BBob
⚡️Blazing fast js bbcode parser, that transforms and parses bbcode to AST with plugin support in pure javascript, no dependencies
[Vue warn]: Non-function value encountered for default slot. Prefer function slots for better performance. Reproduction: [link](https://codesandbox.io/p/sandbox/summer-dust-92dffd)
While possibly a bad example, the following will produce corrupted data in AST:

```bbcode
[url=javascript:alert('XSS ME');]TEXT[/url]
[url=javascript:alert("XSS ME");]TEXT[/url]
```

This can already be seen in the HTML Render demo, that...
If "naively" creating custom tag mappings, you may run into this exception:

```text
Uncaught RangeError: Maximum call stack size exceeded
    at Object.code (myHtml5Preset.ts:160:12)
    at myHtml5Preset.ts:72:72
    at k8 (utils.js:7:33)
```

To...
If analyzed correctly, there is a subtle difference between `TagNode.content = null` and `TagNode.content = []` that causes these code snippets to generate different representations of `TagNode`:
https://github.com/JiLiZART/BBob/blob/3575982b280cc45c9cedaf7a059491a324c1b514/packages/bbob-preset-html5/src/defaultTags.js#L63-L67
https://github.com/JiLiZART/BBob/blob/3575982b280cc45c9cedaf7a059491a324c1b514/packages/bbob-plugin-helper/src/TagNode.js#L73
The...
https://github.com/JiLiZART/BBob/blob/3575982b280cc45c9cedaf7a059491a324c1b514/packages/bbob-plugin-helper/src/helpers.js#L77-L88 Without understanding the details, the description may benefit from some enhanced description (see below). Given my assumptions and tests are correct, I will refer to a possibly even dangerous...
https://github.com/JiLiZART/BBob/blob/3575982b280cc45c9cedaf7a059491a324c1b514/packages/bbob-plugin-helper/src/helpers.js#L28-L39 The name `escapeHTML` suggests that the method may be used to sanitize text-content and get rid of probably malicious nested HTML in BBCode, like `[i]javascript:alert("XSS!"[/i]`. Unfortunately, the method has...
Despite `data:` and `javascript:` as well-known attack vectors for XSS, the `file:` protocol may also cause malicious behavior. I think it is rather safe (thus, backward-compatible) to also escape it here:...
Script injection is still very easy to achieve. As mentioned in https://github.com/JiLiZART/BBob/issues/66#issuecomment-653926541 you can inject JavaScript via `on*` attributes. `[aaa onclick=alert('Hacked')]Click Me[/aaa]` I don't think the solution is to blacklist...
Examples:

```
[tooltip message="this is a \\]message"]prevented[/tooltip]
```

```
[tooltip message="this is \\[b\\]Text\\[/b\\] message"]prevented[/tooltip]
```

// Inconsistent tag '/tooltip'

Escaping standard nested tags works:

```
[u]start \\[s\\]Text\\[/s\\] end[/u]
```
Looking at the official definition of tags https://www.bbcode.org/reference.php the HTML5 preset is incomplete. Is there a plan to add the missing tags?