How to call js from BBcode?

bloodchen

Hi,

I am trying to call a js function from BBcode. Example code below:

 $config->BBCodes->addCustom(
                '[nbdl payto={TEXT1} amount={NUMBER1}][/nbdl]',
                '<a target="_blank" href="#" onclick="console.log({TEXT1},{NUMBER1});return false;"></a>'
            );

But it then generates an error:

Attribute 'payto' is not properly sanitized to be used in this context

I understand it is a security issue to use the user input in the js code. But is there a way to sanitize the user input to make it doable?

Thanks

010101

bloodchen I’ve made a lot of BBCodes for Flarum. But, I am not aware of a way to bypass this. I think the code/library that powers the BBCode (s9e) has these built in security features.

However, you can create a BBCode that creates an element with a certain CSS class and then have JavaScript in your head or footer that targets that class.

That may not be your goal. But, the point is you can create BBCode that also use CSS and JavaScript.

bloodchen

010101 Thanks. Your suggestion is helpful. I think it’s a workaround to archive my goal.

clarkwinkelmann

Ideally, you could insert the data as data- attributes, which I think TextFormatter will allow and auto-escape, then use the javascript extension API to add a click handler on document that will react to clicks on targets matching your link. The attributes can then be read from event.target.dataset.

There are probably more advanced solutions around templates if you really need inline javascript, but it's not something I've ever done either. If you haven't already, you can check the TextFormatter documentation https://s9etextformatter.readthedocs.io/Templating/Template_security/

In general, we are currently trying to remove all inline javascript from the formatter because it's a deal breaker for implementing a proper Content Security Policy so we'd recommend extensions to avoid all inline javascript as well.