
Enabling full HTML in posts

Started by Mari-chi, December 22, 2010, 10:02:46 PM


Mari-chi

Hi,

I enabled HTML, but it said something about it being "limited" or "restricted" or something along those lines. Is there any way (perhaps a mod?) that allows me to enable regular HTML posting in the WYSIWYG editors for regular members? And what exactly do the   tags do?

Arantor

The html bbcode allows you as an administrator to post literally any HTML. It is restricted to administrators only for security reasons, like the fact you could very easily introduce malware scripts right into your forum otherwise.

Allowing regular HTML posting on a general forum is actually a very bad idea for this reason. What HTML were you hoping to allow them to post?

Mari-chi

Well, just anything really; some of our site members are coders, and like to make plot pages which involves HTML with inline styling. Do you know of a way to enable HTML posting for all members?

Arantor

Oh, I could probably do it pretty trivially by removing the check in Subs-Post.php which looks for [html and removing that test/preg_replace, but I really can't go into detail; I simply do not encourage doing it because IMO it's dangerous to allow raw code posting on your forum to non-admins. I'd hate to think that *a random person* could post any Flash, Java, Javascript, or indeed anything else web-accessible into your forum.

Mari-chi

Just curious, because I've heard it very often--what are the security risks that come with being able to post HTML on a forum? For example, Yuku allows it, and I've been with them for over a year and a half and found no problems at all. (Yuku is a forum company kind of like InvisionFree or Proboards.)

IceXaos

Well, you simply allow HTML and they can use Javascript which has the ability to download without being visible. They could also use a simple meta tag and have you redirected to any number of sites including browser exploits, pornography, etc. Really, it's not suggested to allow it unless you have a private community in which each and every person with the ability can be trusted.

KTT Robot

You allow HTML, I can get admin access on your forum.

That's what.

Arantor

I don't know any site that allows regular users to post fully raw, unvetted HTML, which is what the html bbcode enables. Other systems, like Yuku will filter the HTML, because it's allowed by default. Like most forum packages, SMF takes a more restrictive, safer route.

On the tamer end, this would allow users to post multiple blocks of AdSense ads on the page which could mean an AdSense account getting shut down for violating the TOS (since AdSense only allows 3 units per page, it wouldn't be hard to break that if raw posting is possible).

Let's see, though, what else could be done... how about adding some Javascript to the page to silently swipe your session details and hijack your account? Trivial example, but given that this can be done in... 4 lines of code, you see my point. Especially if it happens to hijack your account as the administrator because you viewed the post. (There are precautions built in against full account hijacking, mind, but certainly it would be easy to spam the forum using your own account. And even the precautions can be broken down with a little more care - so as KTT Robot says, admin access is entirely possible.)

Or induction of drive-by download malware via vulnerabilities in the browser which can be exploited through Javascript? There are an awful lot of those floating around at the moment.

Those are just a few practical, observed examples of what could be done.

Mari-chi

I'd nearly forgotten all about this thread; my apologies for not responding. :(

Those examples sound scary. >-< Since I was always able to use HTML at Yuku, it had never occurred to me that someone could do all those things. Is it possible to, say, enable html, but not other things? Ex. at Yuku, we were allowed html, but not dohtml or javascript--or anything else for that matter.

Arantor

Not in SMF by default, and not without a serious amount of work.

You see, it's much (much much) easier to assume it's dangerous and only allow the specific bits you want to use, which is what bbcode effectively does - it screens out all HTML, stores it in a format that prevents it being used in a dangerous way, and specifically has to re-enable it for the html bbcode.

Writing a filter to work the other way around is inherently less secure and MUCH easier to break through. I would point out that the very last patch (3.0.4) to WordPress was because of a vulnerability in their HTML processor allowing nasty stuff through, and I'm pretty sure that just about every one of the sites that allows raw HTML for general use has had it abused at least once.
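The allowlist approach described in the post above (escape all HTML, then re-enable only specific bbcode tags) as a small Python sketch; this is an added example, not SMF's own Subs-Post.php code, and the tag set, the `[url=...]`-only link form and the http/https scheme rule are assumptions made for the illustration:

```python
import html
import re
from urllib.parse import urlparse

# Allowlist: the only bbcode tags that become HTML. Anything else the user
# types, including raw HTML, is escaped and rendered as literal text.
SIMPLE_TAGS = {"b": "strong", "i": "em", "u": "u"}
ALLOWED_URL_SCHEMES = {"http", "https"}

# Only the [url=...] form is supported in this sketch (assumption).
_TAG_RE = re.compile(r"\[(/?)(b|i|u|url)(?:=([^\]]*))?\]", re.IGNORECASE)


def _safe_href(raw):
    """Return the URL if it has an http(s) scheme and a host, else None."""
    candidate = raw.strip()
    parsed = urlparse(candidate)
    if parsed.scheme.lower() in ALLOWED_URL_SCHEMES and parsed.netloc:
        return candidate
    return None


def bbcode_to_html(text):
    """Render a restricted bbcode subset to HTML; escape everything else."""
    out, stack, pos = [], [], 0        # stack keeps open tags properly nested
    for m in _TAG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))   # text between tags
        pos = m.end()
        closing, name, arg = m.group(1) == "/", m.group(2).lower(), m.group(3)
        if closing:
            if stack and stack[-1] == name:
                stack.pop()
                out.append("</a>" if name == "url" else f"</{SIMPLE_TAGS[name]}>")
            else:
                out.append(html.escape(m.group(0)))   # stray close: show literally
        elif name == "url":
            href = _safe_href(arg or "")
            if href is None:
                out.append(html.escape(m.group(0)))   # disallowed scheme: literal
            else:
                stack.append(name)
                out.append(f'<a href="{html.escape(href, quote=True)}" rel="nofollow">')
        else:
            stack.append(name)
            out.append(f"<{SIMPLE_TAGS[name]}>")
    out.append(html.escape(text[pos:]))
    while stack:                                      # close anything left open
        name = stack.pop()
        out.append("</a>" if name == "url" else f"</{SIMPLE_TAGS[name]}>")
    return "".join(out)
```

Because the default path is "escape", a typed `<script>` tag or a `javascript:` link never reaches the browser as markup; a denylist filter would have to anticipate every such case instead.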

Mari-chi

Hmm I see.

Now that you mentioned it, Yuku (formerly known as ezBoard) had their servers hacked back in... 2004? 2005? Around then. I wasn't using their forums back then, but I heard a hacker wiped out their entire servers along with their backups (they apparently decided it was a fantastic idea to store their backups in the same servers as the forums).

Thanks for putting up with my nosy questions. XD

Arantor

Not a problem :)

That incident you mentioned is likely a different breed of vulnerability, in reality, but the consequences we've outlined above are entirely possible to achieve. It might be possible to leverage access to a privileged account through an HTML compromise, but it's normally difficult/impossible to gain full system access through that. Mind you, what could have happened - depending on the system - is that the HTML let in an SQL injection which trashed the database... full system access might not have happened, but wiping out the database is not so uncommon.

Specifically, http://xkcd.com/327/
