
Why is JS parsed from forum description?


chasz


I think I'm running into the same problem with my spoiler tag from IPB 2.3.6, which uses JS to swap the display attribute of a span element within the post between "none" and "block". I've already tried replacing the new spoiler bbcode with the old one and rebuilding the post content thinking it would detect the old BBCode and parse the HTML back to its original BBCoded form, but that just borked everything even further, as now I've got [url="javascript:void(0)"] [/url] wrapped around the "click here to view a spoiler" text, and the actual spoiler is inaccessible. Is there something else I should have done first?

You cannot submit javascript through any IPB editors, period.

You can work around this if it's necessary. In your rules do something like

<a href='#' id='forumRulesLink'>Link here</a>

And then somewhere in the skin add

<script type='text/javascript'>
$('forumRulesLink').observe( 'click', function(e) {
    Event.stop(e);
    // Here is where you put the JS you were going to do onclick before
});
</script>

But javascript help is not part of our support I'm afraid. ;)


The forum rules is not the only place. As I already said, ANYWHERE that uses the editor strips javascript.

If you require support or help removing functionality (modifying the software) you will need to use the peer to peer resource forums.


Don't try to remove it. If you stop the editor from stripping out javascript (that's not called "parsing" it, by the way) then people will be able to post javascript code on your board, and all hell will likely break loose. It's a major security risk.


You seem to be missing the underlying point.

It is the same editor used in the ACP as the front end. If you edit the bbcode library, it will not only affect the acp, it affects the front end as well. It is the same code. One file. Used in both ACP and front end.

If you edit the file to remove the rules that strip out javascript, users will be able to submit the content unfiltered when making posts. Now, if they don't have HTML permissions they can't create the full tags of course, but that's not to stop them from injecting XSS via onerror, onclick, etc. event handlers which WERE checked for and stripped, but no longer are since you removed that code.

If you are determined to do this, however, no one can stop you - but you need to post in the resources forums. This is no longer feedback for IPB. :)

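Added example, not part of the thread and not IPB's code: the point made in the post above, shown in JavaScript. A filter that only removes `<script>` elements leaves `onerror`/`onclick` handlers and `javascript:` URLs untouched, while an allowlist of tags, attributes and URL schemes drops them. The function names, the allowlist and the sample inputs are constructed for illustration, and the regex tokenizer is a simplification of what a real HTML parser would do.

```javascript
// Added example, not IPB's code. All names and sample inputs are constructed.
const ENT = { '<': '&lt;', '>': '&gt;', '"': '&quot;' };
const esc = s => s.replace(/[<>"]/g, c => ENT[c]);

// Weak filter: removes <script> elements and nothing else.
function stripScriptTagsOnly(html) {
  return html.replace(/<script\b[\s\S]*?<\/script\s*>/gi, '');
}

// Allowlist filter: only these tags and attributes are ever re-emitted.
// A Map avoids inherited keys such as "constructor" matching a tag name.
const ALLOWED = new Map([
  ['a', ['href']], ['b', []], ['i', []], ['span', []], ['img', ['src', 'alt']],
]);
const SAFE_URL = /^(https?:|\/|#)/i; // any other scheme, e.g. javascript:, is dropped

function allowlistFilter(html) {
  const tagRe = /<(\/?)([a-z][a-z0-9]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
  const attrRe = /([^\s"'=<>\/]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let out = '', last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    out += esc(html.slice(last, m.index)); // text between tags is escaped
    last = tagRe.lastIndex;
    const name = m[2].toLowerCase();
    if (!ALLOWED.has(name)) { out += esc(m[0]); continue; } // rendered as text
    if (m[1]) { out += `</${name}>`; continue; }            // closing tag
    let attrs = '';
    for (const a of m[3].matchAll(attrRe)) {
      const key = a[1].toLowerCase();
      const val = (a[2] ?? a[3] ?? a[4]).trim();
      if (!ALLOWED.get(name).includes(key)) continue; // drops onerror, onclick, style
      if (key !== 'alt' && !SAFE_URL.test(val)) continue; // href/src scheme check
      attrs += ` ${key}="${esc(val)}"`;
    }
    out += `<${name}${attrs}>`;
  }
  return out + esc(html.slice(last)); // trailing text, including unterminated tags
}

// Constructed sample submissions.
const SAMPLES = [
  '<img src="/x.png" onerror="alert(1)">',
  '<a href="javascript:void(0)" onclick="alert(1)">spoiler</a>',
  '<script>alert(1)</script>',
];
for (const s of SAMPLES) {
  console.log('script-only:', stripScriptTagsOnly(s), '| allowlist:', allowlistFilter(s));
}
```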

Archived

This topic is now archived and is closed to further replies.
