为什么我应该在评论表单中使用BBCode而不是HTML? [英] Why should I use BBCode but not HTML in comment forms?
问题描述
我正在用PHP编写评论解析函数。
由于BBCode不是真正的标记语言,我从来不喜欢写作风格。
因此,我让访问者能够在评论表单中使用基本HTML代码。
发布时,PHP将检查不允许的和无效的标记/属性,并替换或删除它们。
我相信它的工作和输出与BBCode完全一样。
如果这是真的,为什么有BBCode? BBcode与HTML有什么优势?
更新
为单色回答
如果您确信您的HTML过滤器足够安全,您应该没问题
好吧,我对自己编写过滤器没有信心,但是有一些评分最高的过滤器,比如PHP Simple HTML DOM Parser,HTML Purifier,htmLawed ...
BBCode由UBB开发,目前仍在广泛使用,如phpBB。
UBB / phpBB的开发人员对他们的技能没有信心写一个完美的HTML过滤器? (我猜不是)
另外,就像StackOverflow使用的Markdown一样...如果HTML + Parser完成这项工作,为什么还要创造另一种语言? (除了保存几位...)
主要优点是防止不需要的代码注入。这就是为什么我会使用BBCode或Markdown之类的东西。
至少您应该使用允许的HTML标签的白名单,而不是将其列入黑名单。
I'm writing a comment parsing function in PHP.
Since BBCode is not a real markup language, I'v never liked the writing style.
So I'm giving visitors the ability to use basic HTML code in comment forms.
And when posting, PHP will check for disallowed and invalid tags/attributes, and either replace or remove them.
I believe it does the same job and output exactly the same as with BBCode.
If this is true, why are there BBCode? Does BBcode have any advantages over HTML?
update
as monochrome answered
If you're confident that your HTML filter is safe enough, you should be fine though
well, I'm not confident writing the filter myself, but there are some top-rated filters out there like PHP Simple HTML DOM Parser, HTML Purifier, htmLawed...
The BBCode is developed by UBB and still being widely used, such as phpBB.
Are the developers from UBB/phpBB not confident about their skills to write a perfect HTML filter? (I guess not)
Also, like the Markdown that StackOverflow's using...if HTML+Parser does the job, why invent another "language" anyway? (except for saving a few bits...)
It's main advantage is the prevention of unwanted code injections. That's why I would use something like BBCode or Markdown.
At least you should work with a White-List of allowed HTML-Tags and not with blacklisting.
这篇关于为什么我应该在评论表单中使用BBCode而不是HTML?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
