Suggestion: Allow full HTML

.Ian · January 29, 2010

If HTML is enabled by the site admin for a particular group, then full html without limitations should be allowed.

IMHO it is wrong that IPB can determine what is allowable and what is not.

If IPB wishes to control what is used, then perhaps a 'safe' HTML as well as an open html option.

For me and my users the inability to run scripts is having a major impact - sadly we did not test the ability to run scripts in IPB before switching, if I had then I might not have done as it is a major limitation (we use a third party site that supplies us with automated data in the form of scripts).

Thanks.

Michael · January 29, 2010

The problem with this is that allowing anything is a big security risk. Those scripts want to allow might be benign, but others are not. If we added the ability for this, then those who don't fully understand the risks can get their board (or worse) wrecked, and then it's up to us to clean up the mess.

.Ian · January 29, 2010

Sounds like censorship :(

Surely it is a decision of admins to decide what is posted to their forums, not a decision for IPS to decide.

What right does IPS have to control data?

(not aimed at you personally Michael, but at IPS)

Matt · January 29, 2010

This is a delicate issue. It's not about "controlling data". You have the source file on your server and the ability to change it.

We feel that sand boxing some HTML is the best way to ensure security and integrity of the webpage. You are welcome to modify the code to allow this or suggest that someone develops a modification. It wouldn't be too complex.

Ultimately, we have to make a design decision for the 'out of the box' install that serves the best interests of the 'average' user.

.Ian · January 29, 2010

But if you do not allow me or my users with my full authority to post scripts, then you are controlling data.

Had you have mentioned beforehand that you restricted HTML from being posted in 'HTML' format, then I might not have switched as effectively it restricted us from posting tables, results, fixtures etc., which for a football site is fairly critical.

However I also accept that we should have tried this within the trial version. But the CP says 'HTML' and not 'restricted HTML' which is more accurate, so I have no reason to suspect you restricted HTML.

The daft thing is that I could obviously post this in a header or footer, so why not in the forums?

I have even asked for details on where you strip out the script, but had zero co-operation as to a viable solution - hence my request to allow full HTML. (Michael did post a work around for one script, but that is of no use for multiple scripts).

And yes, I do feel strongly about something that affects both myself and my users.

Michael · January 29, 2010

Had you have mentioned beforehand that you restricted HTML from being posted in 'HTML' format, then I might not have switched as effectively it restricted us from posting tables, results, fixtures etc., which for a football site is fairly critical.

You can post tables when making an HTML post. I do it on my own site. What we try and clean is stuff like javascript code which can be used maliciously. Pure HTML, without stuff like dynamic code, is not restricted.

.Ian · January 29, 2010

Sadly tables always show at 100%, if you try and limit the width then this get's ignored.

So it is not just scripts that IPS are banning.

Michael · January 29, 2010

Just wrap it in a <div> that defines the width:

http://forums.codersrefuge.com/topic/948-im-tutorials-101/page__view__findpost__p__3421

That Purchase box is a table wrapped in a 480px <div>.

Charles · January 29, 2010

As Matt pointed out we are not forcing you we are are just finding a common denominator that works for 99% of our customers. If you personally have a need to run scripts then, as Matt said, you can disable the code in IPB that checks for this. As for things like table widths and stuff it's just inheriting the style from a skin and you can over-ride that as Michael pointed out.

We simply cannot have a setting for every possible scenario that every possible customer might want to use the software for. Your situation is unique and requires a unique resolution.

Mark · January 29, 2010

Ian,

admin/sources/classes/bbcode/core.php

Find:

public function checkXss( $txt='', $fixScript=false ) {

Add below:

return $txt;

And don't send a support ticket when you get hacked ;)

.Ian · January 29, 2010

Thanks - sadly it didn't make any difference.

Ryan H. · January 29, 2010

Ian,

It sounds to me like your problems are more related to the CSS styles imposed on your code than the HTML actually being restricted. There is no restriction on what HTML you can use, except that any dynamic elements [that is, Javascript] are removed or invalidated for your own protection. There is absolutely nothing in IPB that says you shouldn't be able to make a normal-sized table--it's just a consequence of how the skin works, and the same thing could happen anywhere, on absolutely any forum system.

That said: You can easily override the CSS styles, use workarounds like Michael's, or even tweak the skin so that such problems don't happen in the first place.

.Ian · January 29, 2010

Thanks - I meant the script rather than the table (which I am sure will work fine)

I guess having used scripts on forums for years it is frustrating to suddenly be told you cannot use them.

.Ian · February 1, 2010

I have made a post at http://community.invisionpower.com/topic/303706-how-can-i-allow-scripts/ to try and find out how to do this, as the solution above did not work.

Many thanks for the responses anyway.

Robulosity2 · February 1, 2010

I've responded to your post there.. That being said, IPB is not controlling your data, you can put what ever you please on it.. They're just limiting their rendering capabilities to specific ways.. They offer a secure patched source code, a huge percentage of people who use IP Board are not "web gurus" and mainly just run sites for their own little hobbiest homes online so the product has to be generalized. You're essentially asking IP Board to make you secure, but allow you to let your users do what ever they want and post anything they want including malicious scripts while being able to run to them when you get hacked ;)

There are also Mods that allow you to insert Ad's etc into various area's of your site that will support full HTML

You can also insert iframe tags with div etc into the wrapper or variour other template bits..

.Ian · February 1, 2010

er no...

All I am asking is for those who can use HTML (i.e. me ) to be allowed to post scripts. I am not asking for my members to be able to post scripts - they cannot post in html for the same reason. Scripts would only be postable by those who can use HTML and we are only talking about a script from one site - but sadly the variables change too many times.

To echo one of my staff members 'Why on earth did you switch to IPB if they restrict your posting? Wouldn't it have been better using VB or staying with UBB?' To them all they see is the inability to see data updated by a third party. With comments like that, and the restrictions on who can post in html I need to find a solution.

But thank you anyway for your response. :)

February 2, 2010

Instead of doing this with HTML posts, which frankly, regardless of opinion, is not a good idea... Could this not be done with a custom BBCode? You could set one up like so:

[script]http://www.somesite.com/js/filetoinclude.js[/script] and set it to only be allowed by the Admin user group.

Gets round the problem without adding a massive security hole...

.Ian · February 2, 2010

Thanks Dan - however I have so many variations it is not really an option.

As mentioned I will take the full risk - but sadly any changes made to the scripts is not having an effect on posts, so either I am doing something wrong (so they do not take effect) or my changes are simply wrong.

I guess my tone has come across as argumentative - so if that was the case my apologies.

I am just trying to get back what we used to have with our previous software.

teraßyte · February 2, 2010

Using a custom plugin file attached to the tag [script] or something else you can accomplish that.

February 2, 2010

Thanks Dan - however I have so many variations it is not really an option.

As mentioned I will take the full risk - but sadly any changes made to the scripts is not having an effect on posts, so either I am doing something wrong (so they do not take effect) or my changes are simply wrong.

I guess my tone has come across as argumentative - so if that was the case my apologies.

I am just trying to get back what we used to have with our previous software.

I don't understand what you can't achieve with a BBCode that you want? Give us some examples and I'll give you a solution. :)

.Ian · February 2, 2010

Thank you.


<script type="text/javascript" src="http://www.footballwebpages.co.uk/attendances.js?id=295&amp;comp=1&amp;links=0"></script>

<script type="text/javascript" src="http://www.footballwebpages.co.uk/attendances.js?id=295&amp;team=147&amp;type=2&amp;links=0"></script>

<script type="text/javascript" src="http://www.footballwebpages.co.uk/formGuide.js?id=295&amp;team=230&amp;links=0"></script>

<script type="text/javascript" src="http://www.footballwebpages.co.uk/formGuide.js?id=295&amp;comp=8&amp;links=0"></script>

<script type="text/javascript" src="http://www.footballwebpages.co.uk/progress.js?id=295&amp;team=1&amp;links=0"></script>

<script type="text/javascript" src="http://www.footballwebpages.co.uk/league.js?id=295&amp;comp=1&amp;links=0"></script>

<script type="text/javascript" src="http://www.footballwebpages.co.uk/league.js?id=295&amp;team=147&amp;links=0"></script>

<script type="text/javascript" src="http://www.footballwebpages.co.uk/matches.js?id=295&amp;team=147&amp;fixtures=6&amp;results=6&amp;links=0"></script>

<script type="text/javascript" src="http://www.footballwebpages.co.uk/matches.js?id=295&amp;team=147&amp;links=0"></script>

<script type="text/javascript" src="http://www.footballwebpages.co.uk/matches.js?id=295&amp;comp=11&amp;links=0"></script>

<script type="text/javascript" src="http://www.footballwebpages.co.uk/matches.js?id=295&amp;comp=11&amp;fixtures=6&amp;results=1&amp;links=0"></script>

etc... The team / comp numbers can vary as can other variables.

Thank you :)

February 2, 2010

So what's to stop you just having a generic script bbcode? Like so:

[script]http://www.footballw...p=1&links=0[/script]
[script]http://www.footballw...e=2&links=0[/script]
[script]http://www.footballw...230&links=0[/script]
[script]http://www.footballw...p=8&links=0[/script]
[script]http://www.footballw...m=1&links=0[/script]
[script]http://www.footballw...p=1&links=0[/script]
[script]http://www.footballw...147&links=0[/script]
[script]http://www.footballw...s=6&links=0[/script]
[script]http://www.footballw...147&links=0[/script]
[script]http://www.footballw...=11&links=0[/script]
[script]http://www.footballw...s=1&links=0[/script]

You'd achieve exactly the same end result, but only allow that one way to use scripts on the page, meaning the overall XSS protection is not removed.

I've attached an example BBCode export that implements the above. You should restrict it to only administrators and only allow it's use in certain forums, if you desire.

.Ian · February 2, 2010

Thank you :)

It displays the script fine on preview - but when posted, I simply see the [script]whatever[/script]

February 2, 2010

Curses. I guess the XSS filtering must come after the BBCode processing. I shall have a looksie.

.Ian · February 2, 2010

no worries - will await your thoughts :)

Thanks for your help :)

Invision Community 5: Beta testing and latest updates

Invision Community 4: A more professional report center

Invision Community 5: A video walkthrough creating a custom theme and homepage

Invision Community 5: Page Builder

Suggestion: Allow full HTML

Recommended Posts

.Ian

Michael

.Ian

Matt

.Ian

Michael

.Ian

Michael

Charles

Mark

.Ian

Ryan H.

.Ian

.Ian

Robulosity2

.Ian

Guest

.Ian

teraßyte

Guest

.Ian

Guest

.Ian

Guest

.Ian

Archived

Recently Browsing 0 members

More