
Running HTML/PHP Code/Scripts/Templates BBC-Code Suggestion

Started by John Magdy Lotfy, August 07, 2017, 10:07:28 AM


John Magdy Lotfy

Hello everybody, it'd be great to see a new BBC-code which we could use to run PHP/HTML code/scripts, not only showing the code in the post but running it.
For example: [ rhtml ]<a href="https://www.simplemachines.org" title="I have added r in front of the html tag to name it running html, and it's the same for rphp = running php">Click me</a>[ rhtml ]

Illori

do you want to get hacked? this is a great way to get hacked.

John Magdy Lotfy

Quote from: Illori on August 07, 2017, 10:08:34 AM
do you want to get hacked? this is a great way to get hacked.
What do you mean??? (If you mean that some PHP scripts could be used to hack my own web server, then adding a feature to customize which PHP/HTML functions are allowed or disallowed could resolve the problem.)

Antes

I agree with Illori, it's a really, really edgy situation. I never see it coming as a core feature. Good luck with the mod request :)

Arantor

Quote from: John Magdy Lotfy on August 07, 2017, 10:11:01 AM
Quote from: Illori on August 07, 2017, 10:08:34 AM
do you want to get hacked? this is a great way to get hacked.
What do you mean??? (If you mean that some PHP scripts could be used to hack my own web server, then adding a feature to customize which PHP/HTML functions are allowed or disallowed could resolve the problem.)

Whatever system you come up with to check what's allowed, I guarantee you I can figure out a way past it.

As for HTML, there is the HTML bbcode which is admin only because if it weren't, I could use it as a regular member to steal your cookies. And before you say that you'd only allow some HTML, again, whatever you come up with, I could find a way through it.

Bad idea all round, really. It's why forum bbcode even exists, because HTML is hard to secure when users can add their own content.

青山 素子

While you can try whitelisting rather than blacklisting, allowing any kind of raw PHP in a forum post is a serious security issue. I can't see this ever becoming a core feature due to just how difficult it is to implement safely, if such a thing is even possible.

Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


Arantor

It isn't possible. There are way too many ways to get around even whitelists, when things like variable functions come into play.
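To make Arantor's two points concrete (that an allow-list of "permitted" functions is bypassable, and that variable functions are the usual way through), here is an added illustration. It is not SMF code and not code from anyone in this thread: a hypothetical name-based allow-list filter for an imagined [rphp] bbcode, fed with constructed post bodies. The snippets are only tokenized and classified, never executed; the forbidden call used as the target is `file_get_contents`, chosen purely because it is easy to recognize.

```php
<?php
// Added illustration, not SMF code: a naive allow-list filter for a hypothetical
// [rphp] bbcode, and constructed post bodies that pass it while still reaching a
// function the admin meant to forbid. Nothing below is executed; the snippets
// are only tokenized with token_get_all() and classified.

// Hypothetical admin-configured list of "safe" functions.
const ALLOWED_FUNCTIONS = ['strlen', 'strtolower', 'date'];

/**
 * Naive filter: reject any bare identifier (T_STRING) that is directly
 * followed by "(" unless it is on the allow-list. Returns true when the
 * snippet passes, i.e. the filter found nothing to object to.
 */
function naive_allowlist_passes(string $code): bool
{
    $tokens = token_get_all("<?php " . $code);
    $n = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok) || $tok[0] !== T_STRING) {
            continue;
        }
        // Find the next non-whitespace token after the identifier.
        $j = $i + 1;
        while ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
            $j++;
        }
        $isCall = ($j < $n && $tokens[$j] === '(');
        if ($isCall && !in_array(strtolower($tok[1]), ALLOWED_FUNCTIONS, true)) {
            return false; // direct call, by name, to a function that is not allowed
        }
    }
    return true;
}

// Constructed sample post bodies. Only the first one names the function directly.
$samples = [
    'direct call by name'        => 'echo file_get_contents("/etc/passwd");',
    // $f is T_VARIABLE, the name is just string data: no T_STRING precedes "("
    'variable function'          => '$f = "file_get_" . "contents"; echo $f("/etc/passwd");',
    // an *allowed* function builds the name of a forbidden one
    'name built by allowed func' => '$f = strtolower("FILE_GET_CONTENTS"); echo $f("/etc/passwd");',
    // PHP 7+ lets a string literal be called directly
    'string literal call'        => 'echo "file_get_contents"("/etc/passwd");',
    // on PHP 8.0+ this is a single T_NAME_FULLY_QUALIFIED token, not T_STRING
    'fully qualified name'       => 'echo \\file_get_contents("/etc/passwd");',
];

foreach ($samples as $label => $code) {
    printf("%-28s %s\n", $label, naive_allowlist_passes($code) ? 'PASSES filter' : 'blocked');
}
```

Run with any PHP 7 or 8 CLI: only the first sample is blocked; the variable-function, allowed-function-builds-the-name and string-literal forms pass on every version, and the fully qualified form passes on PHP 8.0 and later because the tokenizer no longer emits a bare T_STRING for it. The deeper problem is the third sample: even a filter that tracked every call correctly cannot stop a function it does allow from producing a callable at runtime, which is why the thread's conclusion is that the feature cannot be made safe by filtering.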

Steve

DO NOT pm me for support!
