AUBBC
# Smiley code -> image lookup; starts empty (presumably filled by smiley_hash,
# which new() memoizes -- confirm where it is populated).
my %SMILEYS = ();
# Registry for user-defined "Build your own" tags; starts empty (the changelog
# says add_build_tag stores its tag data in a hash -- presumably this one).
my %Build_AUBBC = ();
my %AUBBC = (
aubbc => 1,
utf => 1,
smileys => 1,
highlight => 1,
highlight_function => \&code_highlight,
no_bypass => 0,
for_links => 0,
aubbc_escape => 1,
no_img => 0,
icon_image => 1,
image_hight => '60',
image_width => '90',
image_border => '0',
image_wrap => ' ',
href_target => ' target="_blank"',
images_url => '',
html_type => ' /',
fix_amp => 1,
line_break => '1',
code_class => '',
code_extra => '',
code_download => '^Download above code^',
href_class => '',
quote_class => '',
quote_extra => '',
script_escape => 1,
protect_email => '0',
email_message => 'Contact Email',
highlight_class1 => '',
highlight_class2 => '',
highlight_class3 => '',
highlight_class4 => '',
highlight_class5 => '',
highlight_class6 => '',
highlight_class7 => '',
highlight_class8 => '',
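sub new {
    # Constructor.  The class name passed by the caller is honoured, so a
    # subclass of AUBBC gets an object blessed into its own package; a bare
    # AUBBC::new() (no argument) still yields an AUBBC object as before.
    #
    # Returns a blessed, empty hash reference.  Side effects: on the first
    # call with $MEMOIZE set it loads Memoize and memoizes the pure text
    # filters ($do_f[7] records that this was already done); a load failure
    # is appended to the package-global $aubbc_error.
    my $class = shift;
    $class = ref($class) || $class || __PACKAGE__;
    warn 'CREATING AUBBC '.$VERSION if $DEBUG_AUBBC;
    if ($MEMOIZE && ! $do_f[7]) {
        $do_f[7] = 1;
        # Keep the load outcome in a lexical: the previous code inspected $@
        # even when Memoize was already loaded and no eval had run, so a
        # stale $@ from an unrelated earlier eval could silently disable
        # memoization and be appended to $aubbc_error.
        my $load_error = '';
        if (! defined $Memoize::VERSION) {
            # require + import at run time is what `use Memoize` in a string
            # eval did, without the string eval.
            eval { require Memoize; Memoize->import; 1 }
                or $load_error = $@ || 'unknown error loading Memoize';
        }
        if (! $load_error && defined $Memoize::VERSION) {
            Memoize::memoize($_) for qw(
                AUBBC::settings
                AUBBC::smiley_hash
                AUBBC::add_build_tag
                AUBBC::do_all_ubbc
                AUBBC::script_escape
                AUBBC::html_to_text
            );
        }
        $aubbc_error .= $load_error."\n" if $load_error;
    }
    return bless {}, $class;
}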
sub DESTROY {
    # Destructor hook.  There is nothing to release; it only emits a trace
    # line when debugging is switched on through $DEBUG_AUBBC.
    return unless $DEBUG_AUBBC;
    warn "DESTROY AUBBC $VERSION";
}
$do_f[6] = 1;
}
}
sub do_all_ubbc {
# Main entry point: runs every enabled conversion pass over one message and
# returns the resulting HTML/XHTML text.
#
# Parameters: $self (the AUBBC object), $message (raw text; undef is treated
# as '').  Returns the converted string.  The work is done on the
# package-global $msg, which the helper passes (escape_aubbc, do_ubbc, ...)
# read and rewrite in place.
my ($self,$message) = @_;
warn 'ENTER do_all_ubbc' if $DEBUG_AUBBC;
$msg = defined $message ? $message : '';
# An empty (or "0") message skips every pass and is returned as is.
if ($msg) {
check_access();
# Escape first, so the single script_escape call covers every later pass
# (see the script_escape setting for what it rewrites).
$msg = $self->script_escape($msg,'') if $AUBBC{script_escape};
# fix_amp: encode a '&' that does not already start an entity.
# NOTE(review): as rendered on this page the replacement is a bare '&',
# which makes this a no-op; the fix_amp documentation says it produces the
# "amp;" code name, so "&amp;" was most likely decoded during extraction --
# confirm against the released source.
$msg =~ s/&(?!\#?\w+;)/&/g if $AUBBC{fix_amp};
# Leading "#no..." directives let the message itself switch passes off:
# #none disables everything, the others clear one @do_f flag each.  The
# no_bypass setting turns this feature off.
if (!$AUBBC{no_bypass} && $msg =~ m/\A\#no/) {
$do_f[4] = 0 if $msg =~ s/\A\#none//;
if ($do_f[4]) {
$do_f[0] = 0 if $msg =~ s/\A\#noubbc//;
$do_f[1] = 0 if $msg =~ s/\A\#nobuild//;
$do_f[2] = 0 if $msg =~ s/\A\#noutf//;
$do_f[3] = 0 if $msg =~ s/\A\#nosmileys//;
}
warn 'START no_bypass' if $DEBUG_AUBBC && !$do_f[4];
}
# NOTE(review): nothing in this sub sets the cleared @do_f flags back, so a
# directive would persist into later messages unless check_access() or
# another caller resets them -- verify.
if ($do_f[4]) {
escape_aubbc() if $AUBBC{aubbc_escape};
# for_links: inside link text only the UTF and smiley passes are run.
if (!$AUBBC{for_links}) {
do_ubbc($msg) if $do_f[0] && $AUBBC{aubbc};
do_build_tag() if $do_f[5] && $do_f[1];
}
do_unicode() if $do_f[2] && $AUBBC{utf};
do_smileys() if $do_f[6] && $do_f[3] && $AUBBC{smileys};
}
}
# Strip the NUL markers escape_aubbc inserted; per the changelog Firefox
# reports stray NUL bytes as an error.
$msg =~ tr/\000//d if $AUBBC{aubbc_escape};
return $msg;
}
sub fix_message {
# Rewrites '.' and ':' in a string and returns the copy; the caller's
# variable is left unchanged.
# NOTE(review): as rendered on this page both substitutions replace a
# character with itself, so the sub is a no-op here.  The module stores
# other punctuation as HTML code names (the v4.01 changelog describes ';'
# becoming "#59;"), so the replacement entities were probably decoded
# during extraction -- confirm against the released source.
my $txt = shift;
$txt =~ s/\././g;
$txt =~ s/\:/:/g;
return $txt;
}
sub escape_aubbc {
    # Marks doubled brackets ("[[" and "]]") in the package-global $msg with
    # a NUL byte so the tag passes can tell an escaped bracket from a real
    # one; do_all_ubbc removes the NUL markers before returning the message.
    # NOTE(review): as rendered here the bracket is written back as a plain
    # "[" / "]"; the changelog says it was stored as an HTML code name, so
    # that entity may have been decoded during extraction -- confirm.
    warn 'ENTER escape_aubbc' if $DEBUG_AUBBC;
    $msg =~ s/\[{2}/\000[/g;
    $msg =~ s/\]{2}/\000]/g;
}
sub script_escape {
# Sanitiser for untrusted text: rewrites the characters that can start
# HTML or JavaScript so a message can be displayed and stored safely.
#
# Parameters: $self, $text (undef becomes ''), $option (a true value skips
# the tab/space rewriting).  Returns the escaped text.
# NOTE: the rest of this sub is not shown on this page.
my ($self, $text, $option) = @_;
# (The trace label says html_escape although the sub is script_escape.)
warn 'ENTER html_escape' if $DEBUG_AUBBC;
$text = '' unless defined $text;
if ($text) {
# NOTE(review): as rendered on this page every replacement below is the
# literal character itself ('&'->'&', '"'->'"', '<'->'<'), which would make
# this filter a no-op.  The v4.01 changelog says '&' becomes "amp" and ';'
# becomes "#59;", so the entity names were almost certainly decoded during
# extraction -- verify against the released source before relying on this
# listing for any security judgement.
$text =~ s/(&|;)/$1 eq '&' ? '&' : ';'/ge;
if (!$option) {
$text =~ s/\t/ \ \ \ /g;
$text =~ s/ / \ /g;
}
$text =~ s/"/"/g;
$text =~ s/</</g;
$text =~ s/>/>/g;
9) Fully customizable settings.
The advantage of using this BBcode is to have the peace of mind of using a secure program,
to restrict the usage of HTML/XHTML elements and to make formatting of posts easy to people that have no HTML/XHTML skill.
Most sites that use these tags show a list of them and/or easy way to insert the tags to the form field by the user.
The [c] or code tags can highlight Perl code, highlighting the Perl code with CSS in HTML/XHTML,
and in the examples folder the tag_list.cgi file has a CSS code you could work from and now a setting to change to a custom highlighter function.
This module addresses many security issues the BBcode tags may have, mainly cross-site scripting, also known as XSS.
Each message is escaped before it gets returned if script_escape is Enabled and checked for many types of security problems before that tag converts to HTML/XHTML.
The script_escape setting and method also converts the ' sign so the text can be stored in a SQL back-end.
Most of the free web portals use the | sign as the delimiter for the flat file database, the script_escape setting and method also converts that sign so the structure of the database is retained.
Allows easy conversion to HTML and XHTML, existing tags will convert to the HTML type set.
If there isn't a popular tag available this module provides a method to "Build your own tags" custom tags can help link to parts of the current web page, other web pages and add other HTML elements.
=cut
9) Fully customizable settings.
The advantage of using this BBcode is to have the peace of mind of using a secure program,
to restrict the usage of HTML/XHTML elements and to make formatting of posts easy to people that have no HTML/XHTML skill.
Most sites that use these tags show a list of them and/or easy way to insert the tags to the form field by the user.
The [c] or code tags can highlight Perl code, highlighting the Perl code with CSS in HTML/XHTML,
and in the examples folder the tag_list.cgi file has a CSS code you could work from and now a setting to change to a custom highlighter function.
This module addresses many security issues the BBcode tags may have, mainly cross-site scripting, also known as XSS.
Each message is escaped before it gets returned if script_escape is Enabled and checked for many types of security problems before that tag converts to HTML/XHTML.
The script_escape setting and method also converts the ' sign so the text can be stored in a SQL back-end.
Most of the free web portals use the | sign as the delimiter for the flat file database, the script_escape setting and method also converts that sign so the structure of the database is retained.
Allows easy conversion to HTML and XHTML, existing tags will convert to the HTML type set.
If there isn't a popular tag available this module provides a method to "Build your own tags" custom tags can help link to parts of the current web page, other web pages and add other HTML elements.
=head1 Security
Security advice to ensure the proper usage of this module.
=head2 Database Manipulation
The default settings of AUBBC.pm are not good for most forums, blogs, wikis and bulletin boards
because by default AUBBC should work and be secure. The other reason is these programs will want some
of the user input editable and portable.
For editing and portability purposes you would want to retain the tags or user input as they typed it,
but always use the script_escape before saving to a back-end. This will allow you to change the settings
of AUBBC on the fly so the tags remain portable to setting changes.
The script_escape filter is vital to security for many reasons and provides a standard format for other
methods of AUBBC. There is a file in the examples folder called Database_Manipulation.pm that tries to explain what settings
to change and how to stay safe.
=head2 Mixing HTML and BBcode
Since the script_escape method will disable HTML and JavaScript, I came up with a way
to mix the two. The recommended use of mixing is for Administrators of the program only,
because giving anyone the ability to post unfiltered codes is just wrong.
The mixing method is good for themes, information pages and wiki's just to name a few.
for some tags when script_escape is disabled you can just run do_all_ubbc on variables with HTML mixed
with BBcode and it will work because those tags didn't need the script_escape method to make them work,
but for other tags the script_escape method is needed.
So this is where my solution comes in.
see Mixing_HTML_and_BBcode.pm file in the examples folder
=head2 Build your own tags
When adding a custom tag you will have to remember that the methods for building
custom tags try to secure the tags. But it cannot be 100% secure without
the developer of the tag knowing if and what security issues the new tag may have.
The adding method restricts characters from being used in some variables of
the tags, like name and pattern.
See the other "Build your own tags" for usage
=head2 XSS protection and settings
The script_escape filter will disable XSS so the text of the code can be seen in
HTML/XHTML and the XSS code will not work in anyway.
Some parts use standard requirements allowing only these linking path formats:
protocol://location/web/path/or/file
/local/web/path/or/file
There are some uncontrollable security issues with allowing images [img] and link [url] auto-link tags,
you can disable [img] tags by setting "no_img => 1," to 1 as shown.
Security issues with the [url] and auto-link tags is not as bad since you have to click it to
get to the risky web site, unlike an image loading.
#nosmileys
=head2 for_links
Enable or Disable Tags for Links Default 0 is Disable, 1 is Enabled.
Some AUBBC Tags are not good to use in a link like other links.
If Enabled will only use the UTF and Smiley tags.
=head2 aubbc_escape
Enable or Disable AUBBC Tag Escape Default 1 is Enabled, 0 is Disable.
Escaping a Tag:
[b]Stuff[/b] # Normal Tag Bold
[b]]Stuff[/b]] # Escaped Tag Bold
[[b]Stuff[[/b] # Escaped Tag Bold
[[b]]Stuff[[/b]] # Escaped Tag Bold
Default is 1 Enabled and the only other setting is 0 to Disable.
This setting finds all the & that need to covert to the amp; html code name
so the w3c xhtml validation checks ok.
=head2 line_break
Enable line_break "<br>\n" Default 1 , 2 is for the "<br>" older style
that has no new line, 0 is Disable.
This will turn any new line \n to the HTML line break <br>\n or <br> by the script_escape method and the other way around
with the html_to_text method.
=head2 code_class
Default is '' and this allows a custom class, style and/or JavaScript to be used in any of the [code] [c] tags.
must have a space before the text.
example:
=head2 quote_extra
Default is '' and this is for a custom message, code, image, etc. to be used after a [quote] tag.
example:
quote_extra => 'QUOTES AND SAYINGS DISPLAYED ON THIS BLOG ARE NOT WRITTEN BY THE AUTHOR OF THE BLOG.',
quote_extra => '<div style="clear: left"> </div>',
=head2 script_escape
This will turn on or off the sanitizer/escape security for the whole message.
Default is 1 on and 0 for Disable.
Notes: 1)The code highlighter works best with an escaped character format like the
script_escape => 1 setting can provide.
2) If this setting is disabled and a character escaping method or security filter is not used
can result in a security compromise of the AUBBC tags.
3) if Disabled the method "$message = $aubbc->script_escape($message);" can be used on the message as needed before do_all_ubbc() is called.
=head2 protect_email
Default is 1 and other possible values are (0, 2, 3, 4).
Can add a protection to hide emails in the [email] tag from email harvesters.
Not 100% foolproof.
}
else {
return 'Works Good 2';
}
}
sub get_some_tag {
    # Callback for custom tags (tag name is matched case-insensitively):
    # 'ip' yields the client address from REMOTE_ADDR as-is, 'agent' yields
    # the User-Agent header passed through $aubbc->script_escape; any other
    # name returns the tag's own text unchanged.
    my ($tag_name, $text_from_AUBBC) = @_;
    my %value_for = (
        ip    => sub { $ENV{'REMOTE_ADDR'} },
        agent => sub { $aubbc->script_escape($ENV{'HTTP_USER_AGENT'}) },
    );
    my $lookup = $value_for{ lc $tag_name };
    return $lookup ? $lookup->() : $text_from_AUBBC;
}
1;
=head2 $aubbc->remove_build_tag($name, $option);
There are two ways to use this.
1) Remove a single built tag: $aubbc->remove_build_tag($name);
Fixed - under the code tag in do_ubbc line " $do_f[8] = '' if $do_f[8]; "
should have been $do_f[9] = '' if $do_f[9];
v4.01 - 11/08/2010
Fixed - Bug that converts the true text typed to the HTML code name.
All parts of the module were affected by this bug; in the code tag, if the
author meant & #59 ; it would show ; . This also caused a long-standing bug with
typing any HTML code name and saving it to a backend.
this fix removes the HTML code name regex in do_unicode and had to add/move two
filters in "script_escape to convert the & to an amp and ; to #59;" and
"html_to_text to convert amp to & and #59 to ;". This fix also helped in allowing
the regex's for highlighting subroutines to be made.
Fixed - had to add a null byte marker to escape_aubbc so the code tag's
highlighter can detect the escaped character and change it back. In do_all_ubbc
All markers get removed before the message is returned because FireFox can see
the null bytes as an error.
Addition - Perl subroutine highlighting for the code tag highlighter. Had a
problem making this till this version because a HTML code name can look like
&TheName; and a Perl subroutine looked the same till ; got converted.
Addition - AUBBC::make_image($align,$src,$width,$height,$alt) this is useful enough
to mention once.
v3.13 - 09/30/2010
Addition - do_ubbc New built-in tag [list][*=1]... [*]... [/list], This will
follow XHTML or HTML Transitional element style and XHTML or HTML Strict will not
support the elements that tag [*=1] in the [list] will produce
(use the other enumerated List Block tags for XHTML or HTML Strict).
Addition - do_ubbc New built-in tag [em]Hello[/em]
Addition - New value for setting line_break 2 for old <br style. This affects script_escape.
Addition - This module now uses Memoize for a massive speed improvement.
If you thought it was fast before, I hope you're sitting down when you bench this version. LOL
Addition - added setting highlight_function to replace the highlighting method
of AUBBC with a custom one.
Fixed - in do_ubbc the line breaks was invalidating HTML for List Block elements
Improvement - in do_all_ubbc changed defining $msg each time. there could have
Improvement - Massive speed improvement to the whole module and no features lost.
changed new for faster loading, the module uses vars for some variables,
re-spaced the whole code.
v2.10 - 08/31/2010 11:17:13
Addition - adding type 4 to add_build_tag this will use style 3 but will work
differently than the other built functions. Type 4 will print the text defined in
function and not point to a defined Perl subroutine.
Addition - added line_break setting to have control over the script_escape and
html_to_text methods converting html line break <br> and new line \n
Addition - added fix_amp this setting finds all the & that need to covert to the amp; html code name
so the w3c xhtml validation checks ok.
Addition - added no_img this setting will allow some control for using [img] tags
for security reasons
Fixed - bug in settings_prep when a setting gets changed html_type could change
Improvement - in do_unicode removed then changed the two regexs to do a 3 in 1 filter.
Improvement - in html_to_text added a code to fix a <br> bug if ppl use html or xhtml line break.
Improvement - moved the pattern building code from do_build_tag to add_build_tag
so it only runs one time
Improvement - in add_build_tag using a hash array to store the build tag data so
there is no need to use split in do_build_tag
Improvement - in do_all_ubbc moved script_escape to a location where one call
to the function is needed
Improvement - in do_all_ubbc added check for undefined "$message" variable
Improvement - in script_escape added check for undefined "$text" variable
Improvement - in html_to_text added check for undefined "$html" variable
Improvement - in escape_aubbc converting the brackets one time with the html
code name so the filter will only need to run one time in do_all_ubbc. This
also fixes one bug in escape_aubbc
Removed - In script_escape removed the \cM regex, it is very rare that anyone will need
it so it wont be missed.
v2.0 - 10/07/2008 13:52:11
Fixed single tag [name] for build tags
Changed the regex in plain URL's
Removed bad pattern setting and now using a more standard way to detect bad image tags
Changed add_build_tag() to use hash variable, see "Build your own tags" for the new style.
Changed the way functions should work for built tags, the custom function for built tags will receive the tag name and data of the tag. This is so one function can handle many tags.
Removed other site tags and setting other_sites_pattern, an example of them are in "Build your own tags"
Removed [time] tag, example in "Build your own tags".
Email now allows names with & sign
Now every message that is passed to do_all_ubbc() gets escaped before being returned if script_escape is Enabled.
All tags in %AUBBC_TAGS will only convert if lowercase.
"new" now uses the most standard referenced object method.
Removed DOS_prevent() method, since the script has been tested more and was causing a timing problem.
Removed [cd]#code[/cd] code tag, which had no code_class or code_extra.
Commented bad_pattern check for [email] tags, this security check is not needed because the next line will take care of all email tag security.
Fixed - under the code tag in do_ubbc line " $do_f[8] = '' if $do_f[8]; "
should have been $do_f[9] = '' if $do_f[9];
v4.01 - 11/08/2010
Fixed - Bug that converts the true text typed to the HTML code name.
All parts of the module were affected by this bug; in the code tag, if the
author meant & #59 ; it would show ; . This also caused a long-standing bug with
typing any HTML code name and saving it to a backend.
this fix removes the HTML code name regex in do_unicode and had to add/move two
filters in "script_escape to convert the & to an amp and ; to #59;" and
"html_to_text to convert amp to & and #59 to ;". This fix also helped in allowing
the regex's for highlighting subroutines to be made.
Fixed - had to add a null byte marker to escape_aubbc so the code tag's
highlighter can detect the escaped character and change it back. In do_all_ubbc
All markers get removed before the message is returned because FireFox can see
the null bytes as an error.
Addition - Perl subroutine highlighting for the code tag highlighter. Had a
problem making this till this version because a HTML code name can look like
&TheName; and a Perl subroutine looked the same till ; got converted.
Addition - AUBBC::make_image($align,$src,$width,$height,$alt) this is useful enough
to mention once.
v3.13 - 09/30/2010
Addition - do_ubbc New built-in tag [list][*=1]... [*]... [/list], This will
follow XHTML or HTML Transitional element style and XHTML or HTML Strict will not
support the elements that tag [*=1] in the [list] will produce
(use the other enumerated List Block tags for XHTML or HTML Strict).
Addition - do_ubbc New built-in tag [em]Hello[/em]
Addition - New value for setting line_break 2 for old <br style. This affects script_escape.
Addition - This module now uses Memoize for a massive speed improvement.
If you thought it was fast before, I hope you're sitting down when you bench this version. LOL
Addition - added setting highlight_function to replace the highlighting method
of AUBBC with a custom one.
Fixed - in do_ubbc the line breaks was invalidating HTML for List Block elements
Improvement - in do_all_ubbc changed defining $msg each time. there could have
Improvement - Massive speed improvement to the whole module and no features lost.
changed new for faster loading, the module uses vars for some variables,
re-spaced the whole code.
v2.10 - 08/31/2010 11:17:13
Addition - adding type 4 to add_build_tag this will use style 3 but will work
differently than the other built functions. Type 4 will print the text defined in
function and not point to a defined Perl subroutine.
Addition - added line_break setting to have control over the script_escape and
html_to_text methods converting html line break <br> and new line \n
Addition - added fix_amp this setting finds all the & that need to covert to the amp; html code name
so the w3c xhtml validation checks ok.
Addition - added no_img this setting will allow some control for using [img] tags
for security reasons
Fixed - bug in settings_prep when a setting gets changed html_type could change
Improvement - in do_unicode removed then changed the two regexs to do a 3 in 1 filter.
Improvement - in html_to_text added a code to fix a <br> bug if ppl use html or xhtml line break.
Improvement - moved the pattern building code from do_build_tag to add_build_tag
so it only runs one time
Improvement - in add_build_tag using a hash array to store the build tag data so
there is no need to use split in do_build_tag
Improvement - in do_all_ubbc moved script_escape to a location where one call
to the function is needed
Improvement - in do_all_ubbc added check for undefined "$message" variable
Improvement - in script_escape added check for undefined "$text" variable
Improvement - in html_to_text added check for undefined "$html" variable
Improvement - in escape_aubbc converting the brackets one time with the html
code name so the filter will only need to run one time in do_all_ubbc. This
also fixes one bug in escape_aubbc
Removed - In script_escape removed the \cM regex, it is very rare that anyone will need
it so it wont be missed.
v2.0 - 10/07/2008 13:52:11
Fixed single tag [name] for build tags
Changed the regex in plain URL's
Removed bad pattern setting and now using a more standard way to detect bad image tags
Changed add_build_tag() to use hash variable, see "Build your own tags" for the new style.
Changed the way functions should work for built tags, the custom function for built tags will receive the tag name and data of the tag. This is so one function can handle many tags.
Removed other site tags and setting other_sites_pattern, an example of them are in "Build your own tags"
Removed [time] tag, example in "Build your own tags".
Email now allows names with & sign
Now every message that is passed to do_all_ubbc() gets escaped before being returned if script_escape is Enabled.
All tags in %AUBBC_TAGS will only convert if lowercase.
"new" now uses the most standard referenced object method.
Removed DOS_prevent() method, since the script has been tested more and was causing a timing problem.
Removed [cd]#code[/cd] code tag, which had no code_class or code_extra.
Commented bad_pattern check for [email] tags, this security check is not needed because the next line will take care of all email tag security.
9) Fully customizable settings.
The advantage of using this BBcode is to have the peace of mind of using a secure program,
to restrict the usage of HTML/XHTML elements and to make formatting of posts easy to people that have no HTML/XHTML skill.
Most sites that use these tags show a list of them and/or easy way to insert the tags to the form field by the user.
The [c] or code tags can highlight Perl code, highlighting the Perl code with CSS in HTML/XHTML,
and in the examples folder the tag_list.cgi file has a CSS code you could work from and now a setting to change to a custom highlighter function.
This module addresses many security issues the BBcode tags may have, mainly cross-site scripting, also known as XSS.
Each message is escaped before it gets returned if script_escape is Enabled and checked for many types of security problems before that tag converts to HTML/XHTML.
The script_escape setting and method also converts the ' sign so the text can be stored in a SQL back-end.
Most of the free web portals use the | sign as the delimiter for the flat file database, the script_escape setting and method also converts that sign so the structure of the database is retained.
Allows easy conversion to HTML and XHTML, existing tags will convert to the HTML type set.
If there isn't a popular tag available this module provides a method to "Build your own tags" custom tags can help link to parts of the current web page, other web pages and add other HTML elements.
=head1 Security
Security advice to ensure the proper usage of this module.
=head2 Database Manipulation
The default settings of AUBBC.pm are not good for most forums, blogs, wikis and bulletin boards
because by default AUBBC should work and be secure. The other reason is these programs will want some
of the user input editable and portable.
For editing and portability purposes you would want to retain the tags or user input as they typed it,
but always use the script_escape before saving to a back-end. This will allow you to change the settings
of AUBBC on the fly so the tags remain portable to setting changes.
The script_escape filter is vital to security for many reasons and provides a standard format for other
methods of AUBBC. There is a file in the examples folder called Database_Manipulation.pm that tries to explain what settings
to change and how to stay safe.
=head2 Mixing HTML and BBcode
Since the script_escape method will disable HTML and JavaScript, I came up with a way
to mix the two. The recommended use of mixing is for Administrators of the program only,
because giving anyone the ability to post unfiltered codes is just wrong.
The mixing method is good for themes, information pages and wiki's just to name a few.
for some tags when script_escape is disabled you can just run do_all_ubbc on variables with HTML mixed
with BBcode and it will work because those tags didn't need the script_escape method to make them work,
but for other tags the script_escape method is needed.
So this is where my solution comes in.
see Mixing_HTML_and_BBcode.pm file in the examples folder
=head2 Build your own tags
When adding a custom tag you will have to remember that the methods for building
custom tags try to secure the tags. But it cannot be 100% secure without
the developer of the tag knowing if and what security issues the new tag may have.
The adding method restricts characters from being used in some variables of
the tags, like name and pattern.
See the other "Build your own tags" for usage
=head2 XSS protection and settings
The script_escape filter will disable XSS so the text of the code can be seen in
HTML/XHTML and the XSS code will not work in anyway.
Some parts use standard requirements allowing only these linking path formats:
protocol://location/web/path/or/file
/local/web/path/or/file
There are some uncontrollable security issues with allowing images [img] and link [url] auto-link tags,
you can disable [img] tags by setting "no_img => 1," to 1 as shown.
Security issues with the [url] and auto-link tags is not as bad since you have to click it to
get to the risky web site, unlike an image loading.
#nosmileys
=head2 for_links
Enable or Disable Tags for Links Default 0 is Disable, 1 is Enabled.
Some AUBBC Tags are not good to use in a link like other links.
If Enabled will only use the UTF and Smiley tags.
=head2 aubbc_escape
Enable or Disable AUBBC Tag Escape Default 1 is Enabled, 0 is Disable.
Escaping a Tag:
[b]Stuff[/b] # Normal Tag Bold
[b]]Stuff[/b]] # Escaped Tag Bold
[[b]Stuff[[/b] # Escaped Tag Bold
[[b]]Stuff[[/b]] # Escaped Tag Bold
Default is 1 Enabled and the only other setting is 0 to Disable.
This setting finds all the & that need to covert to the amp; html code name
so the w3c xhtml validation checks ok.
=head2 line_break
Enable line_break "<br>\n" Default 1 , 2 is for the "<br>" older style
that has no new line, 0 is Disable.
This will turn any new line \n to the HTML line break <br>\n or <br> by the script_escape method and the other way around
with the html_to_text method.
=head2 code_class
Default is '' and this allows a custom class, style and/or JavaScript to be used in any of the [code] [c] tags.
must have a space before the text.
example:
=head2 quote_extra
Default is '' and this is for a custom message, code, image, etc. to be used after a [quote] tag.
example:
quote_extra => 'QUOTES AND SAYINGS DISPLAYED ON THIS BLOG ARE NOT WRITTEN BY THE AUTHOR OF THE BLOG.',
quote_extra => '<div style="clear: left"> </div>',
=head2 script_escape
This will turn on or off the sanitizer/escape security for the whole message.
Default is 1 on and 0 for Disable.
Notes: 1)The code highlighter works best with an escaped character format like the
script_escape => 1 setting can provide.
2) If this setting is disabled and a character escaping method or security filter is not used
can result in a security compromise of the AUBBC tags.
3) if Disabled the method "$message = $aubbc->script_escape($message);" can be used on the message as needed before do_all_ubbc() is called.
=head2 protect_email
Default is 1 and other possible values are (0, 2, 3, 4).
Can add a protection to hide emails in the [email] tag from email harvesters.
Not 100% foolproof.
}
else {
return 'Works Good 2';
}
}
sub get_some_tag {
    # Callback for custom tags (tag name is matched case-insensitively):
    # 'ip' yields the client address from REMOTE_ADDR as-is, 'agent' yields
    # the User-Agent header passed through $aubbc->script_escape; any other
    # name returns the tag's own text unchanged.
    my ($tag_name, $text_from_AUBBC) = @_;
    my %value_for = (
        ip    => sub { $ENV{'REMOTE_ADDR'} },
        agent => sub { $aubbc->script_escape($ENV{'HTTP_USER_AGENT'}) },
    );
    my $lookup = $value_for{ lc $tag_name };
    return $lookup ? $lookup->() : $text_from_AUBBC;
}
1;
=head2 $aubbc->remove_build_tag($name, $option);
There are two ways to use this.
1) Remove a single built tag: $aubbc->remove_build_tag($name);
Fixed - under the code tag in do_ubbc line " $do_f[8] = '' if $do_f[8]; "
should have been $do_f[9] = '' if $do_f[9];
v4.01 - 11/08/2010
Fixed - Bug that converts the true text typed to the HTML code name.
All parts of the module were affected by this bug; in the code tag, if the
author meant & #59 ; it would show ; . This also caused a long-standing bug with
typing any HTML code name and saving it to a backend.
this fix removes the HTML code name regex in do_unicode and had to add/move two
filters in "script_escape to convert the & to an amp and ; to #59;" and
"html_to_text to convert amp to & and #59 to ;". This fix also helped in allowing
the regex's for highlighting subroutines to be made.
Fixed - had to add a null byte marker to escape_aubbc so the code tag's
highlighter can detect the escaped character and change it back. In do_all_ubbc
All markers get removed before the message is returned because FireFox can see
the null bytes as an error.
Addition - Perl subroutine highlighting for the code tag highlighter. Had a
problem making this till this version because a HTML code name can look like
&TheName; and a Perl subroutine looked the same till ; got converted.
Addition - AUBBC::make_image($align,$src,$width,$height,$alt) this is useful enough
to mention once.
v3.13 - 09/30/2010
Addition - do_ubbc New built-in tag [list][*=1]... [*]... [/list], This will
follow XHTML or HTML Transitional element style and XHTML or HTML Strict will not
support the elements that tag [*=1] in the [list] will produce
(use the other enumerated List Block tags for XHTML or HTML Strict).
Addition - do_ubbc New built-in tag [em]Hello[/em]
Addition - New value for setting line_break 2 for old <br style. This affects script_escape.
Addition - This module now uses Memoize for a massive speed improvement.
If you thought it was fast before, I hope you're sitting down when you bench this version. LOL
Addition - added setting highlight_function to replace the highlighting method
of AUBBC with a custom one.
Fixed - in do_ubbc the line breaks was invalidating HTML for List Block elements
Improvement - in do_all_ubbc changed defining $msg each time. there could have
Improvement - Massive speed improvement to the whole module and no features lost.
changed new for faster loading, the module uses vars for some variables,
re-spaced the whole code.
v2.10 - 08/31/2010 11:17:13
Addition - adding type 4 to add_build_tag this will use style 3 but will work
differently than the other built functions. Type 4 will print the text defined in
function and not point to a defined Perl subroutine.
Addition - added line_break setting to have control over the script_escape and
html_to_text methods converting html line break <br> and new line \n
Addition - added fix_amp; this setting finds all the & that need to convert to the amp; html code name
so the w3c xhtml validation checks ok.
Addition - added no_img this setting will allow some control for using [img] tags
for security reasons
Fixed - bug in settings_prep when a setting gets changed html_type could change
Improvement - in do_unicode removed then changed the two regexs to do a 3 in 1 filter.
Improvement - in html_to_text added code to fix a <br> bug if people use html or xhtml line break.
Improvement - moved the pattern building code from do_build_tag to add_build_tag
so it only runs one time
Improvement - in add_build_tag using a hash array to store the build tag data so
there is no need to use split in do_build_tag
Improvement - in do_all_ubbc moved script_escape to a location where one call
to the function is needed
Improvement - in do_all_ubbc added check for undefined "$message" variable
Improvement - in script_escape added check for undefined "$text" variable
Improvement - in html_to_text added check for undefined "$html" variable
Improvement - in escape_aubbc converting the brackets one time with the html
code name so the filter will only need to run one time in do_all_ubbc. This
also fixes one bug in escape_aubbc
Removed - In script_escape removed the \cM regex; it is very rare that anyone will need
it so it won't be missed.
v2.0 - 10/07/2008 13:52:11
Fixed single tag [name] for build tags
Changed the regex in plain URL's
Removed bad pattern setting and now using a more standard way to detect bad image tags
Changed add_build_tag() to use hash variable, see "Build your own tags" for the new style.
Changed the way functions should work for built tags, the custom function for built tags will receive the tag name and data of the tag. This is so one function can handle many tags.
Removed other site tags and setting other_sites_pattern, an example of them are in "Build your own tags"
Removed [time] tag, example in "Build your own tags".
Email now allows names with & sign
Now every message that is passed to do_all_ubbc() gets escaped before being returned if script_escape is Enabled.
All tags in %AUBBC_TAGS will only convert if lowercase.
"new" now uses the most standard referenced object method.
Removed DOS_prevent() method, since the script has been tested more and was causing a timing problem.
Removed [cd]#code[/cd] code tag, which had no code_class or code_extra.
Commented bad_pattern check for [email] tags, this security check is not needed because the next line will take care of all email tag security.
edited later.
Other settings may also affect the message output.
=cut
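# Start the module
use AUBBC;

# Class-method call form. The indirect-object form `new AUBBC` is
# discouraged because Perl has to guess whether `new` is a method or a sub.
my $aubbc = AUBBC->new;

# script_escape will need to be disabled in the settings method and
# this will tell the do_all_ubbc method not to use script_escape!
# That means every message has to be escaped before it is stored
# (see saving_data below).
#
# Other settings can be changed here if needed.
$aubbc->settings(
    script_escape => 0,
);

# Build-your-own tags can be added here, etc.

# This will be the data or user input from an HTML form to save to a backend.
# The message will have some characters that would normally break some database
# structures, cause risky errors, or be HTML.
my $message = <<FORM;
[b]Work[/b]
<i>This will not work</i>
Brake the database |||| ''''''''''' """"""
FORM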
sub saving_data {
    # Demonstrates how to store the user's input safely in your backend.
    # Use a module such as CGI (or whatever you prefer) to receive the HTML
    # form data; this example assumes it is already in $message.
    # Before the data can be saved, pass $message through the script_escape
    # method (script_escape is turned off in the settings above, so
    # do_all_ubbc will not do this for you).
    my $escaped = $aubbc->script_escape($message);
    $message = $escaped;
    # Then save $message to your database. Extra security measures may be
    # required or desired depending on the type of backend used.
}
sub editing_data {
# This will be a two part subroutine. This first one will get the message from
# the backend and display the data in a HTML form to be edited lets say its
# in variable $form_data
# Now $form_data can be printed in the form feild
# When the HTML form is submitted we fictitiously sent the edited data to editing_data2
# of this file to be saved
}
sub editing_data2 {
    # Part 2 of editing data. Use a module such as CGI (or whatever you
    # prefer) to receive the HTML form data; this example assumes it is in
    # $message2.
    # Before the submitted data can be saved it must go through the
    # script_escape method, exactly as in saving_data.
    my $escaped = $aubbc->script_escape($message2);
    $message2 = $escaped;
    # Then save it to your database. Extra security measures may be required
    # or desired depending on the type of backend used.
}
sub display_data {
# Get the data from the backend lets say we did that and its in $message3
# use do_all_ubbc on $message3 and now $message3 is ready to be printed in HTML.
$message3 = $aubbc->do_all_ubbc($message3);
edited later.
Other settings may also affect the message output.
=cut
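# Start the module
use AUBBC;

# Class-method call form. The indirect-object form `new AUBBC` is
# discouraged because Perl has to guess whether `new` is a method or a sub.
my $aubbc = AUBBC->new;

# script_escape will need to be disabled in the settings method and
# this will tell the do_all_ubbc method not to use script_escape!
# That means the stored message has to be escaped before it is saved
# (see saving_data below).
#
# Other settings can be changed here if needed.
$aubbc->settings(
    script_escape => 0,
);

# Build-your-own tags can be added here, etc.

# This will be the data or Administrator input from an HTML form to save to a
# backend. The message will have some BBcode mixed in HTML, and a home-made
# tag for full AUBBC support is <aubbc> Full AUBBC support </aubbc>.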
my $message = <<HTML;
<i>This will work</i> [i]This will work[/i]
[email]safe\@email.com[/email]
</aubbc>
HTML
sub saving_data {
    # Demonstrates how to store the Administrator's input safely in your
    # backend. Use a module such as CGI (or whatever you prefer) to receive
    # the HTML form data; this example assumes it is already in $message.
    # Only the body of each <aubbc>...</aubbc> block is passed through
    # script_escape; the HTML outside those blocks is stored exactly as
    # typed, which is why this example is meant for Administrator input.
    # /s lets the body span lines; /x is only for readability.
    $message =~ s{ ( <aubbc> (.*?) </aubbc> ) }{
        my $escaped = $aubbc->script_escape($2);
        # A false result (empty or '0') leaves the block untouched.
        $escaped ? '<aubbc>' . $escaped . '</aubbc>' : $1;
    }exgs;
    # Then save $message to your database. Extra security measures may be
    # required or desired depending on the type of backend used.
}
sub editing_data {
    # First half of a two-part edit. Fetch the message from the backend and
    # show it in an HTML form for editing; this example assumes it is in
    # $form_data.
    # Since this sandboxes the script_escape method you may want to tune the
    # settings for other views, or skip sandboxing the form fields entirely.
    # Step 1: turn each <aubbc> block back into plain text (/s lets the
    # body span lines; /x is only for readability).
    $form_data =~ s{ ( <aubbc> (.*?) </aubbc> ) }{
        my $plain = $aubbc->html_to_text($2);
        # A false result (empty or '0') leaves the block untouched.
        $plain ? '<aubbc>' . $plain . '</aubbc>' : $1;
    }exgs;
    # Step 2: escape the whole form value; option 1 is needed so spaces,
    # tabs and new lines are not converted.
    $form_data = $aubbc->script_escape($form_data, 1);
    # Now $form_data can be printed in the form field. When the HTML form is
    # submitted, the edited data is (fictitiously) sent to editing_data2 in
    # this file to be saved.
}
sub editing_data2 {
    # Part 2 of editing data. Use a module such as CGI (or whatever you
    # prefer) to receive the HTML form data; this example assumes it is in
    # $message2.
    # Before the submitted data can be saved, the script_escape method is
    # applied to each <aubbc> block with the same regex as in saving_data
    # (/s lets the body span lines; /x is only for readability).
    $message2 =~ s{ ( <aubbc> (.*?) </aubbc> ) }{
        my $escaped = $aubbc->script_escape($2);
        # A false result (empty or '0') leaves the block untouched.
        $escaped ? '<aubbc>' . $escaped . '</aubbc>' : $1;
    }exgs;
    # Then save it to your database. Extra security measures may be required
    # or desired depending on the type of backend used.
}
sub display_data {
# Get the data from the backend lets say we did that and its in $message3