[html]-BBCode filters javascript

Started by qc, May 04, 2016, 09:57:29 PM


qc

The [html]-BBCode available to SMF administrators is very useful for quickly adding rich content to topics. As an administrator on my site, I would like to include a few scripts, too, but this seems not to work (only locally hosted scripts can be included via <script src="/local.js">). Attaching event handlers to HTML elements via onClick="..." is also not possible.

Is there a reason for denying administrators the ability to include remote or inline scripts as well as inline event handlers?
Playing quizduell? Having quizduell questions? Our german quizduell forum quizcommunity.de is looking for quiz freaks to come and play quizduell with us :)

nend

I don't think it is intentional but more of the parsing of the post message when it is submitted to the database. This is there for security purposes and it changes certain characters to make them safe. However, in embedding HTML this may have some negative effects and put some limitations on what you can achieve with this tag.

Take for example my custom BBC here.
// Two custom BBC definitions (entries for SMF's $codes array in parse_bbc).
array(
    'tag' => 'eval',
    'type' => 'unparsed_content',
    'content' => '$1',
    // create_function() is deprecated since PHP 7.2 and removed in PHP 8.0.
    'validate' => create_function('&$tag, &$data, $disabled', '
        if (!isset($disabled[\'eval\'])) {
            // Restore the brackets the parser encoded, then eval the PHP inside the tag.
            $data = str_replace(array("&#91;", "&#93;"), array("[", "]"), $data);
            $data = @eval(str_replace(array("\r", "\n", "<br />", "&nbsp;"), " ", un_htmlspecialchars($data)));
        } else {
            $data = \'\';
        }'),
    'disabled_content' => '',
),
array(
    'tag' => 'head',
    'type' => 'unparsed_content',
    'content' => '$1',
    'validate' => create_function('&$tag, &$data, $disabled', '
        if (!isset($disabled[\'head\'])) {
            global $context;
            // Undo the parser encoding and append the raw content to the page head buffer.
            $data = str_replace(array("&#91;", "&#93;", "<br />"), array("[", "]", "\r\n"), $data);
            $context[\'ob_headers\'] .= str_replace(array("\r", "&nbsp;"), " ", un_htmlspecialchars($data));
            //$data = \'<script type="text/javascript">$("head").append("\'.html_entity_decode($data).\'");</script>\';
        }
        // The tag itself renders nothing in the post body.
        $data = \'\';
    '),
    'disabled_content' => '$1',
    'block_level' => true,
),


Had to do a little processing to get this to work and it still doesn't work perfectly. However I do know the limitations and can adjust. I can do some evals and anything more complicated I would have to include an external file, example, http://www.sicomm.us/t/53/.

However my case was on the more extreme side and to be on the safe side, whatever code is calling the function has to pass credentials to the BBC parser for the poster. Yeah, a little bit of source edits, but if no credentials then that BBC is off limits.

Don't use any of the code above because I didn't include the security part of it.  ;)

qc

Quote from: nend on May 04, 2016, 10:34:49 PM
whatever code is calling the function has to pass credentials to the BBC parser for the poster.
Haha, that's freaky ;D

Actually, I just found a way around the javascript restrictions by posting e.g.

[​html]<body onload="[/html][​html]alert(1)"></body>[/html]

which then evaluates to

<body onload="alert(1)"></body>

Also a bit freaky, though ???
Playing quizduell? Having quizduell questions? Our german quizduell forum quizcommunity.de is looking for quiz freaks to come and play quizduell with us :)
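The following PHP is an added illustration of what qc reports above: it is example code written for this page, not SMF's parse_bbc and not nend's BBC. It contrasts a filter that inspects each [html] fragment on its own (the situation a per-tag validate callback is in) with a check run on the final rendered markup. The function names filter_html_fragment, render_post and final_output_is_clean are assumed for the example, the two post strings are constructed, and it needs PHP 7.4 or later for the arrow function.

```php
<?php
// Added example (not SMF code): a per-fragment [html] filter versus a check on
// the final rendered output. All function names are assumptions for this example.

/**
 * Per-fragment filter, modelling what a BBCode validator sees: the content of
 * one [html]...[/html] tag at a time. Removes complete inline event-handler
 * attributes and remote <script src> elements (quoted attribute values only).
 */
function filter_html_fragment(string $fragment): string
{
    // Drop on*="..." / on*='...' attributes that are complete inside this fragment.
    $fragment = preg_replace('/\s+on\w+\s*=\s*("[^"]*"|\'[^\']*\')/i', '', $fragment);
    // Drop <script src="..."> elements whose src does not start with a local path.
    $fragment = preg_replace(
        '/<script\b[^>]*\bsrc\s*=\s*["\'](?!\/)[^"\']*["\'][^>]*>.*?<\/script>/is',
        '',
        $fragment
    );
    return $fragment;
}

/** Renders a post: each [html]...[/html] fragment is filtered on its own, then joined. */
function render_post(string $post): string
{
    return preg_replace_callback(
        '/\[html\](.*?)\[\/html\]/is',
        fn (array $m) => filter_html_fragment($m[1]),
        $post
    );
}

/**
 * Check on the joined output: true when no tag carries an inline event handler
 * and no <script> loads from a non-local src (quoted values only).
 */
function final_output_is_clean(string $html): bool
{
    if (preg_match('/<[^>]*\son\w+\s*=/i', $html)) {
        return false;
    }
    if (preg_match('/<script\b[^>]*\bsrc\s*=\s*["\'](?!\/)/i', $html)) {
        return false;
    }
    return true;
}

// Constructed inputs: one handler inside a single tag, one split across two tags.
$single = '[html]<body onload="alert(1)"></body>[/html]';
$split  = '[html]<body onload="[/html][html]alert(1)"></body>[/html]';

foreach ([$single, $split] as $post) {
    $html = render_post($post);
    printf("%s\n  -> %s\n  clean: %s\n", $post, $html, final_output_is_clean($html) ? 'yes' : 'no');
}
```

Run it from the command line with php. The per-fragment filter strips the handler from the first post, but in the second post neither fragment contains a complete on*="..." attribute, so both pass through unchanged and the join reproduces <body onload="alert(1)"></body>; only the check on the rendered result flags it. The practical point for an admin-only tag is to validate the output of the whole render, not the content of each tag in isolation.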

Kindred

I wouldn't actually call this a bug, per se... More of a limitation.

And one that most admins would never encounter, since most admins don't know diddly about JavaScript... (And, I would argue that JavaScript really does not belong in posts)
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."
