chasz Posted May 18, 2009 I tried to get a script running from forum description, but the rendered HTML is above. So why is JS being parsed out? Or is there a switch?
onclick="
bfarber Posted May 18, 2009 For security reasons our parsing classes strip out javascript.
Alahmnat Posted May 18, 2009 I think I'm running into the same problem with my spoiler tag from IPB 2.3.6, which uses JS to swap the display attribute of a span element within the post between "none" and "block". I've already tried replacing the new spoiler bbcode with the old one and rebuilding the post content thinking it would detect the old BBCode and parse the HTML back to its original BBCoded form, but that just borked everything even further, as now I've got [url="javascript:void(0)"] [/url] wrapped around the "click here to view a spoiler" text, and the actual spoiler is inaccessible. Is there something else I should have done first?
chasz Posted May 18, 2009 Author OK, so where is full HTML really full HTML? Can't you do a check on admin groups LOL, HTML use is like per forum and per user... if admin messes up the forums, then it's too bad lol
bfarber Posted May 18, 2009 You cannot submit javascript through any IPB editors, period. You can work around this if it's necessary. In your rules do something like

    <a href='#' id='forumRulesLink'>Link here</a>

And then somewhere in the skin add

    <script type='text/javascript'>
    $('forumRulesLink').observe( 'click', function(e) {
        Event.stop(e);
        // Here is where you put the JS you were going to do onclick before
    });
    </script>

But javascript help is not part of our support I'm afraid. ;)
chasz Posted May 19, 2009 Author The forum rules is the only place?? WTF LOL How do I get rid of this function? The whole package relies on JS, why the heck do you disallow it?
The Pi Posted May 19, 2009 He was just posting an example. The ID can be anything as long as it is set in the JS
bfarber Posted May 19, 2009 The forum rules is not the only place. As I already said, ANYWHERE that uses the editor strips javascript. If you require support or help removing functionality (modifying the software) you will need to use the peer to peer resource forums.
chasz Posted May 19, 2009 Author Hate to sound like a noob, but where is this parser rule set? lol
Michael Posted May 19, 2009 Don't try to remove it. If you stop the editor from stripping out javascript (that's not called "parsing" it, by the way) then people will be able to post javascript code on your board, and all hell will likely break loose. It's a major security risk.
chasz Posted May 19, 2009 Author But why "parse"/strip the forum descriptions when only admin can get in?
bfarber Posted May 19, 2009 You seem to be missing the underlying point. It is the same editor used in the ACP as the front end. If you edit the bbcode library, it will not only affect the acp, it affects the front end as well. It is the same code. One file. Used in both ACP and front end. If you edit the file to remove the rules that strip out javascript, users will be able to submit the content unfiltered when making posts. Now, if they don't have HTML permissions they can't create the full tags of course, but that's not to stop them from injecting XSS via onerror, onclick, etc. event handlers which WERE checked for and stripped, but no longer are since you removed that code. If you are determined to do this, however, no one can stop you - but you need to post in the resources forums. This is no longer feedback for IPB. :)
Archived
This topic is now archived and is closed to further replies.