MyBB Community Forums

Hello,
I have found the following line in class_parser.php:
#\[url=([^\r\n\"<&\(\)]+?)\](.+?)\[/url\]#si

Now I have the question why it is disallowed here? I know, correct urls should match the previous regex (#\[url=([a-z]+?://)([^\r\n\"<]+?)\](.+?)\[/url\]#si), but still & is used very often in urls and if you forget http(s)://, your URL won't be matched.

My Questiona are:

1. What is this Regex for if all valid urls should match the one above?
   
2. What is the security-Problem with matching & in this regex?
   

Thanks in advance ...
Thomas

That does seem a bit odd. The & character is certainly an allowed character.

(2015-08-21, 08:40 AM)Euan T Wrote: [ -> ]That does seem a bit odd. The & character is certainly an allowed character.

Not for the url_complex2 which supports the non http(s)://

https://github.com/mybb/mybb/blob/featur...r.php#L310

Ah yes, true. The whole parser is really a mess in 1.0, the 2.0 overhaul should improve it a god deal.

Will it use actual parsing or will it be the same regex mess?
Just wondering since you guys are going with the whole framework thing so might as well use a real parser.

(2015-08-21, 11:11 AM)Rakes Wrote: [ -> ]Will it use actual parsing or will it be the same regex mess?
Just wondering since you guys are going with the whole framework thing so might as well use a real parser.

Not decided yet, but I'd like to use an actual parser. At the minute, parsed posts are also cached, which saves quite a lot of processing.

Thanks for all this answering! OK, My question is answered.

Thanks,
Thomas131

P.S.:I don't find the button, to mark this thread as solved ...

test1
test2
test3

This should definitely be fixed, not sure why it wasn't moved to bug reports.

so what s happening with this? Do i need a manual change?
what do i need to do to allow the "&" in the myCode?

http://community.mybb.com/thread-185099-...pid1193136

Do you have an actual and valid example that doesn't work with the URL mycode?