Playing Chicken With Common Sense

see the live demo at

My good friend Adnan Ahmad and I have created an open source project on CodePlex called is an ASP.NET MVC discussion forum. We want it to be unique and different from other discussion forums but still maintain the ideals of a forum. We would like it to combine the best ideas of other sites such as Stack Overflow and DIGG. Please join us and check out

Project Description

SubForum is a forum software built from scratch using ASP.NET MVC and AJAX to provide a rich Web 2.0 look and feel to a forum. The features include Search engine friendly URLs, Tags, Rich UI experience, and more.

SubForum is a combination of a Forum, QA Site, Blog, Wiki, ScreenCast, and DIGG. The Forum can be used to launch a website on any particular topic, and users should be able to browse all the content related to the topic in the form of Discussions, Questions and Answers, links to other blogs, etc. It will provide a rich content site for any site owner who wants to run a site for their product or idea.

The UI will be much richer than the traditional forum sites where there is a Category, and then discussions or threads within a category. In SubForum users can post discussions or comments and provide Tags that will help searchers narrow down the posts by tags instead of categories only.

The forum will be Web 2.0 friendly. That means it will have search engine friendly URLs, logins for different login providers, Avatars, OpenID, etc. It will also have an easy-to-customize site layout that developers and designers can build against easily. AJAX and jQuery will be used to provide a rich user interface for readers, posters and admins.

In summary SubForum will be a complete .NET based open source forum for anyone to use, beginning with .NET developers.

That is the goal and hopefully we will build a kickass discussion forum that you will love. I created a live demo of it at so you can check it out. We just started and it has a ways to go but it has turned into an astounding little forum already. Here are some screenshots to whet your appetite.





Rob Conery   United States 7/5/2009 2:54:22 PM #

XSS is not being checked for (I left 2 script bombs for you ... sorry). Please please please Html.Encode your stuff...

Phillip Jacobs   United States 7/5/2009 5:02:02 PM #

Thanks Rob...  We will code that up soon.  We are still not sure if we should use the WMD editor or something else for editing comments.

Rob Conery   United States 7/5/2009 7:08:32 PM #

Great - however know that the editor has nothing to do with XSS - it's all output. So whenever you do a <%= you should always encode it.

Phillip Jacobs   United States 7/5/2009 7:17:36 PM #

Rob. We know this. Thanks... but we are encoding it. All output is being encoded as follows:
        <%= Html.Encode(Model.BodyText) %>

It doesn't appear to be working at the moment but we are updating the code regularly and will fix this issue.

Thanks again.

Phillip Jacobs   United States 7/5/2009 7:42:00 PM #

You know who said "Html.Encode is not a silver bullet to avoid XSS"?

Tough one to figure out? :)

I think you will be pleased to know that we are adding AntiForgeryTokens to it right now.

BTW: You got a really cute family. I just became a dad recently.

Rob Conery   United States 7/5/2009 8:21:20 PM #

Thanks! Phil does a great talk with Hanselman on this very issue. Usually Html.Encode handles most things for stuff like Forums and it works just fine - but AntiXSS works great as well.

And congratulations!

Phillip Jacobs   United States 7/5/2009 8:37:45 PM #

Rob - ok...  thanks.  We are implementing that as protection...
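
The two points raised in the comments above (XSS is decided where the value is written out, and HTML encoding is not a silver bullet) can be shown in a small console program. This is an added example, not code from SubForum or from the commenters: CommentRenderer and its methods are hypothetical names, the inputs are constructed, and WebUtility.HtmlEncode stands in for the Html.Encode view helper so the code runs outside a view.

```csharp
using System;
using System.Net;

// Hypothetical helper, not part of SubForum.
static class CommentRenderer
{
    // The unencoded case: the same as writing <%= Model.BodyText %> in a view.
    public static string RenderBodyRaw(string bodyText) =>
        "<div class=\"comment\">" + bodyText + "</div>";

    // Text-node context: encode at the point of output, whatever editor produced the input.
    public static string RenderBody(string bodyText) =>
        "<div class=\"comment\">" + WebUtility.HtmlEncode(bodyText) + "</div>";

    // href context: HTML encoding keeps the value inside the attribute but does not
    // change what the URL does, so the scheme is checked against an allowlist first.
    public static string RenderLink(string url, string label)
    {
        bool allowed = Uri.TryCreate(url, UriKind.Absolute, out Uri parsed)
            && (parsed.Scheme == Uri.UriSchemeHttp || parsed.Scheme == Uri.UriSchemeHttps);
        string href = allowed ? WebUtility.HtmlEncode(parsed.AbsoluteUri) : "#";
        return "<a href=\"" + href + "\">" + WebUtility.HtmlEncode(label) + "</a>";
    }
}

static class Program
{
    static void Main()
    {
        // Constructed inputs standing in for a stored comment and a user-supplied link.
        string comment = "<script>alert('xss')</script>";
        string link = "javascript:alert(1)";

        // Raw output: the markup in the comment reaches the browser as markup.
        Console.WriteLine(CommentRenderer.RenderBodyRaw(comment));
        // Encoded output: the same comment is displayed as inert text.
        Console.WriteLine(CommentRenderer.RenderBody(comment));
        // Encoding alone in an href: the value has no characters to encode,
        // so the javascript: scheme passes through unchanged.
        Console.WriteLine("<a href=\"" + WebUtility.HtmlEncode(link) + "\">site</a>");
        // Allowlist plus encoding: the non-http(s) link is replaced with a placeholder,
        // and an ordinary link has its ampersand encoded for the attribute.
        Console.WriteLine(CommentRenderer.RenderLink(link, "site"));
        Console.WriteLine(CommentRenderer.RenderLink("https://example.com/?a=1&b=2", "site"));
    }
}
```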
