BBCode introduction

As the name implies, Bulletin Board Code (BBCode) is used extensively in blogs and bulletin boards to accept user posts and comments. BBCode is a special markup language that maps to HTML. Unlike HTML, its tags start with a '[' symbol and end with a ']' symbol. So in BBCode, bold text is written as [b]This is bold text[/b]. A few commonly used BBCode tags and their HTML equivalents are given below.

| Element | HTML | BBCode |
|---|---|---|
| Bold | <b>This is bold text</b> | [b]This is bold text[/b] |
| Italic | <i>This is italic text</i> | [i]This is italic text[/i] |
| Underline | <u>underline text</u> | [u]underline text[/u] |
| Strikethrough | <s>Strikethrough</s> | [s]Strikethrough[/s] |
| Subscript | <sub>Subscript</sub> | [sub]Subscript[/sub] |
| Superscript | <sup>Superscript</sup> | [sup]Superscript[/sup] |
| Image | <img src="URL" /> | [img]URL[/img] |
| List | <ul>List</ul> | [ul]List[/ul] |
| Ordered List | <ol>List</ol> | [ol]List[/ol] |
| Link | <a href="URL">Anchor text</a> | [url]URL[/url] or [url=URL]Anchor text[/url] |

Why BBCode?

On popular bulletin boards and blogs, user posts and comments are published automatically, before any moderation by the board administrator. On such boards, allowing users to post their own HTML code causes the following problems.

  1. A user may input an unterminated division element, which can destroy the entire page structure.
  2. Malicious users can input new style definitions.
  3. The most serious threat is external JavaScript input, which may
    - lead to XSS attacks;
    - redirect viewers to a potentially dangerous page on a different server.

To remove these threats, webmasters have the following options.

  1. Moderate user posts before they are published; but this will discourage users from using the board.
  2. Filter out any unwanted tags from user input with automated software.
  3. But the most effective solution is to use a BBCode editor to accept user input.

BBCode effectively removes those threats and gives harmless HTML output.

How does BBCode work?

Web browsers can't read or decode BBCode tags; they read them as plain text. It is the webmaster's responsibility to convert BBCode into its HTML equivalent before the page is downloaded by the browser. Webmasters do this with automated software. This gives programmers and webmasters the opportunity to filter out all HTML tags, or convert them into their text equivalents, before the BBCode-to-HTML conversion. In this way BBCode prevents the threat of HTML input.
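The escape-first, convert-second order described above, as an added Python example (not code from the original page). The function names and the http/https-only rule for [url] and [img] are assumptions of this example; the tag set is the one in the table.

```python
import html
import re
from urllib.parse import urlsplit

# BBCode tags from the table above that map 1:1 to an HTML element.
SIMPLE_TAGS = ("b", "i", "u", "s", "sub", "sup", "ul", "ol")
ALLOWED_SCHEMES = {"http", "https"}  # assumption: only web links and images


def safe_url(escaped):
    """Return an attribute-safe URL, or None if it must not be linked."""
    url = html.unescape(escaped).strip()
    if not url or re.search(r"[\s\[\]]", url):
        return None
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None  # drops javascript:, data:, relative and scheme-less URLs
    return html.escape(url, quote=True)


def _link(m):
    url = safe_url(m.group(1) or m.group(2))
    # Rejected URL: leave the BBCode as inert text instead of emitting <a>.
    return f'<a href="{url}">{m.group(2)}</a>' if url else m.group(0)


def _image(m):
    url = safe_url(m.group(1))
    return f'<img src="{url}" />' if url else m.group(0)


def bbcode_to_html(text):
    """Convert BBCode to HTML; any HTML the user typed comes out as text."""
    # Step 1: turn <, >, &, " and ' into entities before touching BBCode.
    out = html.escape(text, quote=True)
    # Step 2: convert whitelisted tags; only matched open/close pairs match,
    # so an unterminated [b] stays plain text.
    flags = re.I | re.S
    out = re.sub(r"\[url(?:=(.*?))?\](.*?)\[/url\]", _link, out, flags=flags)
    out = re.sub(r"\[img\](.*?)\[/img\]", _image, out, flags=flags)
    for tag in SIMPLE_TAGS:
        out = re.sub(rf"\[{tag}\](.*?)\[/{tag}\]", rf"<{tag}>\1</{tag}>", out, flags=flags)
    return out
```

Escaping alone does not cover the URL inside [url] and [img], because a javascript: URL contains no HTML characters; that is why the URL is checked separately before it is written into an attribute.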
