
How to make a page break in the Board description?

Started by DenDen60, February 14, 2015, 04:06:35 PM


Kindred

What trend??

We are actually removing options from 2.1..  So the trend is actually toward giving FEWER configuration options, most especially ones that can and do get misused.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Steve

Which brings us right back to my point of protecting people against themselves.
DO NOT pm me for support!

DenDen60

Quote from: Kindred on February 16, 2015, 09:30:38 PM
What trend??

We are actually removing options from 2.1..  So the trend is actually toward giving FEWER configuration options, most especially ones that can and do get misused.

I was thinking about the trends in general in the software world.

DenDen60

Quote from: Steve on February 16, 2015, 09:50:03 PM
Which brings us right back to my point of protecting people against themselves.
There should be a separation between parenthood and being a developer. ;-)

DenDen60

From my point of view, and because we live in societies where we are free, it should be a choice.

Here is how I use this option. http://citizensandsocieties.net/NA-USA/index.php?action=forum

I don't see how this is problematic.


Arantor

And therein lies the problem. You do not understand everything that is involved so the freedom to choose is actually unhelpful in your case because you cannot make an informed choice without understanding the consequences.

Allowing HTML the way that box does is dangerous. It has been reported as a security vulnerability multiple times, because it is, the way it is set up. But you don't see that, you only see the part of it that benefits you and think it should remain as a facility because it benefits you. You do not know of the downsides attached to it. Like how someone with the ability to manage boards - doesn't even have to be a full admin - could use that power to hijack your account. Yes, that is what we are really talking about here.

DenDen60

Quote from: Arantor on February 19, 2015, 12:59:58 AM
And therein lies the problem. You do not understand everything that is involved so the freedom to choose is actually unhelpful in your case because you cannot make an informed choice without understanding the consequences.

Allowing HTML the way that box does is dangerous. It has been reported as a security vulnerability multiple times, because it is, the way it is set up. But you don't see that, you only see the part of it that benefits you and think it should remain as a facility because it benefits you. You do not know of the downsides attached to it. Like how someone with the ability to manage boards - doesn't even have to be a full admin - could use that power to hijack your account. Yes, that is what we are really talking about here.

So, let the forum administrator decide. Don't try to protect people from themselves. It is not your job. Your job is to develop a great software, which it is by the way  :) and make sure that the coding is well done and that there are no security breaches in the coding itself. If a forum gets hacked because the forum administrator left the password strength at 4, or installed a MOD someone else did, then this is his fault, not yours.

Here is a thought, why not view this as a MOD. I am sure that you won't decide to forbid MODs in the future. That you will let forum owners decide if they want to use MODs and which MOD they will use. So if you feel this is a problematic issue, turn it off, like the Karma or the advanced profile, and if the owner wants it, he will turn it on.

Steve

Quote from: Denis Pageau on February 19, 2015, 07:43:15 AM
It is not your job.

I personally don't understand this thinking. We're going in circles but who says it's not the developer's job? Admittedly I have experience with only two well-known forum software suites but neither allows what you want for the very reasons outlined so far.

According to your way of thinking, developers should let admins be allowed to open any security hole avenue they wish.

I realize you're only talking about one function but if you allow one, why not others?

Kindred

Actually... as Steve suggests...  it **IS** our job to make our software as secure as possible.

and yes, often that includes specifically removing functions which SOME admins might find useful.

The difference between Karma or advanced profiles and this is that neither of those is actually a potential security issue waiting to happen.

Give it up Denis, in this case you are just plain wrong.

DenDen60

Quote from: Kindred on February 19, 2015, 10:28:12 AM
Actually... as Steve suggests...   it **IS** our job to make our software as secure as possible.

Maybe so, but this should be for the backend, not the frontend.

And it is because we are talking about the frontend that I am not plain wrong. If it would be the backend I would not be arguing.


Kindred

and that statement, right there, proves that you don't understand at all.

It is our job to secure the software. This means both front and back end...   (and the modify boards section IS the backend)

DenDen60

Quote from: Kindred on February 19, 2015, 01:37:56 PM
and the modify boards section IS the backend.

Then we don't have the same definition of the backend. :-(

If this would be the backend, I would not be even able to create a category or a board. Since I need to create it to build my forum, because that is not your job but mine, it has to be the frontend.

Anyway, enough said. You think you're right and I think I am right. I just hope that the development team, I hope it is not just you and Arantor  :) , will take a decision and consider this a "midend"  8) and make the appropriate decision(s) so both the need for forum owner control and the developer need to make the software secure are met.

Steve

As Kindred is the Project Manager I'm thinking he makes the final call. ;)

Kindred

Denis, for someone of your experience, you seem to have a very skewed view on websites in general...

Frontend is the part exposed to users who view your site.
Backend is the part that the admins use to configure the site and site settings.

So, the entire admin section is the backend.

I actually have no idea what other meaning you could be applying to the term backend...


As for the developers, we value our security record and take the security of our system very seriously...I am fairly certain that they will side with me in this for the reasons already explained.

DenDen60

That is why I wrote let's:

Quote
consider this a "midend"

For me you do the backend and I do the frontend.

For my users they view the frontend and I do the backend. And to be able to attract my users and increase their engagement, I need to be able to manage the way my categories and boards look and how they work, so I need some flexibility. If you take out the option of using HTML you are taking this away from me and my board will be dull.  :(


Kindred


DenDen60

And that is your prerogative as it was my prerogative to share my thoughts as a user on the impact this action will have on our ability to give personality to our forums.

With which version will this option be taken out?

Kindred

Not sure. Seeing as it is actually a security issue, it could be removed with 2.0.10

live627


Arantor

Actually I wouldn't encourage using bbcode for performance (same reason it wasn't handled that way before)

OTOH using something like HTML Purifier might be a valid option, but since that enforces correctness it might make more issues than it solves.
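The trade-off discussed in this thread (line breaks and simple formatting in a board description without rendering raw HTML from anyone who can manage boards) can be sketched as an escape-then-allowlist filter. This is an added example, not SMF's code and not written by any poster here; the function name `sanitize_board_description` and the tag list are assumptions.

```php
<?php
// Added example, not SMF code: function name and tag list are hypothetical.

/**
 * Escape the whole description, then re-enable only attribute-free
 * formatting tags. Everything else stays inert text in the page.
 */
function sanitize_board_description(string $raw): string
{
    // Formatting tags an admin may use; none is accepted with attributes.
    $allowed = ['b', 'i', 'u', 'em', 'strong'];

    // 1. Neutralise every tag, quote and ampersand in the input.
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // 2. Restore <br>, <br/> and <br /> as one normalised line break.
    $safe = preg_replace('~&lt;br\s*/?&gt;~i', '<br>', $safe);

    // 3. Restore formatting tags only in their bare form (<b>, </b>, ...).
    //    "<b onclick=...>" does not match, so it remains escaped text.
    $names = implode('|', $allowed);
    $safe = preg_replace_callback(
        '~&lt;(/?)(' . $names . ')&gt;~i',
        function (array $m): string {
            return '<' . $m[1] . strtolower($m[2]) . '>';
        },
        $safe
    );

    return $safe;
}

// Constructed sample input: a line break, bold text, and markup that must stay inert.
$input = 'General chat<br />Read the <b>rules</b> first '
       . '<script>alert(1)</script> <b onclick="x()">hi</b>';

echo sanitize_board_description($input), PHP_EOL;
```

Unlike HTML Purifier, this filter does not balance tags, so an unclosed `<b>` can still affect the layout of the text that follows it, though it cannot run script.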
