[tom.mccabe]

Hey everyone. I believe there’s a security flaw within BBPress that allows for any forum user to insert JavaScript into their posts. For instance, the following code replaces instances of “oldStuff” with “newStuff”:

[img]http://www.whatever.net/forums/bb-admin/images/blank.gi” style=”display:none;” onerror=”this.parentNode.parentNode.parentNode.parentNode.parentNode.innerHTML = this.parentNode.parentNode.parentNode.parentNode.parentNode.innerHTML.replace(/oldStuff|onerror/g,’newStuff’);[/img]

What are the patching instructions? Thanks.

[_ck_]

All your current benchmark proves is that bbPress will be slower for 20 concurrent connections over 1000 passes, where no-one is logged in and the content never changes.

What I am saying is that’s not how people run forums, you need a more realistic benchmark, which I know from experience is going to be tricky to code.

bbPress 0.9 will be faster than what you have shown by about 50% and then with content caching it will compete fairly against the others.

Apachebench is not dynamic enough to prove real-world usefulness and barebones bbpress out-of-the-box is certainly not setup for a large site. But with plugins it certainly can be. There are some reasonably large sites on the Top 100.

[tpack]

I did this in my footer.php of my Kakumei theme.

Find your theme folder. E.g. /forums/bb-templates/YOUR-THEME/footer.php.

Edit footer.php code:

<div id=”footer” role=”contentinfo”>

<p><?php printf(__(‘%1$s is an online discussion site of the YOUR-DOMAIN.com‘), bb_option(‘name’), “http://YOUR-DOMAIN.com&#8221;) ?></p>

[ckwalsh]

Um, wow. I’ll admit I’m quite astounded and I’m not quite sure what to say, but I’ll try.

Actually the PHP version kinda proved my point about content caching.

It’s taking 3-4 ms.

The front page index on most of those forums is taking 20-25ms

Uh… no they aren’t. http://bb-bench.com/benchmark/1#section_p_index

That’s impossibly fast, it definitely means content is not being regenerated. If the cache was defeated it would have to re-render the whole thing and the page time would be significantly higher.

No, it’s not impossibly fast. I have not perused the code of most systems, but I can guarantee phpBB does not cache the output of its pages. They are retrieved every page load. Sure, there is a caching system in place, but it doesn’t catch the output of a page, only stores a few variables that don’t even improve performance particularly. As for caching at the apache level, you would see a much bigger difference in speed than you do see. Without special configuration, apache should never cache the output of a php page, since that would entirely defeat the purpose of a dynamically generated page.

Caching page output is near impossible for forums in general, due to forum permissions and session specific information. It would be kind of bad if my “One private message unread” were cached for you. The only other form of caching is the sql cache, which is contained entirely within MySQL, and is automatically activated for all queries, regardless of software.

bbPress doesn’t even save the tag cloud between pages, it will re-render it each and every time, which is at least 1/4th of the page render time (that can be changed via a plugin).

Sounds like that’s a big area for bbPress to improve. But it still doesn’t make the result invalid: bbPress is slower.

So 265ms vs 78ms

bbPress 0.9 is “only” 187ms slower than statically served PHP.

Do your math again. It’s 260ms slower than a static page. It’s still damn slow, and if someone installs bbpress and *pick another board* side by side, the bbpress one will not perform better. While technically correct, it does nothing to affect the overall results.

@ckwalsh, Your benchmarks are incorrect this way. _ck_ is right about it

Can you please paraphrase what his arguments are, and perhaps add a little bit more? I’m getting the feeling that you posted here to support _ck_ since the results I found were unfavorable to bbPress, and you don’t have anything to add, or even understand the discussion. Not to say I only want to talk to experts, but blind bandwagonning always frustrates me on the internet.

Basically I’d want to see a simulated load with logged in users being served different content – ie. unread posts for different users

Certainly apache bench isn’t perfect, however, it does show the relative performance of those 3 pages, which are almost guaranteed to be responsible for the majority of requests to a forum. I have been considering how to build a better tool, but have not gotten a chance to do so yet.

But plugins can still do content caching themselves. For example I realized awhile back that the Hot Tag cloud that bbPress renders is taking at least 1/4th of the total page render time, and it does it each and every time, regardless if there are new tags added or deleted. So my Hot Tags Plus plugin caches the tag cloud as static html (as well as add many other features to it at the same time).

If you think that will drop load time, it seems to be something anyone can add – I’d certainly be willing to install it for my tests.

Overall, you seem to be upset that bbPress performed so badly, leading you to say the benchmark is wrong. While it isn’t perfect, what it does show it shows rather precisely. In the current state of forum software, bbPress does appear to have a long way to go. It doesn’t matter if it was rewritten. It doesn’t matter if it doesn’t have caching (if so, that is a failure of bbPress, not an unfair advantage to other software). When comparing the same functionality between software, those are the results, like them or not.

[Ashish Kumar (Ashfame)]

the new blog tables is just left as it is, you can delete that if you want.

you can even specify the user tables to be used while installing.

this is how it is done in wp-config.php –

define('CUSTOM_USER_TABLE','new_user_table');

define('CUSTOM_USER_META_TABLE', 'new_usermeta_table');

those two lines should be in that WP whose user tables you want to change.

like my initial has a wp_ prefix, then in the new installation, which has something different (lets say wp1_ or anything), put the lines in wp-config.php

define('CUSTOM_USER_TABLE','wp_users');

define('CUSTOM_USER_META_TABLE', 'wp_usermeta');

[_ck_]

quick ‘n’ dirty test: ab -c 20 -n 1000

bbpress 1.1

.             min  mean[+/-sd] median   max

Total:         46  458 117.9    453    1250

bbpress 0.9 (with $bb->load_options=true;)

.             min  mean[+/-sd] median   max

Total:         46  275  90.6    265     890

453ms vs 265ms (or 458 vs 275)

So, I’d expect I’d see around a 50% improvement on your box on 0.9

now – vs static cache content simulation:

bbPress 0.9 front page html saved as static.php

and <?php $test=1; ?> put at top to force PHP parser to turn on

.             min  mean[+/-sd] median   max

Total:         15   75  14.3     78     109

So 265ms vs 78ms

bbPress 0.9 is “only” 187ms slower than statically served PHP.

In a nutshell:

.             min  mean[+/-sd] median   max

bbpress 1.0:   46  458 117.9    453    1250

bbpress 0.9:   46  275  90.6    265     890

static PHP     15   75  14.3     78     109

[VirtualityStudio]

I think it is gravatar, although I uploaded a custom default gravatar that is local and the users avatars will be saved locally as well.

[VirtualityStudio]

i tried one of the avatar plugins, but haven’t had much success with it. is there a way to change the default avatar… either via the code or is there a plugin that actually works?

thanks much!

[_ck_]

I look forward to a static page for comparison on your graph.

It will prove what I am saying about content caching.

I have a test SMF install handy and I can see it uses less than a half-dozen queries on a 2nd page load which is a dead giveaway there is caching – I am sure every other 3rd gen forum package has it too. You have APC running and I know that SMF also takes advantage of that, so probably do others.

bbPress never got content caching because Matt keeps having the core re-invented every couple years (backpress and now as WP plugin) so we keep getting back to square one for advanced features. Don’t be confused by versions 0.9 is a different program than 1.0 and 1.2 is a completely different program than 1.0 or 0.9 (that’s Matt’s fault).

So I still insist this isn’t a fair comparison.

But bbPress 0.9 should be about halfway between the 1.x and other forum software (ie. 50% faster) 0.9 will be continued to developed independently, so it’s worth benchmarking.

If you are willing to put a couple of tweaks in the bb-config with 0.9 I think we can get a little closer to the rest of the pack at the bottom, ie.

$bb->load_options = true;

off the top of my head (note that does nothing in 1.0)

[_ck_]

I already know from my own benchmarks that 0.9 in many cases is 50% faster than 1.x, if only because it loads 50% less code, not to mention fewer queries out of the box.

But as nice of an ideas as it is, your benchmark really cannot compare apples to apples.

ALL the other forums you have listed already use a page cache, in part or whole, which is why they have such high numbers.

What your benchmark should do is attempt to DEFEAT any page caching the forum is doing by generating new posts BEFORE every page load.

ie. POST / READ / POST / READ / POST / READ / POST / READ

The next version of bbPress will very much need a page cache just like most buddypress sites desperately need as they are very sluggish (because of the WordPress core).

A few people have successfully deep integrated bbpress with wordpress and then used an exisiting wordpress page cache. That would give similar numbers to what you have posted for other forums.

[Ashish Kumar (Ashfame)]

A fork of the legacy version is on its way. Its runs very fast as compared to the 1.0 v and supports a large number of plugins.

Trust me you won’t want to miss this in your benchmarks. I won’t be surprised if it topped the chart

[mr_pelle]

Those plugin are way too old!

I use:

if ( $avatar = bb_get_avatar( bb_get_current_user_info( 'id' ), 80 ) ) {

echo $avatar;

unset( $avatar );

}

[minervaa]

*Happy?*

Yap ! this time it’s working perfectly! Thanks a ton to both of you.

That means using this plugin, no html is supported at all on the topics?

Is it possible to improve this plugin a little bit as –

1. It will allow admin to post any clickable links(including outgoing) on the the topics

2. It will allow anyone to post clickable links ONLY when the link is from the same domain as the forum? (internal links)

To give an example, lets say this plugin is activated in bbpress.org.

A member post a topic saying

“Buy cheap Viagra from http://www.cheapest-vira-xyz.info&#8221; <– this link would be plain text.

“A member post a topic saying “Has any one got this working? https://bbpress.org/forums/topic/cant-switch-themes-in-081&#8221; <– this link would be clickable

again if any member post a topic saying “have you read this bbPress blog here ? https://www.bbpress.org/blog/latest/bla-bla-bla-bla&#8221; <– this link would be clickable as they are from the same domain as the forum

If the above functions can be implemented on this plugin, that would be a brilliant tool to put off most of the spammers.

[zaerl]

bb_uri('forum.php?id=' . forum_id() . '#postform');

[damagegroup]

Chrishajer! i need help… how do i hard code this file?..i dont have any coding experience this is my problem

damagegroup.com/wp1/forum

please help!

[zaerl]

<?php

/*

Plugin Name: zaerl No HTML

*/

function za_nh_allow_tag($tags) {return array();}



add_filter('bb_allowed_tags', 'za_nh_allow_tag',999);

remove_filter('post_text', 'make_clickable');

?>

Happy?

[_ck_]

Unfortunately that plugin isn’t working in my bbPress 0.9.0.6

Does any one else have any other solutions?

You need to post far more details about what you are trying to do and what exactly is “not working”.

In theory that plugin should work fine and you can even make it conditional so admin can post html code but not members.

Not sure why he does it after bb_init, so try it plain like this.

<?php

/*

Plugin Name: zaerl No HTML

*/

function za_nh_allow_tag($tags) {return array();}

add_filter('bb_allowed_tags', 'za_nh_allow_tag',999);

?>

Should be all you need.

[_ck_]

bbPress 0.9 is just about to break 150k downloads

(that may include all previous versions too, I am uncertain if it was reset after 0.

bbPress 1.x has been downloaded over 121k times!

_ck_ plugins this weekend will break the 100k total downloads mark!

These are the top 10 _ck_ plugins:

bbPress Signatures

BBcode Lite

bbPress Smilies

Human Test

BBcode Buttons

bbPress Attachments

bbPress Polls

Hidden Forums

Post Count Plus

Topic Icons

[minervaa]

Just get working the meta description generator using Kawauso’s code on topic posts.

Although it seems it garbled the forum home page description so I am guessing that has to be done manually.

It also take tags as keywords (if provided)

[kevinjohngallagher]

It depends on what you’re after.

If your forum needs a specific Mobile version, then you’ll need to scout around.

If your forum needs a specific mobile stylesheet/theme, then creating one for bbPress is very simple, but there isn’t a public one out there that I know of.

Forums are tricky things. Worth it, but tricky.

Define your requirements, whats a must have and a nice to have, and you can make a decision alot easier that way

[zaerl]

I am not a professional programmer but I think if we can change the code (maybe on post.php file?) where it says “make” http:// and www. texts to hyperlink, maybe it will work?

One question, one topic.

[minervaa]

**Keep in mind that, obviously, it is not retroactive. Preexisting posts aren’t affected.**

Yap I know that, I posted few new posts (by non admin member) just to test it

I am not a professional programmer but I think if we can change the code (maybe on post.php file?) where it says “make” http:// and www. texts to hyperlink, maybe it will work?

Just a thought by the way

[chrishajer]

There is no forum there http://noclassifieds.net/forum/

[~]$ curl -I http://noclassifieds.net/forum/

HTTP/1.1 404 Not Found

Date: Thu, 02 Sep 2010 15:28:49 GMT

Server: Apache

X-Powered-By: PHP/5.2.14

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: PHPSESSID=h1rjpi92bf0u5i0lh6tnrrvmu0; path=/

Vary: Accept-Encoding

Content-Type: text/html

[_ck_]

Nothing is over unless you don’t know how to code and are in a rush.

bbPress is very stable and very fast and there are literally ten thousand sites using it.

Every month that goes by you’ll simply have more options.

[Gautam Gupta]

LOL x 2