#BBCode is more than two decades old and it made perfect sense back when it was introduced. It was somewhat of an “HTML light” because at the time safely enforcing only a subset of HTML was very complicated. In 2007 I still witnessed MySpace fail at it, repeatedly.
Now back to #BBCode. It being seemingly simple means that most implementations don’t bother with HTML sanitization. Instead, the expectation is that you run a bunch of regexps to produce HTML code and it will just be fine. Except that usually it’s not: https://jeffchannell.com/Other/bbcode-xss-howto.html
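
Added illustration of the pattern described in the post above (not part of the original thread, and not code from any project mentioned in it): a regex-only BBCode converter next to a variant that escapes all input first and validates link targets. The function names, the two supported tags, the http(s)-only link policy and the sample inputs are assumptions made for this example.

```python
import html
import re

def render_naive(text):
    """Regex-only conversion with no escaping: the pattern the post warns about."""
    text = re.sub(r"\[url=(.*?)\](.*?)\[/url\]", r'<a href="\1">\2</a>', text, flags=re.S)
    return re.sub(r"\[b\](.*?)\[/b\]", r"<b>\1</b>", text, flags=re.S)

# Assumption: only absolute http(s) links are wanted; anything else loses its link.
_SAFE_URL = re.compile(r"https?://[^\s\"'<>\[\]\x00-\x1f]+", re.I)

def _link(match):
    url = html.unescape(match.group(1))  # undo the escaping once to validate the real value
    label = match.group(2)               # still HTML-escaped
    if not _SAFE_URL.fullmatch(url):
        return label                     # keep the text, drop the link
    href = html.escape(url, quote=True)  # re-escape for the attribute context
    return '<a href="%s" rel="nofollow noopener">%s</a>' % (href, label)

def render_hardened(text):
    """Escape everything first, then emit only markup this function builds itself."""
    text = html.escape(text, quote=True)
    # The URL part may not contain brackets or whitespace, so later passes
    # cannot rewrite anything inside an href that has already been emitted.
    text = re.sub(r"\[url=([^\]\[\s]+)\](.*?)\[/url\]", _link, text, flags=re.S)
    return re.sub(r"\[b\](.*?)\[/b\]", r"<b>\1</b>", text, flags=re.S)

# Constructed sample inputs (not taken from the linked report).
SAMPLES = [
    "[b]<img src=x onerror=alert(1)>[/b]",
    "[url=javascript:alert(1)]x[/url]",
    "[url=https://example.com/?a=1&b=2]site[/url]",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("input:   ", sample)
        print("naive:   ", render_naive(sample))
        print("hardened:", render_hardened(sample))
```

Escaping first only covers the tags handled here; output that mixes in other HTML sources still needs an allowlist-based HTML sanitizer as the last step.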
@hypolite Ehm, I know, I created that report. Now guess what the context of this thread is. 😉
So it’s all about custom markup? Off the top of my head, a generic solution with Markdown would be adding some custom HTML tags. These can be processed independently of the Markdown processor, either before or after the processor runs (security-wise the former is preferable but might not be flexible enough).
@WPalant Thank you for taking the time to look at some Fediverse projects and their #security! I've never noticed you mention any such cases via this Mastodon account, so I am using this opportunity. Now, when there're so many interconnected projects, there may be multiple security issues. All the help from the Fediverse #infosec community is much appreciated! 👾