
Why is JS parsed from forum description?


chasz


Posted



I tried to get a script running from the forum description, but the rendered HTML is above.

So why is JS being parsed out? Or is there a switch?

onclick="
Posted

I think I'm running into the same problem with my spoiler tag from IPB 2.3.6, which uses JS to swap the display attribute of a span element within the post between "none" and "block". I've already tried replacing the new spoiler bbcode with the old one and rebuilding the post content thinking it would detect the old BBCode and parse the HTML back to its original BBCoded form, but that just borked everything even further, as now I've got [url="javascript:void(0)"] [/url] wrapped around the "click here to view a spoiler" text, and the actual spoiler is inaccessible. Is there something else I should have done first?
Posted

OK, so where is full HTML really full HTML?

Can't you do a check on admin groups LOL, HTML use is like per forum and per user... if admin messes up the forums, then it's too bad lol

Posted

You cannot submit javascript through any IPB editors, period.

You can work around this if it's necessary. In your rules do something like

<a href='#' id='forumRulesLink'>Link here</a>

And then somewhere in the skin add

<script type='text/javascript'>
$('forumRulesLink').observe( 'click', function(e) {
    Event.stop(e);
    // Here is where you put the JS you were going to do onclick before
});
</script>

But javascript help is not part of our support I'm afraid. ;)

Posted

The forum rules is the only place?? WTF LOL

How do I get rid of this function? The whole package relies on JS, why the heck do you disallow it?

Posted

The forum rules is not the only place. As I already said, ANYWHERE that uses the editor strips javascript.

If you require support or help removing functionality (modifying the software) you will need to use the peer to peer resource forums.

Posted

Don't try to remove it. If you stop the editor from stripping out javascript (that's not called "parsing" it, by the way) then people will be able to post javascript code on your board, and all hell will likely break loose. It's a major security risk.

Posted

You seem to be missing the underlying point.

It is the same editor used in the ACP as the front end. If you edit the bbcode library, it will not only affect the acp, it affects the front end as well. It is the same code. One file. Used in both ACP and front end.

If you edit the file to remove the rules that strip out javascript, users will be able to submit the content unfiltered when making posts. Now, if they don't have HTML permissions they can't create the full tags of course, but that's not to stop them from injecting XSS via onerror, onclick, etc. event handlers which WERE checked for and stripped, but no longer are since you removed that code.

If you are determined to do this, however, no one can stop you - but you need to post in the resources forums. This is no longer feedback for IPB. :)

Archived

This topic is now archived and is closed to further replies.
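
The filtering the last two replies describe (dropping `on*` event-handler attributes and `javascript:` links even when a user cannot write a full `<script>` tag) can be sketched as an allowlist over one tag's attributes. This is an added example, not IPB's code and not from any poster in the thread; the allowlists, the `forum.example` base URL and the function names are assumptions, and the sample inputs are constructed.

```javascript
// Added example: allowlist filter for the attributes of one user-supplied tag.
// ALLOWED, BASE, isSafeUrl and filterAttributes are hypothetical names.
const ALLOWED = new Map([
  ['a', new Set(['href', 'title', 'id'])],
  ['img', new Set(['src', 'alt', 'title'])],
  ['span', new Set(['title'])],
]);
const URL_ATTRS = new Set(['href', 'src']);
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
const BASE = 'https://forum.example/'; // constructed base for relative links

function isSafeUrl(value) {
  try {
    // The WHATWG URL parser strips tabs/newlines and lowercases the scheme,
    // so "Java\tScript:" is classified the way a browser would classify it.
    return SAFE_SCHEMES.has(new URL(value, BASE).protocol);
  } catch {
    return false; // unparseable URL: drop the attribute
  }
}

// Returns the attributes that may be rendered, or null if the tag is refused.
function filterAttributes(tag, attrs) {
  const allowed = ALLOWED.get(String(tag).toLowerCase());
  if (!allowed) return null; // e.g. <script>, or anything not listed
  const kept = {};
  for (const [rawName, rawValue] of Object.entries(attrs)) {
    const name = rawName.toLowerCase();
    const value = String(rawValue);
    if (name.startsWith('on')) continue;   // onclick, onerror, ...
    if (!allowed.has(name)) continue;      // anything else not listed
    if (URL_ATTRS.has(name) && !isSafeUrl(value)) continue;
    kept[name] = value;
  }
  return kept;
}

// Constructed sample: the rules link from the thread, with an inline handler.
console.log(filterAttributes('a', {
  href: '#', id: 'forumRulesLink', onclick: 'doSomething()',
})); // handler removed, href and id kept
```

The behaviour is then attached from the skin by element id, as in the staff reply, so no script ever has to pass through the editor.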
