view release on metacpan or  search on metacpan

AUBBC.pod  view on Meta::CPAN

=head1 NAME

AUBBC

=head1 SYNOPSIS

  use AUBBC;
  my $aubbc = AUBBC->new();

  my $message = 'Lets [b]Bold in HTML[/b]';

  print $aubbc->do_all_ubbc($message);

=head1 ABSTRACT

Advanced Universal Bulletin Board Code a Perl BBcode API

=head1 DESCRIPTION

AUBBC is a object oriented BBcode API designed as a developers tool for themes, wiki's, forums and other BBcode to HTML Parser needs.

Features:

1) Massive amount of supported tags.

2) Build your own tags to add custom made tags.

3) Full XSS Security for supported tags.

4) High Speed Parser

5) Assign security levels for links, images, build and code tags.

6) Protection for emails to hide them from harvesters.

7) Code download for code tags

8) Perl code highlighter in the code tags

9) Fully customizable settings.

The advantage of using this BBcode is to have the piece of mind of using a secure program,
to restrict the usage of HTML/XHTML elements and to make formatting of posts easy to people that have no HTML/XHTML skill.
Most sites that use these tags show a list of them and/or easy way to insert the tags to the form field by the user.

The [c] or code tags can highlight Perl code, highlighting the Perl code with CSS in HTML/XHTML,
and in the examples folder the tag_list.cgi file has a CSS code you could work from and now a setting to change to a costume highlighter function.
This module addresses many security issues the BBcode tags may have mainly cross site script also known as XSS.
Each message is escaped before it gets returned if script_escape is Enabled and checked for many types of security problems before that tag converts to HTML/XHTML.
The script_escape setting and method also converts the ' sign so the text can be stored in a SQL back-end.
Most of the free web portals use the | sign as the delimiter for the flat file database, the script_escape setting and method also converts that sign so the structure of the database is retained.

Allows easy conversion to HTML and XHTML, existing tags will convert to the HTML type set.

If there isn't a popular tag available this module provides a method to "Build your own tags" custom tags can help link to parts of the current web page, other web pages and add other HTML elements.

=head1 Security

Security advice to ensure the proper usage of this module.

=head2 Database Manipulation

The default settings of AUBBC.pm is not good for most forums, blogs, wiki's and bulletin boards
because by default AUBBC should work and be secure. The other reason is these programs will want some
of the user input editable and portable.

For editing and portability purposes you would want to retain the tags or user input as they typed it,
but always use the script_escape before saving to a back-end. This will allow you to change the settings
of AUBBC on the fly so the tags remain portable to setting changes.
The script_escape filter is vital to security for many reasons and provides a standard format for other
methods of AUBBC. There is a file in the examples folder called Database_Manipulation.pm that try's to explain what settings
to change and how to stay safe.

=head2 Mixing HTML and BBcode

Since the script_escape method will disable HTML and JavaScript, I came up with a way
to mix the two. The recommended use of mixing is for Administrator's of the program only,
because giving anyone the ability to post unfiltered codes is just wrong.

The mixing method is good for themes, information pages and wiki's just to name a few.

for some tags when script_escape is disabled you can just run do_all_ubbc on variables with HTML mixed
with BBcode and it will work because those tags didn't need the script_escape method to make them work,
but for other tags the script_escape method is needed.
So this is where my solution comes in.
see Mixing_HTML_and_BBcode.pm file in the examples folder

=head2 Build your own tags

When adding a custom tag you will have to remember that the methods for building
custom tags try's to secure the tags. But it can not be 100% secure without
the developer of the tag knowing if and what security issues the new tag may have.

The adding method restricts characters from being used in some variables of
the tags, like name and pattern.

See the other "Build your own tags" for usage

=head2 XSS protection and settings

The script_escape filter will disable XSS so the text of the code can be seen in
HTML/XHTML and the XSS code will not work in anyway.
Some parts use standard requirements allowing only these linking path formats:

 protocal://location/web/path/or/file
 /local/web/path/or/file

There are some uncontrollable security issues with allowing images [img] and link [url] auto-link tags,
you can disable [img] tags by setting "no_img => 1," to 1 as shown.
Security issues with the [url] and auto-link tags is not as bad since you have to click it to
get to the risky web site, unlike an image loading.

=head2 FYI

XHTML has better JavaScript security standards then HTML.
Developers can also use cookies with "httponly" flags to disable JavaScript from
reading that cookie, but the browsers must support it.
XSS, browser hijacking and other security risks can change by settings, browser vendors and program versions.

=head1 Tag Security Access

New to v4.05. Assign security levels for links, images, build and code tags.
Default settings allows all tags to be seen so there would be no changes needed
if you just wanted the latest version and not use this method yet.

This method works with your current authentication and will be explained more later.

Note: The smilies is not controled by this security.

=head2 User Security Levels

Default security levels are from low to high!!!

        # The array numbers >>:    0        1         2             3
        $aubbc->security_levels('Guest', 'User', 'Moderator','Administrator')

1) The security levels array needs to have the security levels from low to high in it!!

AUBBC.pod  view on Meta::CPAN

Enable or Disable UTF Tags Default 1 is Enabled, 0 is Disable.

=head2 smileys

Enable or Disable Smiley Tags Default 1 is Enabled, 0 is Disable.

=head2 highlight

Enable or Disable Code Highlight Default 1 is Enabled, 0 is Disable.

=head2 highlight_function

This can replace the highlighter of AUBBC with a custome one

must provide the text name of the pre-defined subroutine that receives the code
tags text and returns the highlighted text.

=head2 no_bypass

Enable or Disable User Tags for bypassing hole tag sets Default 0 is Disable, 1 is Enabled.
Bypass tag must be at the very beginning of the message!!!!
Must also be in the order of the "Bypass Tag list:" but not on a new line \n
and if #none is used the other bypass tags will not be removed.

Bypass Tag list:

        #none
        #noaubbc
        #nobuild
        #noutf
        #nosmileys

=head2 for_links

 Enable or Disable Tags for Links Default 0 is Disable, 1 is Enabled.

 Some AUBBC Tags are not good to use in a link like other links.

 If Enabled will only use the UTF and Smiley tags.

=head2 aubbc_escape

Enable or Disable AUBBC Tag Escape Default 1 is Enabled, 0 is Disable.

Escaping a Tag:

        [b]Stuff[/b] # Normal Tag Bold
        [b]]Stuff[/b]] # Escaped Tag Bold
        [[b]Stuff[[/b] # Escaped Tag Bold
        [[b]]Stuff[[/b]] # Escaped Tag Bold

 Small Bug if Enabled:

 Any use of ]] will equal ] and any [[ will equal [

=head2 no_img

Enable or Disable the [img] tags Default 0 allows the tags and 1 will just not
convert the tag.

There are some uncontrollable security issues with allowing anyone to post
an image link.

=head2 icon_image

Enable or Disable Custom Image Size Default 1 is Enabled, 0 is Disable.

If enabled will use the values from image_hight and image_width

in all Image Tags [img]/images/large_pic.gif[/img]

=head2 image_hight

The Default Image height is 60px.

Only used when icon_image is Enabled.

=head2 image_width

The Default Image width is 90px.

Only used when icon_image is Enabled.

=head2 image_border

Enable or Disable Image Border Default 0 is Disable, 1 is Enabled.

=head2 image_wrap

Enable or Disable Image wrap Default 1 is Enabled, 0 is Disable.

Enabled will add a space after each image & smiley's.

=head2 href_target

 Enable or Disable href target Default 0 is Disable, 1 is Enabled.

 Enabled will add target="_blank" to all href's.

=head2 images_url

Default is blank.

This is the link to your images folder and is only used for Smilies.

 For the smileis to work you must provide a URL.

example:

 smilies must be in /smilies folder

the images_url link must have the /smilies folder in it and not point directly to /smilies.

=head2 html_type

Default is 'html' and the only other support is 'xhtml'

=head2 fix_amp

Default is 1 Enabled and the only other setting is 0 to Disable.
This setting finds all the & that need to covert to the amp; html code name