By Inspire Theme LTD on Tuesday, 02 August 2016
Posted in Technical Issues
Hi again guys,

In ED3.x we used HTML in the comments in order to style some text.
We mostly used the "code" HTML tag in order to style some (one line) code. For multiple lines we used the option that comes from the BBCode Editor.

So, after I updated to ED4.x, the tags are no longer rendered as HTML and therefore our forum is full of HTML tags. Instead of seeing a styled text, the user sees the tags as well, for example:

<code>Something Here</code>


Is this a bug or did you do it on purpose?
If you did it on purpose, please add an option in the backend which allows us to enable HTML in the discussions.

Look guys, you can easily say "This is how we want it", but our forum is now full of rubbish, full of HTML tags that show as text.
Hi Ivo Valkov,

The reason why the BBCode editor no longer supports the HTML tag is because we got quite a few complaints from users that they got Cross-Site Scripting (XSS) attacks through the HTML tag by using the BBCode editor.
However, if you want the HTML tag rendered again, then as you upgrade to ED4.x you need to apply the fix file to the unzipped installer (component) package first:
com_easydiscuss_component_pro_4.0.7_joomla3.0.zip/admin.zip/includes/parser
Then zip it back, and you're ready to update.
Wednesday, 03 August 2016 16:36
Hey Muhammad,

Thanks! The attached "parser.php" did the job.

But here comes the problem: every time I update ED, I'll also have to copy back the modified "parser.php". You might also make some changes to this file in the future and I'll be stuck with an out-of-date copy of it.
Can't you just add an "if/else" statement in it and then add an option in the Admin (see the attached screenshots)?

I reviewed the file and the only difference is on line 162. In the original ED4.x file it is commented out, and in the one you attached it is not commented out:

// We cannot decode the htmlentities here or else, xss will occur!
// // we need to make sure no special characters at this points
$text = htmlspecialchars_decode($text, ENT_QUOTES);


Really, can you please add it as an option in the Admin? I'm sure you'll have more users asking for this in the future.

P.S. Guys, I'm really not moaning. I do believe that all the features/changes I asked for will actually make your software better.
Wednesday, 03 August 2016 17:37
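To illustrate the difference between the decode line quoted above and the XSS complaints Muhammad mentions, here is an added example that is not EasyDiscuss code. It assumes, as the thread describes, that post text was escaped with htmlspecialchars() when it was saved, and it compares decoding everything on output against rendering only a [code] BBCode tag.

```php
<?php
// Added illustration, not EasyDiscuss code. Assumes, as the thread describes,
// that post text was escaped with htmlspecialchars() when it was saved.

// Risky path: the uncommented parser.php line. Decoding the stored entities
// hands every tag the poster typed back to the browser as live markup.
function renderDecoded(string $stored): string
{
    return htmlspecialchars_decode($stored, ENT_QUOTES);
}

// Safer path: leave the stored text escaped and let only a [code] BBCode tag
// become a <code> element. Its contents stay entity-encoded, so they are
// displayed literally and cannot run.
function renderWithCodeTag(string $stored): string
{
    return preg_replace_callback(
        '/\[code\](.*?)\[\/code\]/s',
        fn(array $m): string => '<code>' . $m[1] . '</code>',
        $stored
    );
}

// Constructed sample posts, escaped on save as the thread describes.
$codePost    = htmlspecialchars('[code]$x = "a" < "b";[/code]', ENT_QUOTES);
$hostilePost = htmlspecialchars('<script>/* constructed */</script>', ENT_QUOTES);

// The decoded version restores the script tag as live markup.
echo renderDecoded($hostilePost), PHP_EOL;
// The [code]-only version leaves the hostile post as escaped plain text.
echo renderWithCodeTag($hostilePost), PHP_EOL;
// A legitimate code post still gets its <code> element, contents escaped.
echo renderWithCodeTag($codePost), PHP_EOL;
```

The point for a site operator is that the single decode line undoes the escaping for every tag at once; re-enabling specific formatting through the BBCode parser does not.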
hey there,

Thanks for your input. We wouldn't recommend adding an option for this.

Even if we added an option and set it to NO by default, it wouldn't solve your problem, because in EasyDiscuss 4 we already implemented a new table called `#__discuss_thread`. It stores the discussion content (which has already been parsed, with all the special HTML entities converted back to characters) in the `preview` column. When the page loads, the system only gets the content from this `preview` column, so that it does not go through the whole BBCode parser process, which makes the page load faster. Therefore, when you upgrade from the 3.x version with this option set to NO by default, that PHP code will not be executed, meaning all the HTML entity codes stay the same and are stored in this `preview` column.

If we added an option for this and set it to YES by default, it would solve your problem, but our other customers might end up getting hacked by somebody and come to complain to us about this big issue.

Another big issue is that if a user already posted some HTML code in their discussion content earlier, while this option was set to NO, then when the admin turns it on, this user has to edit the post and save it again in order to show the special HTML entities as characters.

The best way, if you upgrade from the 3.x version:
1. Download the full installer.
2. Extract the installer file, then replace the fix file above at this file location: admin.zip/includes/parser/parser.php
3. Zip the files back.
4. Upload through the Joomla installer and process the upgrade from 3.x to 4.x.
Thursday, 04 August 2016 19:26
Alright, I see.
Thanks Arlex.
Thursday, 04 August 2016 19:47
You are most welcome.

As a gentle reminder, kindly start a new thread if you have any other issue in the future so it will be easier for us to manage your inquiry. I will lock and mark this thread as resolved.
Friday, 05 August 2016 10:21