The medichan script (29)

1 Name: Anonymous : 2007-10-05 01:10 ID:+VE3ze3C [Del]

I've been quietly working on the script behind the site http://medichan.org/
The only reason I wrote it originally was because the free host I switched to after having no reason to pay $120 for a year of Dreamhost doesn't support Perl or MySQL. It uses only flat files and runs fairly well. I have some improvements to make before releasing the source code, but what do you think? It's kind of a mix between a text board like kareha and a very simple web forum.

2 Name: Anonymous : 2007-10-05 05:08 ID:Heaven [Del]

And it's written in....?

3 Name: Anonymous : 2007-10-05 06:39 ID:Heaven [Del]

It doesn't show a summary of recent discussion on the front page, and is therefore as uselessly user-unfriendly as all other phpBB-style forums.

4 Name: Eleo : 2007-10-05 13:26 ID:DyErdV89 [Del]

>>2
I'm guessing PHP since I see .php file extensions.

>>1
It's not bad.

5 Name: Anonymous : 2007-10-06 19:25 ID:5Ny5SW/k [Del]

I posted on Medichan a while back telling you how good it was. I enjoy it.

6 Post deleted by moderator.

7 Post deleted by moderator.

8 Post deleted by moderator.

9 Post deleted by moderator.

10 Name: Anonymous : 2007-10-07 14:08 ID:Heaven [Del]

>>6
>>7
>>8
>>9
uh oh, somebody's got a wet diapey.

11 Name: Anonymous : 2007-10-08 06:23 ID:uVOYJQcm [Del]

I love how you use .htm extensions.

12 Name: Anonymous : 2007-10-13 16:20 ID:Icmdjfjr [Del]

>>1

http://validator.w3.org/check?uri=http%3A%2F%2Fmedichan.org%2Fmed.php%3Fact%3Dread%26id%3D1191803910634&charset=%28detect+automatically%29&doctype=Inline&group=0
Also you have the worst getCookie() function I've seen yet.

Also your bbcode script allows javascript URLs and is therefore XSS-exploitable.

13 Name: Anonymous : 2007-10-13 18:11 ID:Heaven [Del]

Also, bbcode is an amazingly dumb concept in the first place. If you're going to allow some sort of tag-based syntax, just parse HTML and strip out unsafe tags.

14 Name: !WAHa.06x36 : 2007-10-14 04:23 ID:Heaven [Del]

>>13

A better concept is to parse HTML and only allow safe ones. Well, that's probably what you meant but it's better to be explicit about this stuff.

15 Name: Anonymous : 2007-10-14 14:41 ID:Heaven [Del]

>>13-14
It's probably worth saying that parsing HTML may be more difficult than it initially appears to be.

16 Name: !WAHa.06x36 : 2007-10-14 16:20 ID:p6gwmrtN [Del]

>>15

Not really, since you're parsing a subset. As long as you make sure to render anything you don't understand harmless, it's fairly easy.

17 Name: Anonymous : 2007-10-14 18:53 ID:Heaven [Del]

>>16





18 Name: Anonymous : 2007-10-14 18:56 ID:Heaven [Del]

>>16





19 Name: Anonymous : 2007-10-14 23:45 ID:Heaven [Del]

>>17-18
Failure.

20 Name: Anonymous : 2007-10-15 04:48 ID:Heaven [Del]

>>19
Ctrl-C Ctrl-V any of those lines into a post here to see real failure.

21 Name: !WAHa.06x36 : 2007-10-15 05:16 ID:Heaven [Del]

>>17-18

That has more to do with XHTML and entities than with parsing HTML, though.

22 Name: Anonymous : 2007-10-16 18:40 ID:ZLjJEu85 [Del]

What ever happened to that imageboard software you were making?

23 Name: Anonymous : 2007-10-19 18:33 ID:Heaven [Del]

>>13

Well, I like [url] a lot more than <a href="">, although bbcode has no way to escape [].

24 Name: Anonymous : 2007-10-19 22:07 ID:Heaven [Del]

>>23
But how do you do something like this:
<a href="http://www.monkey.com/">pickles</a>
[url=http://www.monkey.com/]pickles[/url]

It's no different conceptually, but forces people to learn a new syntax. The [url]http://www.monkey.com/[/url] is massively redundant; if you want autolinked addresses, a decent regex can pick them out easily, and simply typing the url is much more intuitive than writing some clumsy [url] thing around it.

25 Name: Anonymous : 2007-10-23 17:09 ID:Heaven [Del]

Thanks for the suggestions, I'll update it with some stuff written in... If I make it parse HTML it won't be "actual" HTML. I can allow "<b>text</b>" to pass through as normal, but stripping junk out of "<b class="stupidclass">text</b>" might be too much of a pain to bother with.
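
As an added example (not the medichan script's code and not wakautils.pl), here is the approach from >>14, >>16 and >>25 written out in Python: parse a small HTML subset, let only allowlisted tags through with their attributes dropped, keep links only when the href scheme is safe (the javascript: URL problem from >>12), and escape everything else so it renders as plain text. The tag set, scheme list and rel="nofollow" are my own choices.

```python
import re
from html import escape
from urllib.parse import urlsplit

SIMPLE_TAGS = {"b", "i", "u", "s", "code"}   # allowed through, attributes dropped
SAFE_SCHEMES = {"http", "https", "ftp"}       # absolute links only; no javascript:/data:
TAG = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)\s*([^<>]*?)>")
HREF = re.compile(r"""href\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"']+))""", re.I)

def safe_href(attrs):
    """Return the href re-escaped for output if its scheme is allowed, else None."""
    m = HREF.search(attrs)
    if not m:
        return None
    url = next(g for g in m.groups() if g is not None)
    # browsers ignore embedded tabs/newlines/control chars, so "java\tscript:" must not slip past
    url = "".join(ch for ch in url if ch.isprintable() and not ch.isspace())
    if urlsplit(url).scheme.lower() not in SAFE_SCHEMES:
        return None
    return escape(url)

def sanitize(text):
    out, stack, pos = [], [], 0
    for m in TAG.finditer(text):
        out.append(escape(text[pos:m.start()]))      # plain text between tags
        pos = m.end()
        closing, name, attrs = m.group(1) == "/", m.group(2).lower(), m.group(3)
        if name == "br" and not closing:
            out.append("<br>")
        elif name in SIMPLE_TAGS or name == "a":
            if closing:
                if name not in stack:                 # stray closer: render harmless
                    out.append(escape(m.group(0)))
                while name in stack:                  # close anything nested inside it too
                    out.append(f"</{stack.pop()}>")
            elif name == "a":
                href = safe_href(attrs)
                if href is None:                      # missing/unsafe href: show the tag as text
                    out.append(escape(m.group(0)))
                else:
                    out.append(f'<a href="{href}" rel="nofollow">')
                    stack.append("a")
            else:
                out.append(f"<{name}>")               # <b class="x"> comes out as plain <b>
                stack.append(name)
        else:
            out.append(escape(m.group(0)))            # unknown tag (script, img, ...): escaped
    out.append(escape(text[pos:]))
    out.extend(f"</{t}>" for t in reversed(stack))    # close whatever was left open
    return "".join(out)
```

Unknown tags and stray closers are escaped rather than silently dropped, so a poster sees exactly what the filter refused.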

26 Name: Anonymous : 2007-10-27 11:03 ID:Heaven [Del]

>>25
No, it's not. Just take a look at the implementation in wakautils.pl. Learn from it; understand it.

27 Name: Anonymous : 2007-11-02 00:10 ID:Heaven [Del]

>>26
I don't know perl that well.
Also, update - the script has been released in a preliminary version due to request.

28 Name: Anonymous : 2008-01-15 12:57 ID:Heaven [Del]

29 Name: Anonymous : 2008-01-15 12:58 ID:Heaven [Del]
