• Welcome to Simple Machines Community Forum. Please login or sign up.

[html]-BBCode filters javascript

Started by qc, May 04, 2016, 09:57:29 PM

Previous topic - Next topic

qc

The [​html]-BBCode available to SMF administrators is very useful for quickly adding rich content to topics. As an administrator on my site, I would like to include a few scripts, too, but this seems not to work (only locally hosted scripts can be included via <script src="/local.js">). Attaching event handlers to HTML elements via onClick="..." is also not possible.

Is there a reason for denying administrators the ability to include remote or inline scripts as well as inline eventhandlers?
Playing quizduell? Having quizduell questions? Our german quizduell forum quizcommunity.de is looking for quiz freaks to come and play quizduell with us :)

nend

I don't think it is intentional but more of the parsing of the post message when it is submitted to the database. This is there for security purposes and it changes certain characters to make them safe. However in embedding HTML this may have some negative effects and put some limitations on what you can achieve with this tag.

Take for example my custom BBC here.
array(
'tag' => 'eval',
'type' => 'unparsed_content',
'content' => '$1',
'validate' => create_function('&$tag, &$data, $disabled', '
if (!isset($disabled[\'eval\'])) {
$data = str_replace(array("&#91;","&#93;"),array("[","]"),$data);
$data = @eval(str_replace(array("\r","\n","<br />","&nbsp;")," ",un_htmlspecialchars($data)));
} else {
$data = \'\';
}'),
'disabled_content' => '',
),
array(
'tag' => 'head',
'type' => 'unparsed_content',
'content' => '$1',
'validate' => create_function('&$tag, &$data, $disabled', '
if (!isset($disabled[\'head\'])) {
global $context;
$data = str_replace(array("&#91;","&#93;","<br />"),array("[","]","\r\n"),$data);
$context[\'ob_headers\'] .= str_replace(array("\r","&nbsp;")," ",un_htmlspecialchars($data));;
//$data = \'<script type="text/javascript">$("head").append("\'.html_entity_decode($data).\'");</script>\';
}
$data = \'\';
'),
'disabled_content' => '$1',
'block_level' => true,
),


Had to do a little processing to get this to work and it still doesn't work perfect. However I do know the limitations and can adjust. I can do some evals and anything more complicated I would have to include a external file, example, http://www.sicomm.us/t/53/.

However my case was on the more extreme side and to be on the safe side, whatever code is calling the function has to pass credentials to the BBC parser for the poster. Yeah, a little bit of source edits, but if no credentials then that BBC is off limits.

Don't use any of the code above because I didn't include the security part of it.  ;)

qc

Quote from: nend on May 04, 2016, 10:34:49 PMwhatever code is calling the function has to pass credentials to the BBC parser for the poster.
Haha, that's freaky ;D

Actually, I just found a way around the javascript restrictions by posting e.g.

[​html]<body onload="[/html][​html]alert(1)"></body>[/html]

which then evaluates to

<body onload="alert(1)"></body>

Also a bit freaky, though ???
Playing quizduell? Having quizduell questions? Our german quizduell forum quizcommunity.de is looking for quiz freaks to come and play quizduell with us :)

Kindred

I would't actually call this a bug, per say...   More of a limitation.

And one that most admins would never encounter, since most admins don't know diddly about JavaScript... (And,mi would argue that JavaScript really does not belong in posts)
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Advertisement: