WoLeRiNe` Posted April 21, 2007

Well, will the 2.3.x series support FULL HTML and Java in the Forum Description?

Because until now, I can't add the code as above; this is a phpBB forum! And it has been working!!!

But when I want to add it on our IPB forum, you see: this doesn't work completely, we can see the codes <_< :( >_< :ermm: :devil:

IPB, when or will 2.3.x support FULL HTML in the FORUM DESCRIPTION?
Guest Posted April 21, 2007

Surely it would be more logical to just include the HTML in the description, and add the javascript into your skin with an onload event or something to trigger it? :)
Mat Barrie Posted April 21, 2007

You know, if I were IPS I would deliberately NOT implement this suggestion, because seriously, you come off as a complete jerk talking like that.

(Edit: Sorry Dan, not you. I meant TurXaliM with his demanding "do this!" and "phpBB is better than IPB because it opens me and my users to security vulnerabilities!" attitude)

That said, this feature from digging through the code is a deliberate one. If you investigate the function xss_html_clean in sources/ipsclass.php, or the function forums_save in sources/action_admin/forums.php, you can revert this behaviour. Just be aware that doing so opens you to security vulnerabilities, and is (obviously) not supported.
WoLeRiNe` Posted April 21, 2007

> Surely it would be more logical to just include the HTML in the description, and add the javascript into your skin with an onload event or something to trigger it? :)

I don't know the codes, I'm not a coder :)

> You know, if I were IPS I would deliberately NOT implement this suggestion, because seriously, you come off as a complete jerk talking like that.
>
> (Edit: Sorry Dan, not you. I meant TurXaliM with his demanding "do this!" and "phpBB is better than IPB because it opens me and my users to security vulnerabilities!" attitude)
>
> That said, this feature from digging through the code is a deliberate one. If you investigate the function xss_html_clean in sources/ipsclass.php, or the function forums_save in sources/action_admin/forums.php, you can revert this behaviour. Just be aware that doing so opens you to security vulnerabilities, and is (obviously) not supported.

This is vulnerable? So for that, phpBB, vB etc... they can use the codes like the image above :blink: ...?
Alex Posted April 21, 2007

Inserting a javascript from a 3rd party that is not IPS's could be seen as a potential security risk.
Mat Barrie Posted April 21, 2007

> This is vulnerable? So for that, phpBB, vB etc... they can use the codes like the image above :blink: ...?

Indeed, as it is designed mostly to prevent the insertion of javascript located on servers outside your control (and easily modifiable by someone else). As I've told you how you can revert this to the phpBB-like behaviour, you're on your own of course - and I certainly don't think your request is something IPS should do in the core product.

Full HTML is supported by the way, only SCRIPT is blocked.
Strange_Will Posted April 21, 2007

> Indeed, as it is designed mostly to prevent the insertion of javascript located on servers outside your control (and easily modifiable by someone else). As I've told you how you can revert this to the phpBB-like behaviour, you're on your own of course - and I certainly don't think your request is something IPS should do in the core product.
>
> Full HTML is supported by the way, only SCRIPT is blocked.

And couldn't you use AJAX type code to steal the data needed to hijack sessions?

No thanks, I'll keep my security. :)
Mat Barrie Posted April 22, 2007

AJAX type code? No, not really. This is one of those rare occasions where AJAX is useless - the browsers will not allow an XMLHttpRequest object to access a domain other than the one the browser is on - not even a subdomain.
bfarber Posted April 23, 2007

The idea is twofold -

1) Allowing javascript there, users can add javascript like you are trying to do, which could open up your site to security issues (and subsequently, tickets to us saying how your site was hacked, which could take days to track down when something like this is the cause)

2) If your ACP WAS hacked, a hacker could add js there that would take days to find - all the while collecting important user information.

The goal with 2.2 (one of the goals) was layers of security. It's great that there are no known security vulnerabilities - but if one pops up, we wanted to have as many layers of protection as possible so that the damage that can be done is minimal.
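
An added example, not part of any post and not IPB code (it does not reproduce xss_html_clean): an audit of stored forum descriptions for script-bearing markup, the kind of check that shortens the "days to find" search bfarber describes. The SAMPLE rows, the function names and the finding labels are constructed for illustration; exporting the descriptions from a board is assumed to be done separately.

```python
from html.parser import HTMLParser

# Attributes whose value browsers treat as a URL.
URL_ATTRS = {"href", "src", "action", "formaction", "data"}

def url_scheme(value):
    """Scheme as a browser reads it: whitespace and control chars are ignored."""
    cleaned = "".join(c for c in value if ord(c) > 0x20).lower()
    return cleaned.partition(":")[0] if ":" in cleaned else ""

class ScriptFinder(HTMLParser):
    """Collects every script-bearing construct in one HTML fragment."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Tag and attribute names arrive lowercased, values entity-decoded.
        if tag == "script":
            self.findings.append(("script-tag", dict(attrs).get("src") or "inline"))
        for name, value in attrs:
            if name.startswith("on"):  # onload, onmouseover, ...
                self.findings.append(("event-handler", f"{tag}[{name}]"))
            elif name in URL_ATTRS and url_scheme(value or "") == "javascript":
                self.findings.append(("javascript-url", f"{tag}[{name}]"))

def audit(descriptions):
    """Map forum id -> findings, only for descriptions that contain any."""
    flagged = {}
    for forum_id, html in descriptions.items():
        finder = ScriptFinder()
        finder.feed(html)
        finder.close()
        if finder.findings:
            flagged[forum_id] = finder.findings
    return flagged

# Constructed sample rows (forum id -> description), not real board data.
SAMPLE = {
    1: '<b>General chat</b> <img src="/style/chat.gif" alt="">',
    2: '<script src="http://stats.example.net/counter.js"></script>News',
    3: '<a href="JaVa&#9;script:void(0)" onmouseover="x()">Rules</a>',
}

if __name__ == "__main__":
    for forum_id, findings in audit(SAMPLE).items():
        print(forum_id, findings)
```

Plain HTML passes untouched, which matches the "only SCRIPT is blocked" behaviour described in the thread; the externally hosted script in row 2 is reported with its source URL so it can be reviewed.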
WoLeRiNe` Posted April 23, 2007

Ok, I understand.

Thanks all for the information.
TCWT Posted April 23, 2007

No wonder phpBB is so vulnerable and hacked so often :lol:
Strange_Will Posted April 23, 2007

> AJAX type code? No, not really. This is one of those rare occasions where AJAX is useless - the browsers will not allow an XMLHttpRequest object to access a domain other than the one the browser is on - not even a subdomain.

Ah yes, I keep forgetting about the cross-site scripting things in place.

Though can't you just do a silent redirect in the background or something? Pop a new window, direct it sending the data in a GET command? (Last time I checked doing navigate() commands weren't protected by cross site scripting IIRC)

Anyway it's iffy stuff >< I'd rather it not float around.
This topic is now archived and is closed to further replies.