I've been quietly working on the script behind the site http://medichan.org/
The only reason I wrote it originally was because the free host I switched to after having no reason to pay $120 for a year of Dreamhost doesn't support Perl or MySQL. It uses only flat files and runs fairly well. I have some improvements to make before releasing the source code, but what do you think? It's kind of a mix between a text board like kareha and a very simple web forum.
It doesn't show a summary of recent discussion on the front page, and is therefore as uselessly user-unfriendly as all other phpBB-style forums.
I posted on Medichan a while back telling you how good it was. I enjoy it.
I love how you use .htm extensions.
http://validator.w3.org/check?uri=http%3A%2F%2Fmedichan.org%2Fmed.php%3Fact%3Dread%26id%3D1191803910634&charset=%28detect+automatically%29&doctype=Inline&group=0
Also, you have the worst getCookie() function I've seen yet.
Also, your bbcode script allows javascript: URLs and is therefore XSS-exploitable.
Also, bbcode is an amazingly dumb concept in the first place. If you're going to allow some sort of tag-based syntax, just parse HTML and strip out unsafe tags.
A better concept is to parse HTML and only allow safe ones. Well, that's probably what you meant but it's better to be explicit about this stuff.
Not really, since you're parsing a subset. As long as you make sure to render anything you don't understand harmless, it's fairly easy.
>>19
Ctrl-C, Ctrl-V any of those lines into a post here to see real failure.
That has more to do with XHTML and entities than with parsing HTML, though.
What ever happened to that imageboard software you were making?
Well, I like [url] a lot more than <a href="">, although bbcode has no way to escape [].
Thanks for the suggestions. I'll update it with some stuff written in... if I make it parse HTML it won't be "actual" HTML. I can allow "<b>text</b>" to pass through as normal, but stripping junk out of "<b class="stupidclass">text</b>" might be too much of a pain to bother with.
>>25
No, it's not. Just take a look at the implementation in wakautils.pl. Learn from it; understand it.
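The allowlist approach discussed in this thread (pass a small set of tags through with their attributes dropped, escape every tag you don't understand, and refuse javascript: in href), as an added example that is not the board's med.php or wakautils.pl; it is written in Python rather than PHP so it runs stand-alone, and the tag set and http/https-only rule are assumptions:

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Tags the board understands. Anything else is escaped, not dropped,
# so unknown markup renders harmlessly as literal text.
SAFE_TAGS = {"b", "i", "u", "s"}
SAFE_SCHEMES = {"http", "https"}   # assumption: relative and other schemes are refused

TAG_RE = re.compile(r"<(/?)([a-zA-Z]+)([^<>]*)>")
HREF_RE = re.compile(r"""href\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)


def safe_href(url: str) -> Optional[str]:
    """Return the URL if its scheme is http(s), else None.

    Entities are decoded and control characters removed before the scheme
    is read, so "java&#115;cript:" and "java\tscript:" are both rejected.
    """
    cleaned = "".join(ch for ch in html.unescape(url) if ord(ch) > 31 and ord(ch) != 127).strip()
    if urlsplit(cleaned).scheme.lower() not in SAFE_SCHEMES:
        return None
    return cleaned


def sanitize(text: str) -> str:
    """Render a post body: safe tags pass through bare, everything else is escaped."""
    out, pos = [], 0
    for m in TAG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))   # text between tags
        pos = m.end()
        closing, name, attrs = m.group(1), m.group(2).lower(), m.group(3)
        if name in SAFE_TAGS:
            out.append(f"<{closing}{name}>")            # attributes like class="..." dropped
        elif name == "a" and closing:
            out.append("</a>")
        elif name == "a":
            hm = HREF_RE.search(attrs)
            url = safe_href(next(g for g in hm.groups() if g is not None)) if hm else None
            if url:
                out.append(f'<a href="{html.escape(url, quote=True)}">')
            else:
                out.append(html.escape(m.group(0)))     # unsafe link shown as literal text
        else:
            out.append(html.escape(m.group(0)))         # unknown tag shown as literal text
    out.append(html.escape(text[pos:]))
    return "".join(out)
```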