Will the 2.3.x series support FULL HTML and Java in the Forum Description?


Guest WoLeRiNe`


Posted

Well,
Will the 2.3.x series support FULL HTML and Java in the Forum Description?
Because until now, I can't add the code as above;

oktw5.png
This is a phpBB forum! And it works!!!

But when I want to add it on our IPB forum, you see;

nokbx3.png

This doesn't work completely, we can see the codes <_< :( >_< :ermm: :devil:

When will IPB, or will 2.3.x, support FULL HTML in the FORUM DESCRIPTION?

Posted

Surely it would be more logical to just include the HTML in the description, and add the javascript into your skin with an onload event or something to trigger it? :)

Posted

You know, if I were IPS I would deliberately NOT implement this suggestion, because seriously, you come off as a complete jerk talking like that.

(Edit: Sorry Dan, not you. I meant TurXaliM with his demanding "do this!" and "phpBB is better than IPB because it opens me and my users to security vulnerabilities!" attitude)

That said, this feature from digging through the code is a deliberate one. If you investigate the function xss_html_clean in sources/ipsclass.php, or the function forums_save in sources/action_admin/forums.php, you can revert this behaviour. Just be aware that doing so opens you to security vulnerabilities, and is (obviously) not supported.

Posted

Surely it would be more logical to just include the HTML in the description, and add the javascript into your skin with an onload event or something to trigger it? :)

I don't know the codes, I'm not a coder :)



You know, if I were IPS I would deliberately NOT implement this suggestion, because seriously, you come off as a complete jerk talking like that.



(Edit: Sorry Dan, not you. I meant TurXaliM with his demanding "do this!" and "phpBB is better than IPB because it opens me and my users to security vulnerabilities!" attitude)



That said, this feature from digging through the code is a deliberate one. If you investigate the function xss_html_clean in sources/ipsclass.php, or the function forums_save in sources/action_admin/forums.php, you can revert this behaviour. Just be aware that doing so opens you to security vulnerabilities, and is (obviously) not supported.

This is vulnerable? So for that, phpBB, vB etc... they can use the codes like in the image above :blink: ...?

Posted

This is vulnerable? So for that, phpBB, vB etc... they can use the codes like in the image above :blink: ...?



Indeed, as it is designed mostly to prevent the insertion of javascript located on servers outside your control (and easily modifiable by someone else). As I've told you how you can revert this to the phpBB-like behaviour, you're on your own of course - and I certainly don't think your request is something IPS should do in the core product. Full HTML is supported by the way, only SCRIPT is blocked.
Posted

Indeed, as it is designed mostly to prevent the insertion of javascript located on servers outside your control (and easily modifiable by someone else). As I've told you how you can revert this to the phpBB-like behaviour, you're on your own of course - and I certainly don't think your request is something IPS should do in the core product. Full HTML is supported by the way, only SCRIPT is blocked.



And couldn't you use AJAX type code to steal the data needed to hijack sessions?

No thanks, I'll keep my security. :)
Posted

AJAX type code? No, not really. This is one of those rare occasions where AJAX is useless - the browsers will not allow an XMLHttpRequest object to access a domain other than the one the browser is on - not even a subdomain.

Posted

The idea is twofold -

1) Allowing javascript there, users can add javascript like you are trying to do, which could open up your site to security issues (and subsequently, tickets to us saying how your site was hacked, which could take days to track down when something like this is the cause)

2) If your ACP WAS hacked, a hacker could add js there that would take days to find - all the while collecting important user information.

The goal with 2.2 (one of the goals) was layers of security. It's great that there are no known security vulnerabilities - but if one pops up, we wanted to have as many layers of protection as possible so that the damage that can be done is minimal.
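
An audit in the spirit of point 2 above, as an added example that is not part of the thread and not IPB's own code: it scans stored forum descriptions for script elements, inline event handlers and `javascript:` URLs so that injected script is found quickly. The sample rows, the host name `forum.example.org` and all function names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample rows (forum id, description HTML); not data from the thread.
SAMPLE_DESCRIPTIONS = [
    (1, '<b>News</b> and <a href="/rules">rules</a>'),
    (2, '<div id="t"></div><script src="http://widgets.example.net/t.js"></script>'),
    (3, '<img src="/logo.png" onload="startTicker()">'),
    (4, '<a href="java\tscript:void(0)">menu</a>'),
    (5, '<SCRIPT>var x = 1;</SCRIPT>'),
]
URL_ATTRS = {"href", "src", "action"}

class ActiveContentFinder(HTMLParser):
    """Records script elements, on* handlers and javascript: URLs."""
    def __init__(self, own_host):
        super().__init__(convert_charrefs=True)
        self.own_host = own_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "script":
            src = attrs.get("src", "").strip()
            host = urlparse(src).hostname
            if not src:
                self.findings.append("inline-script")
            elif host and host != self.own_host:
                self.findings.append(f"external-script:{host}")
            else:
                self.findings.append("local-script")
        for name, value in attrs.items():
            # Browsers ignore tabs/newlines inside the scheme, so strip whitespace.
            compact = "".join(value.split()).lower()
            if name.startswith("on"):
                self.findings.append(f"event-handler:{name}")
            elif name in URL_ATTRS and compact.startswith("javascript:"):
                self.findings.append(f"javascript-url:{name}")

def audit(rows, own_host):
    """Return {forum_id: [findings]} for every description with active content."""
    report = {}
    for forum_id, html in rows:
        finder = ActiveContentFinder(own_host)
        finder.feed(html)
        finder.close()
        if finder.findings:
            report[forum_id] = finder.findings
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_DESCRIPTIONS, "forum.example.org"))
```

Run on a schedule against an export of the descriptions, a report entry that nobody on the admin team added is the signal to investigate.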

Posted

AJAX type code? No, not really. This is one of those rare occasions where AJAX is useless - the browsers will not allow an XMLHttpRequest object to access a domain other than the one the browser is on - not even a subdomain.


Ah yes, I keep forgetting about the cross-site scripting things in place.

Though can't you just do a silent redirect in the background or something? pop a new window, direct it sending the data in a GET command? (Last time I checked doing navigate() commands weren't protected by cross site scripting IIRC)

Anyway it's iffy stuff >< I'd rather it not float around.

Archived

This topic is now archived and is closed to further replies.
