Why is JS parsed from forum description?

[chasz]

i tried to get a script running from forum description, but the rendered html is above.

so why is JS being parsed out? or is there a switch?

onclick="

[bfarber]

For security reasons our parsing classes strip out javascript.

[Alahmnat]

I think I'm running into the same problem with my spoiler tag from IPB 2.3.6, which uses JS to swap the display attribute of a span element within the post between "none" and "block". I've already tried replacing the new spoiler bbcode with the old one and rebuilding the post content thinking it would detect the old BBCode and parse the HTML back to its original BBCoded form, but that just borked everything even further, as now I've got

[url="javascript:void(0)"] [/url]

 wrapped around the "click here to view a spoiler" text, and the actual spoiler is inaccessible. Is there something else I should have done first?

[chasz]

ok so where is full html really full html?

cant you do a check on admin groups LOL, html use is like per forum and per user......if admin messes up the forums, the its too bad lol

[bfarber]

You cannot submit javascript through any IPB editors, period.

You can work around this if it's necessary. In your rules do something like



And then somewhere in the skin add

$('forumRulesLink').observe( 'click', function(e) { Event.stop(e); // Here is where you put the JS you were going to do onclick before }); </script>

But javascript help is not part of our support I'm afraid. ;)

<a href='#' id='forumRulesLink'>Link here</a>

<script type='text/javascript'>

[chasz]

the forum rules is the only place?? WTF LOL

how do i get rid of this function? the whole package relies on js, why the heck do u disallow it?

[The Pi]

He was just posting an example. The ID can be anything as long as it is set in the JS

[bfarber]

The forum rules is not the only place. As I already said, ANYWHERE that uses the editor strips javascript.

If you require support or help removing functionality (modifying the software) you will need to use the peer to peer resource forums.

[chasz]

hate to sound like a noob, but where is this parser rule set?lol

[Michael]

Don't try to remove it. If you stop the editor from stripping out javascript (that's not called "parsing" it, by the way) then people will be able to post javascript code on your board, and all hell will likely break loose. It's a major security risk.

[chasz]

but why "parse"/strip the forum descriptions when only admin can get in?

[bfarber]

You seem to be missing the underlying point.

It is the same editor used in the ACP as the front end. If you edit the bbcode library, it will not only affect the acp, it affects the front end as well. It is the same code. One file. Used in both ACP and front end.

If you edit the file to remove the rules that strip out javascript, users will be able to submit the content unfiltered when making posts. Now, if they don't have HTML permissions they can't create the full tags of course, but that's not to stop them from injecting XSS via onerror, onclick, etc. event handlers which WERE checked for and stripped, but no longer are since you removed that code.

If you are determined to do this, however, no one can stop you - but you need to post in the resources forums. This is no longer feedback for IPB. :)