Hugo <Nabble> wrote
This is a good question. I think BBCode is cleaner and safer. The problem of HTML is that people try to inject JavaScript and other harmful code into pages and we don't want to keep fighting such attempts. So maybe we could start with a simple BBCode language and expand it as needed. Do you agree?
What do you mean by "harmful" code?
I do think BBCode is more secure than trying to clean HTML. Blacklists for HTML are almost never 100% waterproof, just because there are so many variations. By using BBCode, everything that wasn't handled correctly by the parser will simply be spit out as its BBCode, e.g. [script] is harmless. Making the same mistake with cleaning HTML would produce <script>.
Academically it could be just as secure, but when you consider that there might be bugs in software (and there always are), BBCode provides an extra fallback.
That doesn't make it pretty though, therefore I would still stick with HTML.
Never argue with an idiot, they drag you down to their level and then beat you with experience.
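The fallback behaviour described in the post above, as an added example that is not part of the original thread and not Nabble's code: a minimal BBCode renderer that escapes HTML first, next to a blacklist cleaner whose list is deliberately incomplete. The tag whitelist, the blacklist contents and all function names are assumptions made for the illustration.

```python
import html
import re

# Constructed whitelist for this example: BBCode tag -> HTML element.
ALLOWED = {"b": "strong", "i": "em", "u": "u"}

_BB_TAG = re.compile(r"\[(/?)([a-zA-Z]+)\]")


def render_bbcode(text):
    """Escape all HTML first, then turn whitelisted BBCode tags into HTML."""
    escaped = html.escape(text, quote=True)

    def swap(match):
        closing, name = match.group(1), match.group(2).lower()
        if name in ALLOWED:
            return "<%s%s>" % (closing, ALLOWED[name])
        return match.group(0)  # unhandled tag: stays as literal BBCode text

    return _BB_TAG.sub(swap, escaped)


# Deliberately incomplete blacklist: "script" was forgotten (the mistake).
BLACKLIST = ("iframe", "object")


def clean_html_blacklist(text):
    """Blacklist cleaner: strips listed tags, passes everything else through."""
    pattern = r"</?(?:%s)\b[^>]*>" % "|".join(BLACKLIST)
    return re.sub(pattern, "", text, flags=re.IGNORECASE)


def has_live_markup(output, element):
    """True if the output contains an actual opening tag for `element`."""
    return re.search(r"<%s\b" % re.escape(element), output, re.IGNORECASE) is not None


# Constructed sample post mixing a handled tag, an unhandled tag and raw HTML.
SAMPLE = "[b]hi[/b] [script]x()[/script] <script>x()</script>"

if __name__ == "__main__":
    print(render_bbcode(SAMPLE))
    print(clean_html_blacklist("<b>hi</b> <script>x()</script>"))
```

The renderer fails closed because markup is only ever created from the whitelist, while the blacklist cleaner fails open for anything its list does not name.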