How to make a page break in the Board description?

Started by DenDen60, February 14, 2015, 04:06:35 PM


Kindred

Actually, using html purifier with board descriptions, news and several other places where html was removed might not be a bad idea...   It will raise more issues than just removing it, though... As Arantor suggests.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Arantor

Because I hadn't already thought about this or anything :P

DenDen60

I think that the html purifier would be a good solution. From my understanding it would be more secure and still leave us the possibility of developing our boards the way we want, which I think is very important.


Arantor

Except for the reasons as already outlined where it actually isn't because it has other issues - like I already tried to point out.

I'm not being funny but this is exactly why technical matters should be left to the experts on the subject, not people having opinions about things they don't really understand, either in terms of what they do, what they mean or the consequences thereof.

DenDen60

My problem with this whole approach about security is that your concern about security is true. I will never be able to prove you otherwise, and I would never even want to try, because I know it is there.

However, it is not because something is true, that we need to propose a solution or that the proposed solution is right.

For example, riding a motorcycle is the most dangerous mode of transportation. That is true. If governments proposed to ban motorcycles, would this be right?

We need to remember that this option has been around for almost 10 years, if not more.  I used it myself back in 2006.


Kindred


Suki

Dennis, you are forgetting a pretty important key; your forum your rules, you can customize your forum in whatever ways you want, it doesn't really matter if the SMF devs do not want to add what you need.

So Dennis, if you want something for your own forum go ahead and do it, you don't need anybody's permission to do it.  Either as a mod, a custom code change or even an SMF fork, it doesn't matter, you have plenty of options ahead.

Keep on following your motorcycle example, it is your choice to install a turboreactor or a hot tub on your own motorcycle or not, Honda just provides the vehicle.  The same with SMF, we just provide the script, it is your choice to either keep it as it is or to customize it to suit your needs.

And of course with freedom of choice comes responsibility, if you decide to install a turboreactor on your Honda then do not blame Honda if anything bad happens, the same with SMF.

Oh and it is us, the creators of the script the ones that do not want to keep this feature, not the govt, not a third party. I'm pretty sure Honda or any other motorcycle company does the same thing, that's probably why you don't see any motorcycle with a turboreactor or a hot tub by default coming out from their production line.

So really, your argument is bogus and your analogies simply do not fit.

The proposed solution is neither right nor wrong, as that's relative and depends on who's viewing it, it is what it is and it will not be changed anytime soon.
Disclaimer: unless otherwise stated, all my posts are personal and do not represent any views or opinions held by Simple Machines.

DenDen60

Suki wrote: "you can customize your forum in whatever ways you want, it doesn't really matter if the SMF devs do not want to add what you need."

That is the weird part, it is already there. It has been there for almost 10 years.  It is exactly because it is already there that I suggested that instead of getting rid of it, that it be made into an option. See this as a grandfather clause for those already using it.  :)

Ps.: When it pertains to SMF, for the users you are the government. You decide. Hence the analogy is not bogus. You have the power to ban "motorcycles", read options.

 

Arantor

Yes, and the same power means if ever I had the ability to manage boards - and only boards - that same freedom would allow me to take over your account and trash your forum. No doubt you would then blame us for not fixing a security vulnerability, rather than 'allowing freedom'.

Kindred

No... Your argument is indeed bogus.

Whether we are the government or not in your analogy, the ability to use html is not a motorcycle... If you really insist on going down that path, it is more like a seatbelt...  And the government does indeed legislate and require the use of seat belts...

As for "it has been there for 10 years"
So what?
For years, cars didn't even have seat belts at all. For years after that, the seat belts were not required...  They are now...

It has been brought to our attention as a potential security issue. We take security seriously. We have patched things that are inherently secure and are technically silly reports... But they were patched because we take our security seriously.

live627


DenDen60

Quote from: Arantor on February 23, 2015, 04:50:45 PM
Yes, and the same power means if ever I had the ability to manage boards - and only boards - that same freedom would allow me to take over your account and trash your forum. No doubt you would then blame us for not fixing a security vulnerability, rather than 'allowing freedom'.
Arantor, who would give you that power to manage boards?

In my forum, it would be me. It would be my responsibility, not SMF. Managing boards is a high level function, it is a management function. If I give this responsibility to someone else, I am responsible for the outcome. 

If I were in charge of a company and my techs would come up with this situation and ask me what they should do, I would ask the following question:

Quote: If people use our forum software the way it was designed to be used, is it a security threat?

As soon as the answer is NO, then it becomes a forum management issue.

In this case, I would ask is there something that we can do to protect our client further and ourselves in the process, and still let that option there?

If it is possible, I would say ok let's do that. If not, I would revisit the issue to make sure that it is indeed a forum management issue and if it is, I would leave it as it is, but include a warning sign.







Kindred


DenDen60

Quote from: Kindred on February 24, 2015, 10:19:01 AM
except, you would be wrong.
That is your point of view. Let's conclude that we just have two different visions of where and how one has to intervene to protect the client from himself. I promote a vision where the forum administrator has to be held responsible and the SMF team prefers to go further down in the intervention path and exclude some options.




DenDen60

Please remember, that since I am not a programmer, this is my way to contribute to the development of SMF. I hope you like it.  :laugh:

Arantor

The problem is not that you are not a programmer. The problem is that you are trying to tell people who are decade-long veterans of programming how to solve a programming problem like you know what you're talking about.

Here's the problem: handing out board management is not necessarily an admin power. There are sites that have people who manage and create boards - but aren't admins. You pushing us to leave this choice in makes those sites vulnerable, under the guise of 'choice'.

This is a bug. This is a bug that should have been fixed years ago, in fact. I've been trying to get this one fixed for at least 3 years and each time I run into the problem that people abuse it in awkward ways - and the proper course of action is to be restrictive.

Here is ultimately the problem: are you qualified to make the choice that you're asking we let you have? You are, by your own admission, not a programmer. I would argue that someone who is not a programmer is not qualified to argue the case on this one.

DenDen60

Quote from: Arantor on February 24, 2015, 04:04:49 PM
Here's the problem: handing out board management is not necessarily an admin power. There are sites that have people who manage and create boards - but aren't admins. You pushing us to leave this choice in makes those sites vulnerable, under the guise of 'choice'.

Who gave this permission, the SMF team or the individual Forum admin?

Quote from: Arantor on February 24, 2015, 04:04:49 PM
Here is ultimately the problem: are you qualified to make the choice that you're asking we let you have? You are, by your own admission, not a programmer. I would argue that someone who is not a programmer is not qualified to argue the case on this one.

Here is the real problem. Although it is a bug, there is no security threat until the ADMIN gives the permission to someone else to manage and create boards.  It is thus a management problem. I don't have to be a programmer to see this.

I do think, though, that you are right in taking action. However I think that making it an option and notifying the ADMIN that using this option can create a security risk when they let somebody else manage their board, is a better approach than taking it away from everybody. It is a question of business process, not programming.




Arantor

No, non-programmers are not qualified to make an informed choice, because one of the necessary components of that "being informed" is that knowledge.

It also presumes there is no other exploit that could be used to get that permission, before elevation to account theft. There are no known holes but such a hole could be found. At which point it long since ceased to be a business process.

If I did what you are suggesting at the place I work, I could expect a written warning or even dismissal for gross negligence.

DenDen60

Do you let non-programmers install SMF?

If they are "responsible" enough to make the decision to install SMF, they are responsible enough to manage it and make the appropriate decision as to what feature they want to use. With this philosophy in mind, which I think should be SMF's philosophy, no boss would reprimand or dismiss someone for negligence.

Now, I have said enough on the matter.

Let's conclude that we just have two different visions of where and how one has to intervene to protect the client from himself. I promote a vision where the forum administrator is responsible to use the tool as he wishes.

The rest is up to you.




WillyP

I think the idea of using pics in the description is a nice idea, but if it means making the forum less secure to do so... maybe not.

I don't want to spend all my time researching every technical aspect of running a forum. I trust the developers to make good security decisions.

And we've seen so many times the story of 'I let my buddy have admin rights to my forum and he took over and hacked my site now I can't login, blah blah blah' that it is a known issue. You need someone to help out, you think they are trustworthy, but things happen, people change and aren't always what we think they are in the first place.

So I really appreciate that you guys are making the forum secure, and constantly trying to improve, just as I am glad my 2001 Kawasaki has better brakes and better lighting than my '62 Triumph did.
