MyBB Community Forums

Full Version: Posting Javascript Into Forum - Is It Possible?
Hello, I'm new to MyBB and have one quick question. In other forums, I've been able to allow members to post javascript charts (that board required "Full HTML" box to be checked at time of posting vs std. default "Filtered HTML" for the following post to display properly). Here's a sample code:

<script type="text/javascript">var bfcParams = 'Symbol=VIX--X,TimeFrame=1-Day,NumberOfBars=134,WebChartID=274f746f-2a2d-4e62-a11a-fb9531e600c0';var bfcWidth = '600';var bfcHeight = '500';</script><script type="text/javascript" src="http://www.freestockcharts.com/script/bfcEmbeddedChart.js"></script>

Does anyone know how I can get a chart like this to be able to be displayed correctly in my forum?

Thanks in advance,
Greg
You'd need a modification, allowing javascript to be posted isn't something MyBB includes. If I remember correctly even allowing HTML in forums filters the <script> tag for security.
(2010-02-28, 08:34 PM)MattRogowski Wrote: You'd need a modification, allowing javascript to be posted isn't something MyBB includes. If I remember correctly even allowing HTML in forums filters the <script> tag for security.

Thank you Matt for the quick response. Can you explain in detail if and how it can be done?
I would not allow any JavaScript in forum posts because people will be able to call all sorts of things such as PHP scripts, HTML files, etc. I am not sure how you allow JavaScript in posts but I believe there is a free plugin that allows HTML to be posted, maybe look at the source and apply that for JavaScript?
If that's the only Javascript you need, you're probably better off making a custom MyCode for it. Note that the MyCode can probably actually look like the script tag you posted above, but I'm unsure what effort is required to get it working (haven't checked where MyBB sanitizes what).
I need this too... bump!
I would make this, but need more info. This is really insecure from what you guys have said, allowing anyone to post javascript can be dangerous for your users as it is a client side script.
This is extremely dangerous, but if you really need it, just create some MyCodes:

Title
Inline JavaScript

Regular Expression
\[javascript\](.*?)\[/javascript\]

Replacement
<script type="text/javascript">$1</script>

Example
Quote:[javascript]alert("JavaScript");[/javascript]



Title
External JavaScript

Regular Expression
\[javascript=(.*?)\]

Replacement
<script type="text/javascript" src="$1"></script>

Example
Quote:[javascript=http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.js]



Then you (and your users!!!) are able to post the following:

Quote:[javascript]
var bfcParams = 'Symbol=VIX--X,TimeFrame=1-Day,NumberOfBars=134,WebChartID=274f746f-2a2d-4e62-a11a-fb9531e600c0';
var bfcWidth = '600';
var bfcHeight = '500';
[/javascript]

[javascript=http://www.freestockcharts.com/script/bfcEmbeddedChart.js]
Yes, but that is very dangerous. Would be better to have it specifically for that, e.g. make it something like [chart]params=blabla height=500 width=500[/chart].

It would be harder to do something like that, but still possible.
If you know exactly what pieces are going to change you could create a mycode including all static (constant) portions and using variables for dynamic (changing) portions. I did this on one of my sites to allow recaptcha mailhide.

For example, if all the variables specified and external scripts are only allowed to come from one trusted source, you could create a mycode for it. Using the portion listed at the beginning...

<script type="text/javascript">var bfcParams = 'Symbol=VIX--X,TimeFrame=1-Day,NumberOfBars=134,WebChartID=274f746f-2a2d-4e62-a11a-fb9531e600c0';var bfcWidth = '600';var bfcHeight = '500';</script><script type="text/javascript" src="http://www.freestockcharts.com/script/bfcEmbeddedChart.js"></script>

would then turn into

Title
freestockcharts.com Chart

Regular Expression
\[chart params=(.*?) width=(.*?) height=(.*?)\](.*?)\[/chart\]

Replacement
<script type="text/javascript">var bfcParams = $1;var bfcWidth = $2;var bfcHeight = $3;</script><script type="text/javascript" src="http://www.freestockcharts.com/script/$4"></script>

Example
[chart params='Symbol=VIX--X,TimeFrame=1-Day,NumberOfBars=134,WebChartID=274f746f-2a2d-4e62-a11a-fb9531e600c0' width='600' height='500']bfcEmbeddedChart.js[/chart]

This would ONLY work if the variables that need to be edited are always var bfcParams, var bfcWidth, var bfcHeight, and the file name of the external script. The variables must contain the entire text from them, including the single quotations (if there is no form of quotations, it may not be read correctly by either mybb or the browser), and the file name at the end would have to be strictly the file name, not the entire URL.
This was just generated on the spot, I haven't tested it to verify that it would work. If you're going to attempt to use it, test first - don't assume it will work, I'm not 100% sure it will.
The reason the file name at the end is a file name and not the entire URL is for security. By including the domain and subdirectory in the replacement code instead of having members specify it, the code is made to only read scripts from that location (with that particular code).
If this code works (please test if you want to use it or me to modify it), I can very simply change the [chart][/chart] pieces to be something else (i.e. if there may be charts from more than one place, to specify which source).
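
The approach in the last two posts (keep the static parts in the replacement, constrain what members supply), modelled outside MyBB as an added example that is not code from the thread or from MyBB. Python's `re` stands in for the MyCode regex engine and covers only the substitution step, not any other filtering the forum applies; the field formats in `STRICT` are assumptions drawn from the sample tag, and the sample posts are constructed.

```python
import re

# Pattern from the post (bracket escapes corrected): every field is (.*?).
PERMISSIVE = re.compile(
    r"\[chart params=(.*?) width=(.*?) height=(.*?)\](.*?)\[/chart\]", re.S)
PERMISSIVE_OUT = (
    r'<script type="text/javascript">var bfcParams = \1;var bfcWidth = \2;'
    r'var bfcHeight = \3;</script><script type="text/javascript" '
    r'src="http://www.freestockcharts.com/script/\4"></script>')

# Allowlist pattern (assumed formats): the quotes are matched literally and
# re-added by the replacement, numbers are digits only, the file name is fixed.
STRICT = re.compile(
    r"\[chart params='([A-Za-z0-9=,-]{1,200})' width='(\d{1,4})' "
    r"height='(\d{1,4})'\]bfcEmbeddedChart\.js\[/chart\]")
SRC = "http://www.freestockcharts.com/script/bfcEmbeddedChart.js"


def _strict_repl(m):
    params, width, height = m.groups()
    return ('<script type="text/javascript">'
            f"var bfcParams = '{params}';var bfcWidth = '{width}';"
            f"var bfcHeight = '{height}';</script>"
            f'<script type="text/javascript" src="{SRC}"></script>')


def render_permissive(post):
    return PERMISSIVE.sub(PERMISSIVE_OUT, post)


def render_strict(post):
    # Tags that do not match are left as plain text, never turned into markup.
    return STRICT.sub(_strict_repl, post)


# Constructed sample posts.
LEGIT = ("[chart params='Symbol=VIX--X,TimeFrame=1-Day,NumberOfBars=134,"
         "WebChartID=274f746f-2a2d-4e62-a11a-fb9531e600c0' width='600' "
         "height='500']bfcEmbeddedChart.js[/chart]")
BREAKOUT = ("[chart params='x';alert(1) width='600' height='500']"
            "bfcEmbeddedChart.js[/chart]")
OTHER_FILE = ("[chart params='Symbol=VIX--X' width='600' height='500']"
              "../other.js[/chart]")

if __name__ == "__main__":
    for name, post in [("legit", LEGIT), ("breakout", BREAKOUT),
                       ("other file", OTHER_FILE)]:
        print(name, "| permissive:", render_permissive(post))
        print(name, "| strict:    ", render_strict(post))
```

With the permissive pattern the member-supplied text lands inside the `<script>` element and the `src` path unchanged; with the allowlist pattern only the well-formed tag becomes markup and the other two stay as literal text.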