Jump to content

Suggestion: Allow full HTML


.Ian

Recommended Posts

If HTML is enabled by the site admin for a particular group, then full html without limitations should be allowed.

IMHO it is wrong that IPB can determine what is allowable and what is not.

If IPB wishes to control what is used, then perhaps a 'safe' HTML as well as an open html option.

For me and my users the inability to run scripts is having a major impact - sadly we did not test the ability to run scripts in IPB before switching, if I had then I might not have done as it is a major limitation (we use a third party site that supplies us with automated data in the form of scripts).

Thanks.

Link to comment
Share on other sites

The problem with this is that allowing anything is a big security risk. Those scripts want to allow might be benign, but others are not. If we added the ability for this, then those who don't fully understand the risks can get their board (or worse) wrecked, and then it's up to us to clean up the mess.

Link to comment
Share on other sites

Sounds like censorship :(

Surely it is a decision of admins to decide what is posted to their forums, not a decision for IPS to decide.

What right does IPS have to control data?

(not aimed at you personally Michael, but at IPS)

Link to comment
Share on other sites

  • Management

This is a delicate issue. It's not about "controlling data". You have the source file on your server and the ability to change it.

We feel that sand boxing some HTML is the best way to ensure security and integrity of the webpage. You are welcome to modify the code to allow this or suggest that someone develops a modification. It wouldn't be too complex.

Ultimately, we have to make a design decision for the 'out of the box' install that serves the best interests of the 'average' user.

Link to comment
Share on other sites

But if you do not allow me or my users with my full authority to post scripts, then you are controlling data.

Had you have mentioned beforehand that you restricted HTML from being posted in 'HTML' format, then I might not have switched as effectively it restricted us from posting tables, results, fixtures etc., which for a football site is fairly critical.

However I also accept that we should have tried this within the trial version. But the CP says 'HTML' and not 'restricted HTML' which is more accurate, so I have no reason to suspect you restricted HTML.

The daft thing is that I could obviously post this in a header or footer, so why not in the forums?

I have even asked for details on where you strip out the script, but had zero co-operation as to a viable solution - hence my request to allow full HTML. (Michael did post a work around for one script, but that is of no use for multiple scripts).

And yes, I do feel strongly about something that affects both myself and my users.

Link to comment
Share on other sites


Had you have mentioned beforehand that you restricted HTML from being posted in 'HTML' format, then I might not have switched as effectively it restricted us from posting tables, results, fixtures etc., which for a football site is fairly critical.


You can post tables when making an HTML post. I do it on my own site. What we try and clean is stuff like javascript code which can be used maliciously. Pure HTML, without stuff like dynamic code, is not restricted.
Link to comment
Share on other sites

  • Management

As Matt pointed out we are not forcing you we are are just finding a common denominator that works for 99% of our customers. If you personally have a need to run scripts then, as Matt said, you can disable the code in IPB that checks for this. As for things like table widths and stuff it's just inheriting the style from a skin and you can over-ride that as Michael pointed out.

We simply cannot have a setting for every possible scenario that every possible customer might want to use the software for. Your situation is unique and requires a unique resolution.

Link to comment
Share on other sites

Ian,

It sounds to me like your problems are more related to the CSS styles imposed on your code than the HTML actually being restricted. There is no restriction on what HTML you can use, except that any dynamic elements [that is, Javascript] are removed or invalidated for your own protection. There is absolutely nothing in IPB that says you shouldn't be able to make a normal-sized table--it's just a consequence of how the skin works, and the same thing could happen anywhere, on absolutely any forum system.

That said: You can easily override the CSS styles, use workarounds like Michael's, or even tweak the skin so that such problems don't happen in the first place.

Link to comment
Share on other sites

I've responded to your post there.. That being said, IPB is not controlling your data, you can put what ever you please on it.. They're just limiting their rendering capabilities to specific ways.. They offer a secure patched source code, a huge percentage of people who use IP Board are not "web gurus" and mainly just run sites for their own little hobbiest homes online so the product has to be generalized. You're essentially asking IP Board to make you secure, but allow you to let your users do what ever they want and post anything they want including malicious scripts while being able to run to them when you get hacked ;)

There are also Mods that allow you to insert Ad's etc into various area's of your site that will support full HTML

You can also insert iframe tags with div etc into the wrapper or variour other template bits..

Link to comment
Share on other sites

er no...

All I am asking is for those who can use HTML (i.e. me ) to be allowed to post scripts. I am not asking for my members to be able to post scripts - they cannot post in html for the same reason. Scripts would only be postable by those who can use HTML and we are only talking about a script from one site - but sadly the variables change too many times.

To echo one of my staff members 'Why on earth did you switch to IPB if they restrict your posting? Wouldn't it have been better using VB or staying with UBB?' To them all they see is the inability to see data updated by a third party. With comments like that, and the restrictions on who can post in html I need to find a solution.

But thank you anyway for your response. :)

Link to comment
Share on other sites

Instead of doing this with HTML posts, which frankly, regardless of opinion, is not a good idea... Could this not be done with a custom BBCode? You could set one up like so:

[script]http://www.somesite.com/js/filetoinclude.js[/script] and set it to only be allowed by the Admin user group.

Gets round the problem without adding a massive security hole...

Link to comment
Share on other sites

Thanks Dan - however I have so many variations it is not really an option.

As mentioned I will take the full risk - but sadly any changes made to the scripts is not having an effect on posts, so either I am doing something wrong (so they do not take effect) or my changes are simply wrong.

I guess my tone has come across as argumentative - so if that was the case my apologies.

I am just trying to get back what we used to have with our previous software.

Link to comment
Share on other sites


Thanks Dan - however I have so many variations it is not really an option.



As mentioned I will take the full risk - but sadly any changes made to the scripts is not having an effect on posts, so either I am doing something wrong (so they do not take effect) or my changes are simply wrong.



I guess my tone has come across as argumentative - so if that was the case my apologies.



I am just trying to get back what we used to have with our previous software.




I don't understand what you can't achieve with a BBCode that you want? Give us some examples and I'll give you a solution. :)
Link to comment
Share on other sites

Thank you.


<script type="text/javascript" src="http://www.footballwebpages.co.uk/attendances.js?id=295&amp;comp=1&amp;links=0"></script>

<script type="text/javascript" src="http://www.footballwebpages.co.uk/attendances.js?id=295&amp;team=147&amp;type=2&amp;links=0"></script>

<script type="text/javascript" src="http://www.footballwebpages.co.uk/formGuide.js?id=295&amp;team=230&amp;links=0"></script>

<script type="text/javascript" src="http://www.footballwebpages.co.uk/formGuide.js?id=295&amp;comp=8&amp;links=0"></script>

<script type="text/javascript" src="http://www.footballwebpages.co.uk/progress.js?id=295&amp;team=1&amp;links=0"></script>

<script type="text/javascript" src="http://www.footballwebpages.co.uk/league.js?id=295&amp;comp=1&amp;links=0"></script>

<script type="text/javascript" src="http://www.footballwebpages.co.uk/league.js?id=295&amp;team=147&amp;links=0"></script>

<script type="text/javascript" src="http://www.footballwebpages.co.uk/matches.js?id=295&amp;team=147&amp;fixtures=6&amp;results=6&amp;links=0"></script>

<script type="text/javascript" src="http://www.footballwebpages.co.uk/matches.js?id=295&amp;team=147&amp;links=0"></script>

<script type="text/javascript" src="http://www.footballwebpages.co.uk/matches.js?id=295&amp;comp=11&amp;links=0"></script>

<script type="text/javascript" src="http://www.footballwebpages.co.uk/matches.js?id=295&amp;comp=11&amp;fixtures=6&amp;results=1&amp;links=0"></script>




etc... The team / comp numbers can vary as can other variables.

Thank you :)

Link to comment
Share on other sites

So what's to stop you just having a generic script bbcode? Like so:


[script]http://www.footballw...p=1&amp;links=0[/script]
[script]http://www.footballw...e=2&amp;links=0[/script]
[script]http://www.footballw...230&amp;links=0[/script]
[script]http://www.footballw...p=8&amp;links=0[/script]
[script]http://www.footballw...m=1&amp;links=0[/script]
[script]http://www.footballw...p=1&amp;links=0[/script]
[script]http://www.footballw...147&amp;links=0[/script]
[script]http://www.footballw...s=6&amp;links=0[/script]
[script]http://www.footballw...147&amp;links=0[/script]
[script]http://www.footballw...=11&amp;links=0[/script]
[script]http://www.footballw...s=1&amp;links=0[/script]

You'd achieve exactly the same end result, but only allow that one way to use scripts on the page, meaning the overall XSS protection is not removed.

I've attached an example BBCode export that implements the above. You should restrict it to only administrators and only allow it's use in certain forums, if you desire.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...