pouet2.0
Do not output script links because some people clearly can't handle it
Updates BB encoder to not output script links: http://www.pouet.net/prod.php?which=68660
LJ, this doesn't appear to strip leading whitespace - see test case which this PR will hopefully neutralize. That is, a URL of " javascript:..." doesn't look like it would be matched by the substr(...,0,11) in bbencode_url_cb().
In eeaa8fe `bbencode()`, should the regex be, for example,

```
/\[url=\s*+(.*?)\](.*?)\[\/url\]/si
       ^^^^
```

to make sure `javascript` always starts at position 0 in `$matches[1]`? (And likewise for the other regexes in `bbencode()`.)
This is a comment rather than a patch because I have never spent any quality time with this codebase, so as far as I know whitespace may already be handled somewhere else. :)
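The whitespace problem raised in the comment above, as an added example in PHP that is not part of pouet2.0 (the function names and the sample inputs are constructed for illustration):

```php
<?php
// Added example, not pouet2.0 code. Shows why a fixed-offset prefix check
// misses a scheme preceded by whitespace, and an allow-list check that
// does not. Function names and inputs are constructed for this example.

// Naive check in the style discussed in the thread: inspects bytes 0..10 only,
// so any leading whitespace shifts the scheme out of the window it looks at.
function naive_is_script_url(string $url): bool
{
    return strtolower(substr($url, 0, 11)) === 'javascript:';
}

// Hardened check: trim surrounding whitespace, reject embedded control
// characters, then allow only an explicit set of schemes. Scheme-less
// (relative) URLs are accepted because they cannot select a handler.
function is_safe_href(string $url): bool
{
    $url = trim($url); // strips space, \t, \n, \r, \0, \x0B
    if (preg_match('/[\x00-\x1F\x7F]/', $url)) {
        return false;
    }
    if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $url, $m)) {
        return true; // no scheme at all: relative path, query or fragment
    }
    return in_array(strtolower($m[1]), ['http', 'https', 'ftp', 'mailto'], true);
}

// Constructed inputs; the third and fourth are the case the review raised.
$inputs = [
    'http://www.pouet.net/prod.php?which=68660',
    'javascript:void(0)',
    ' javascript:void(0)',
    "\tJavaScript:void(0)",
    '/prod.php?which=68660',
];

foreach ($inputs as $u) {
    printf("%-32s naive=%-6s hardened=%s\n", json_encode($u),
        naive_is_script_url($u) ? 'script' : 'ok',
        is_safe_href($u) ? 'allow' : 'block');
}
```

The naive check reports `ok` for the whitespace-prefixed inputs while the hardened check blocks every `javascript:` variant and still allows the ordinary absolute and relative links.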
To quote a classic, "why don't we just take all the warning labels off, and let the problem solve itself"? Pouet is supposed to be for people who are highly computer savvy. I'm not gonna block script use just because a bunch of people click everything they can see.
Should this PR be kept open, or closed? @Gargaj
You can always reopen it when the next XSS attack wreaks havoc :P
On Sun, 1 Dec 2019 at 01:01, Esa Juhani Ruoho <[email protected]> wrote:

> Should this PR be kept open, or closed? @Gargaj https://github.com/Gargaj
-- making pixels dance