ExpressionEngine CMS
Open, Free, Amazing

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

html in discussion board names and descriptions

March 07, 2008 9:16pm

  • #1 / Mar 07, 2008 9:16pm

    Katrar

    10 posts

    When I name and describe my discussion board forums I have tried to include html formatting such as bold, italics, color changes etc. In the admin CP the board lists display this formatting just fine but for the end user on the actual forums the formatting does not occur. Topics show with their textual formatting i.e. <bold>General Discussion</bold> etc.

    I have looked around for a toggle or something of the sort, and searched these forums for any relevant threads but haven’t found anything.

    Is this just something I should not do in the EE Discussion Forums module? Or am I handling it incorrectly?

  • #2 / Mar 07, 2008 9:48pm

    Jared Farrish

    575 posts

    There’s the toggle for “allow all/safe html in post” found in the weblog preferences page.

    I get there in Firefox by going to Publish Tab->Mouseover to get menu, “Edit Weblogs” entry->“Edit Preferences” for the weblog, and then the “Weblog Posting Preferences” menu link.

  • #3 / Mar 07, 2008 10:56pm

    Katrar

    10 posts

    I tried allow all HTML in both weblog preferences and in the discussion forum preferences, but the end display of the forums still does not process the html.

    Strangely, the html looks correct while viewing the CP. But not the forum itself. And just to clarify, it’s not actual post contents I’m looking at, it’s the names and descriptions of the various discussion boards themselves.

    Something like:

    Discussion Board
    This board is for general topics of conversation.

    is displayed as:

    <b><i>Discussion Board</b></i>
    <i>This board is for general topics of conversation.</i>

  • #4 / Mar 07, 2008 11:16pm

    Jared Farrish

    575 posts

    Oh. I would assume you wouldn’t want html in a name variable. Html should only be used in template code, otherwise the template engine is going to encode the delimiter characters to &lt; and &gt; before putting it in the database. I imagine it’s a security feature, too, although I’m not sure what name/description fields you’re talking about. Is it a weblog using default group fields?

  • #5 / Mar 08, 2008 12:01am

    Katrar

    10 posts

    The fields I am entering are located in the Discussion Forums module, and they are located within Create New Forum within Forum Management. They aren’t located within any weblog entry, purely the names and descriptions of forum boards on the official EE Discussion Board module.

    Specifically the Forum Name and Forum Description fields. They correctly display the html when viewing/editing discussion forum boards within the CP, which seems to indicate that they made it safely into the database. But that is viewing the board details from within the CP. When the forums themselves are viewed from the perspective of a user the board names and descriptions do not process the html, and the tags appear.

    I too thought/think that it may be a security precaution. But it seems odd that the html would correctly process when viewed within the CP, but not process when viewed upon the actual forum?

  • #6 / Mar 08, 2008 12:10am

    Jared Farrish

    575 posts

    I see. In that case, it does seem strange. I would think the encoding/decoding would be evenly applied, so as not to be confusing.

    If you have PHP enabled, you can use html_entity_decode() to translate it back to parsable text.

  • #7 / Mar 09, 2008 11:31am

    Robin Sowell

    13255 posts

    The board names, descriptions, etc. are parsed differently than the post contents. You can see - they’re all run through the _convert_special_chars function. As Jared suggests - probably easiest way to get markup in there is turn php on in the forums and switch things back. Would be a good feature request as well - to allow html in those headings.

    But that’s what you’re running into here.

  • #8 / Mar 09, 2008 1:48pm

    Jared Farrish

    575 posts

    Is it a good idea then to “allow” html in names and descriptions? Names probably not; descriptions, you could make an argument.

    But from a security point of view, personally, I would strip HTML out of areas that are not supposed to have html, before insert, since it goes through a different route than textareas (and loses some of that associated security). It’s also not a reasonably expected behavior (encoded characters in name attributes, except &amp;).

    Autobot signups, or a rogue member, could turn that into an XSS issue, unless the EE core programmers are careful and wash all inputs.
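
An added example, not part of the original thread and not ExpressionEngine code: it contrasts the plain `html_entity_decode()` approach suggested in #6 and #7 with an allowlist that addresses the XSS concern raised in #8. The helper name `render_forum_label()`, the list of permitted tags, and the sample values are assumptions made for illustration.

```php
<?php
// Added example, not ExpressionEngine code. render_forum_label() is a
// hypothetical helper; the tag allowlist is an assumed policy.
const ALLOWED_TAGS = ['b', 'i', 'em', 'strong'];

/**
 * Take a label stored with its special characters entity-encoded and return
 * HTML that is safe to print: everything stays encoded except bare,
 * attribute-free tags from the allowlist.
 */
function render_forum_label(string $stored): string
{
    // 1. Undo the stored encoding to recover what was typed into the field.
    $raw = html_entity_decode($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Encode everything again so that no markup survives by default.
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 3. Restore only opening/closing allowlisted tags that carry no
    //    attributes; anything else remains visible text.
    $names = implode('|', ALLOWED_TAGS);
    return preg_replace('~&lt;(/?)(' . $names . ')&gt;~i', '<$1$2>', $safe);
}

// Constructed sample values, written as they would look once encoded.
$samples = [
    '&lt;b&gt;&lt;i&gt;Discussion Board&lt;/i&gt;&lt;/b&gt;',
    '&lt;i onmouseover=&quot;alert(1)&quot;&gt;General&lt;/i&gt;',
    '&lt;script&gt;alert(1)&lt;/script&gt; Off Topic',
];

foreach ($samples as $stored) {
    // Decoding alone turns every stored tag back into live markup.
    echo "decode only : ",
        html_entity_decode($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8'), "\n";
    // The allowlist restores simple formatting and leaves the rest encoded.
    echo "allowlisted : ", render_forum_label($stored), "\n\n";
}
```

With these samples, the first label comes back as working bold and italic markup, while the attribute-bearing tag and the script element stay encoded and display as text.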
