Simple Machines Community Forum

SMF Development => Feature Requests => Applied or Declined Requests => Topic started by: John Magdy Lotfy on August 07, 2017, 10:07:28 AM

Title: Running HTML/PHP Code/Scripts/Templates BBC-Code Suggestion
Post by: John Magdy Lotfy on August 07, 2017, 10:07:28 AM
Hello everybody, it'd be great to see a new BBC-Code which we might use to run a PHP/HTML code/script, not only showing the code in the post but running it.
For example: [ rhtml ]<a href="https://www.simplemachines.org" title="i have added r near to html tag to name it as running html and its the same as rphp = running php">Click me</a>[ rhtml ]
Title: Re: Running HTML/PHP Code/Scripts/Templates BBC-Code Suggestion
Post by: Illori on August 07, 2017, 10:08:34 AM
Do you want to get hacked? This is a great way to get hacked.
Title: Re: Running HTML/PHP Code/Scripts/Templates BBC-Code Suggestion
Post by: John Magdy Lotfy on August 07, 2017, 10:11:01 AM
Quote from: Illori on August 07, 2017, 10:08:34 AM
Do you want to get hacked? This is a great way to get hacked.
What do you mean??? (If you mean by using some PHP scripts to hack my own web server, then by adding a feature to customize which PHP/HTML functions are allowed or disallowed the problem could be resolved.)
Title: Re: Running HTML/PHP Code/Scripts/Templates BBC-Code Suggestion
Post by: Antes on August 07, 2017, 10:26:26 AM
I agree with Illori, it's a really, really edgy situation. I never ever see it coming as a core feature; good luck with the mod request :)
Title: Re: Running HTML/PHP Code/Scripts/Templates BBC-Code Suggestion
Post by: Arantor on August 07, 2017, 03:37:50 PM
Quote from: John Magdy Lotfy on August 07, 2017, 10:11:01 AM
Quote from: Illori on August 07, 2017, 10:08:34 AM
Do you want to get hacked? This is a great way to get hacked.
What do you mean??? (If you mean by using some PHP scripts to hack my own web server, then by adding a feature to customize which PHP/HTML functions are allowed or disallowed the problem could be resolved.)

Whatever system you come up with to check what's allowed, I guarantee you I can figure out a way past it.

As for HTML, there is the HTML bbcode which is admin only because if it weren't, I could use it as a regular member to steal your cookies. And before you say that you'd only allow some HTML, again, whatever you come up with, I could find a way through it.

Bad idea all round, really. It's why forum bbcode even exists, because HTML is hard to secure when users can add their own content.
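
The design the post above describes, as an added example that is not part of the original thread and is not SMF's own parser: the whole post is escaped first, and the renderer then emits only markup it generates itself for a fixed tag set. The function names, the tag set and the sample posts are assumptions made for this illustration.

```php
<?php
// Added illustration, not SMF code. Names and the supported tag set are assumptions.

function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Callback for [url=...]label[/url]; receives text that is already escaped.
function render_url(array $m): string
{
    // Decode once to inspect the URL exactly as the user typed it.
    $url = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
    // Allow only http(s) and refuse whitespace, quotes, angle and square brackets.
    // \z (not $) so a trailing newline cannot slip through.
    if (!preg_match('~^https?://[^\s"\'<>\[\]]+\z~i', $url)) {
        return $m[0]; // rejected: the tag stays visible as harmless escaped text
    }
    return '<a href="' . esc($url) . '" rel="nofollow noopener">' . $m[2] . '</a>';
}

function render_bbcode(string $post): string
{
    // 1. Escape everything: no user-supplied <, >, & or quote reaches the page raw.
    $html = esc($post);
    // 2. Links first, with a label that contains no tags, so an href value
    //    can never receive markup generated by the later steps.
    $html = preg_replace_callback('~\[url=([^\]]+)\]([^\[]*)\[/url\]~i', 'render_url', $html);
    // 3. Fixed tags map to fixed elements; users never choose element or attribute names.
    //    Tag balancing is out of scope for this sketch.
    $html = preg_replace('~\[b\](.*?)\[/b\]~is', '<strong>$1</strong>', $html);
    $html = preg_replace('~\[i\](.*?)\[/i\]~is', '<em>$1</em>', $html);
    return $html;
}

// Constructed sample posts.
$posts = [
    '[b]Hello[/b] and [i]welcome[/i]',
    '[url=https://www.simplemachines.org]Click me[/url]',
    '<a href="https://www.simplemachines.org">Click me</a>',  // raw HTML: shown as text
    '[url=javascript:alert(1)]Click me[/url]',                // non-http scheme: left as text
];

foreach ($posts as $post) {
    echo render_bbcode($post), PHP_EOL;
}
```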
Title: Re: Running HTML/PHP Code/Scripts/Templates BBC-Code Suggestion
Post by: 青山 素子 on August 08, 2017, 01:26:14 AM
While you can try whitelisting rather than blacklisting, allowing any kind of raw PHP in a forum post is a serious security issue. I can't see this ever becoming a core feature due to just how difficult it is to implement safely, if such a thing is even possible.
Title: Re: Running HTML/PHP Code/Scripts/Templates BBC-Code Suggestion
Post by: Arantor on August 08, 2017, 02:42:14 AM
It isn't possible. There are way too many ways to get around even whitelists, when things like variable functions come into play.
Title: Re: Running HTML/PHP Code/Scripts/Templates BBC-Code Suggestion
Post by: Steve on August 08, 2017, 07:54:22 AM
In other words John, it's not going to happen. Sorry.