Well, IIRC, the three characters I found not working were "!", "~" and "?" (see
my post in "Underline in URL converted to <u/>"). But I'm quite sure that these are not the only characters not working anymore. This was the first reason to stop using BBCode, because I didn't want to go through each of my entries to find possible problems.
I understand your security concerns, and I'm glad to hear that you're people who take security as serious as I do. I'm not really familiar with XSS, therefore I don't know how high the risk was or if it wouldn't be possible to just take out the "dangerous" characters instead of taking out all special characters and putting the "safe" ones in again version by version (shouldn't the valid characters be defined at
RFC 2396?).
However, where I work (a German university), the use of "~" in URLs is quite common (see
Apache's
mod_userdir default configuration). I don't like it either, but I wouldn't say it's uncommon. And the bang ("!")... well, s9y itself creates links with this character in it (for example
this blog entry), so it shouldn't refuse from linking to itself, should it.
I admit that "completely unusable" is a bit exaggerated, but these problems just made me think "aww, who knows which entries are affected, just throw the whole thing out". Also (and that's the second reason why I stopped using BBCode) I wanted to stop using NL2BR, so I decided to write all my HTML myself.
As I said in the first place, this is in no way meant to offend the BBCode (or NL2BR) plugin authors. When I first started to use s9y, I found the mass of input code plugins really cool (although you should clarify for the "wiki" plugin, which kind of wiki it resembles, because DokuWiki's syntax is quite different from MediaWiki, for example), and I definitely don't want to keep you from writing other plugins (hey, how about a TeX one
), but I just found out that I'm too much of an HTML fetishist to let some plugin create my code. I also don't intend to keep other people from using BBCode or NL2BR, but I decided to publish the script because it has been some hours of work and I thought that maybe others would find it useful.
Thanks for the quick fix of the BBCode plugin (although I don't need it anymore *g*). BTW, is "(" and ")" in the list of the allowed characters? Some excessive
Wikipedia linkers (like I am) would possibly need it (even though MediaWiki itself urlencode()s the brackets).
And hey, thanks for visiting and commenting in my blog!
Therefore I wrote a little script to do this stuff automatically. If you want to do the same thing, have a look at BBCode Destroyer for Serendipity. It's a simple PHP script (public domain), and there's also a small english "how to use" manual.