
Why should I use BBCode but not HTML in comment forms?

I'm writing a comment parsing function in PHP.

Since BBCode is not a real markup language, I've never liked the writing style.

So I'm giving visitors the ability to use basic HTML code in comment forms.

And when posting, PHP will check for disallowed and invalid tags/attributes, and either replace or remove them.

I believe it does the same job and outputs exactly the same as BBCode.

If this is true, why is there BBCode? Does BBCode have any advantages over HTML?

Update

As monochrome answered:

> If you're confident that your HTML filter is safe enough, you should be fine though.

Well, I'm not confident writing the filter myself, but there are some top-rated filters out there like PHP Simple HTML DOM Parser, HTML Purifier, htmLawed...

The BBCode is developed by UBB and still being widely used, such as phpBB.

Are the developers from UBB/phpBB not confident about their skills to write a perfect HTML filter? (I guess not)

Also, like the Markdown that StackOverflow is using... if HTML + parser does the job, why invent another "language" anyway? (Except for saving a few bits...)


Its main advantage is the prevention of unwanted code injections. That's why I would use something like BBCode or Markdown.

At least you should work with a whitelist of allowed HTML tags and not with blacklisting.


BBCode eliminates the issue that your HTML filter might have bugs so that the commenter can comment code he's not supposed to comment. If you're confident that your HTML filter is safe enough, you should be fine though.

Another problem is that HTML comments might break your layout, e.g. when the commenter puts in a single closing </div> or something like that.


BBCode became popular as a way of allowing the user limited access to HTML while trying to prevent XSS. BBCode became popular before there were solutions like HTML Purifier. In all reality, BBCode and HTML Purifier have their own security problems. It's just that BBCode was a simpler solution to this problem.


Using BBCode + converting all remaining tags with htmlspecialchars seems to be totally XSS-free to me (unless the BBCode parser is really super badly designed).

Ultimately, both of them reach the same goal. Currently I choose BBCode because HTML Purifier auto-strips tags instead of replacing the remaining tags with htmlspecialchars. At least in the demo I didn't see the function keeping the remaining tags.

So there's some problem, as we want the user to write &lt; instead of auto-converting it to <. And some more issues of laziness in validating all data.

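A concrete form of the "BBCode + htmlspecialchars for everything else" approach from the last answer, which also applies the whitelist advice given earlier, as an added example that is not part of the question or any answer. The tag names, regexes, and allowed URL schemes are my own choices.

```php
<?php
// Added example (not from the question or the answers): escape the whole
// comment first so no visitor-supplied "<" can ever open a tag, then rewrite
// only a short whitelist of BBCode tags into HTML. Because every emitted pair
// comes from one regex match, the output is always balanced, so a stray
// </div> in a comment cannot break the page layout either.

function render_bbcode(string $comment): string
{
    // 1. Make every character inert. After this line the string holds no raw
    //    "<", ">", '"' or "'", so <script> or </div> is shown as plain text.
    $html = htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Whitelisted tags without attributes: a fixed mapping, so nothing the
    //    visitor typed reaches the output except the already-escaped text.
    $simple = ['b' => 'strong', 'i' => 'em', 'code' => 'code'];
    foreach ($simple as $bb => $tag) {
        // Non-greedy, one pair at a time; an unmatched opener stays literal.
        $html = preg_replace(
            '/\[' . $bb . '\](.*?)\[\/' . $bb . '\]/s',
            "<$tag>\$1</$tag>",
            $html
        );
    }

    // 3. [url=...]text[/url]: the only attribute value we emit. It is accepted
    //    solely as an absolute http(s) URL, which rejects javascript: and
    //    data: targets. Quotes and "&" inside it are already entities, so the
    //    value cannot close the href attribute.
    $html = preg_replace_callback(
        '/\[url=([^\]\s]+)\](.*?)\[\/url\]/s',
        function (array $m): string {
            if (!preg_match('#^https?://#i', $m[1])) {
                return $m[2]; // disallowed scheme: keep the link text only
            }
            return '<a href="' . $m[1] . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $html
    );

    return $html;
}

// Constructed sample: one benign tag, one raw HTML attempt, one hostile URL.
echo render_bbcode('[b]Hi[/b] <script>alert(1)</script> [url=javascript:alert(1)]x[/url]'), "\n";
```

The raw `<script>` survives only as `&lt;script&gt;` text and the `javascript:` link is reduced to its label, while `[b]Hi[/b]` becomes `<strong>Hi</strong>`.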
