Forum Search MyCode
#1
This will urge your members to use the forum search. I think it would be extremely useful on support/tutorial type sites, but can be used on any kind of MyBB Forum.

Regular Expression:
\[search\](.*?)\[/search\]

Replacement:
<div style="width: 320px;">
<fieldset><legend class="largetext">Did you search?</legend>
<form method="post" action="search.php" style="margin: 1px;">
    <input type="text" class="textbox" name="keywords" value="$1" size="30" style="width: 230px; height: 18px;" /><input type="submit" class="button" name="submit" value="Search" /> <input type="hidden" name="action" value="do_search" /><input type="hidden" name="postthread" value="1" checked="checked" />
    <input type="hidden" name="showresults" value="threads" checked="checked" />
</form>
</fieldset>
</div>

Usage:
[search]Your Search Query Goes Here[/search]

Example:
[search]adding a new mycode[/search]

#2
.*? as usual is unsafe. It allows users to inject HTML/JavaScript.
#3
That's correct. It wouldn't be dangerous if you use this: http://mybbhacks.zingaburga.com/showthread.php?tid=269
#4
Then why is MyBB using it as a default method of adding mycodes?
#5
Because it's perfectly valid. It's just not safe to use when you're writing user data within an HTML tag.

Instead of:
\[search\](.*?)\[/search\]
you should use:
\[search\]([\w\s]*?)\[/search\]
that allows letters (digits) and whitespace. If you really need to allow other characters, use:
\[search\]([^"]*?)\[/search\]
that allows anything but "
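Added example, not part of any post in this thread: a Python check that runs the three expressions from the thread against constructed posts and asks an HTML parser whether the captured text stayed inside the `value` attribute. It models only the regex substitution step, not MyBB's parser; `TEMPLATE` is a cut-down copy of the replacement from post #1, and the function names and sample posts are made up for the example.

```python
import re
from html.parser import HTMLParser

# Cut-down version of the thread's replacement: only the field that receives $1.
TEMPLATE = '<input type="text" class="textbox" name="keywords" value="$1" size="30" />'
EXPECTED_ATTRS = {"type", "class", "name", "value", "size"}

# The three expressions discussed in the thread.
PATTERNS = {
    "any": r"\[search\](.*?)\[/search\]",
    "word_space": r"\[search\]([\w\s]*?)\[/search\]",
    "no_dquote": r'\[search\]([^"]*?)\[/search\]',
}

class TagCollector(HTMLParser):
    """Record every start tag and its attributes as an HTML parser sees them."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def expand(pattern, post):
    """Model of the substitution step only: put the capture where $1 is."""
    return re.sub(pattern, lambda m: TEMPLATE.replace("$1", m.group(1)), post)

def verdict(pattern, post):
    html = expand(pattern, post)
    if html == post:
        return "not expanded"   # tag stays as literal text in the post
    collector = TagCollector()
    collector.feed(html)
    collector.close()
    contained = (len(collector.tags) == 1
                 and collector.tags[0][0] == "input"
                 and set(collector.tags[0][1]) == EXPECTED_ATTRS)
    return "contained" if contained else "broke out"

# Constructed sample posts (harmless marker attribute instead of a real payload).
SAMPLES = [
    "[search]adding a new mycode[/search]",
    "[search]what's new?[/search]",
    '[search]foo" data-marker="1[/search]',
]

if __name__ == "__main__":
    for post in SAMPLES:
        print(post, {name: verdict(p, post) for name, p in PATTERNS.items()})
```

The `no_dquote` result depends on the template wrapping `$1` in double quotes; a template that used single quotes or no quotes around the capture would need a different character class.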

