(SD) Full Profile CSS Customization


Spanner


File Name: (SD) Full Profile CSS Customization

File Submitter: Spanner

File Submitted: 07 Jun 2013

File Category: Moderation Tools

Supported Versions: IP.Board 3.2.x, IP.Board 3.3.x, IP.Board 3.4.x



Author: Dawid Baruch (IPSBeyond.pl)

Description: Hook allows customization of CSS styles in profile view.



here to download this file


  • 8 months later...
  • 6 months later...
  • 2 months later...

If you add e.g. script,meta,a in the settings, I check in the mod for <script, <meta, <a in the content which the user entered. If I find a tag, I show an error.

The blacklist isn't case sensitive, so let's say you put Script instead of script, it will run the script, so your blacklist is actually broken or has an easy exploit or security issue. All someone has to do is add a capital letter to the codes and they work completely fine, making it a huge ass security risk, and I want my five bucks back if that's the case.

Perhaps you should have privately informed the mod author of possible security issues and then given them a chance to fix it (if it is indeed a real issue).


  • 1 month later...

Is there a better description / photo of what this hook does?

It allows your members to add any HTML code they like into their profiles, including java and other codes. I think the original idea was to make it so members can edit the CSS, but it has a basic code blacklist that doesn't even have all the harmful codes in it, which could be a major problem for your users. It is also cap sensitive, so even if you update the blacklist with all the codes to not allow someone to use, such as java, to harm someone's computer, they can simply put a capital letter and there you go, it works.

So overall it's not something I would invest my money into especially since I did and it's a major security risk to use on any live board.


Thanks. Within the first two lines of your description, my thoughts were about security.

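The letter-case problem raised in the posts above, as an added example that is not the hook's own code: it assumes the check is a substring search for `<` followed by each configured tag, as the first reply describes, and every function name and sample input here is constructed. It compares that check with a case-insensitive version and with a stricter rule for a CSS-only field that accepts no `<` at all.

```php
<?php
// Added example: constructed names and inputs, not the hook's source.

// The check as described in the thread: search for "<tag" exactly as
// the tag was typed in the settings (case-sensitive substring match).
function passes_case_sensitive(string $input, array $tags): bool
{
    foreach ($tags as $tag) {
        if (strpos($input, '<' . $tag) !== false) {
            return false;
        }
    }
    return true;
}

// Same blacklist, compared without regard to letter case.
function passes_case_insensitive(string $input, array $tags): bool
{
    foreach ($tags as $tag) {
        if (stripos($input, '<' . $tag) !== false) {
            return false;
        }
    }
    return true;
}

// Stricter rule for a field meant to hold only CSS: accept no "<" at
// all, so no tag can appear, whether or not it is on the list.
function passes_no_markup(string $input): bool
{
    return strpos($input, '<') === false;
}

$tags = ['script', 'meta', 'a'];             // settings value from the post
$samples = [                                 // constructed inputs
    'plain CSS'     => '.profile { color: #c00; }',
    'listed, lower' => '<script>/* placeholder */</script>',
    'listed, mixed' => '<Script>/* placeholder */</Script>',
    'not on list'   => '<div>placeholder</div>',
];
foreach ($samples as $label => $input) {
    printf(
        "%-14s sensitive=%-7s insensitive=%-7s no-markup=%s\n",
        $label,
        passes_case_sensitive($input, $tags) ? 'accept' : 'reject',
        passes_case_insensitive($input, $tags) ? 'accept' : 'reject',
        passes_no_markup($input) ? 'accept' : 'reject'
    );
}
```

Either blacklist still accepts a tag that is not on the list, which is the second complaint in the thread; the no-markup rule does not depend on the list.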

Archived

This topic is now archived and is closed to further replies.
