Because that middle-man is your best bodyguard to avoid any problems with html injection. A white list of html tags? It's not a really open system (you can't create anymore any customized tags) and it is difficult to efficiently protect. Any html in messages should be avoided if you don't have a full control on which members can use it. Now there are other systems than BbCodes such as
Markdown and
WikiText, but I'm not sure it would be better...
Thanks for the insight Cédric. That makes sense. However, it seems other sites (Tumblr being a good example) seem to manage fine with out bbCode. I assume they must have fairly robust fail-safes to sanitize HTML, prevent code-injection, etc?
I acknowledge that my goals may be different than some, but I do believe the vast majority of forum-goers and communities simply don't need access to bbCode or HTML in any form. Sure, the older forum-goers and technical users enjoy editing code, but I think that's quickly becoming a very edge-case scenario.
In the context of a forum where users would not see or interact with any markup, is something like bbCode still required for that layer of security? Is a bbCode parser really that much safer than an HTML parser?
Is there perhaps an even simpler way to provide something along the lines of an enhanced textarea (which would insert
only pre-defined HTML snippets)? Could a purely client-side(JS) solution insert hidden markers for the server to process in to pre-defined HTML output?
How many people really need more than the following buttons: bold, italic, lists, quotes, links, smilies, attachments?
I suppose the bottom-line is this: I think it's time to re-evaluate how visitors are actually using the text editor on a modern forum. Having better mobile support, like a plain textarea (with a few added perks) would seem far more valuable than a "full featured" editor like TinyMCE, which is bandwidth heavy and still uses a rats-nest of 1990's tables to display a basic toolbar.
