Invision Community 4: SEO, prepare for v5 and dormant account notifications Matt November 11, 2024Nov 11
Posted September 9, 20159 yr Hello,how can I prevent that users (or better a usergroup) can use all the CSS they want? On my site guests are allowed to post. In the good old BBCode era it was easy to disallow BBCode for guests but now they can use HTML and CSS to modify content (they can hide text and URLs if they set background and text color to the same as the page background color (just an example)).In the past I only had to moderate content but I also have to moderate style. This is really annoying.... or they can do this:
September 9, 20159 yr Guests should not be able to post HTML. You can disable this by going to ACP -> Members -> Groups -> edit guests -> Content -> disable Can post HTML?
September 9, 20159 yr It would basically need artificial intelligence to decide between wanted and unwanted styling. We could certain strip out all kinds of CSS statements, but those same statements can be needed in the next post and break the layout or confuse the user when they are stripped out.
September 9, 20159 yr Author Guests should not be able to post HTML. You can disable this by going to ACP -> Members -> Groups -> edit guests -> Content -> disable Can post HTML? They can. Of course not everything is possible but most of CSS and basic HTML is possible. Just let me referring here: http://ips41preview.invisionpower-staging.com/topic/275-testing-hidden-mentions/ This is possible because we now use a HTML editor (CKEditor) and not a simple textarea and post parsed BBCodes.
September 9, 20159 yr Author In the first post I just typed a single space and set the font size with CSS to 72000px. Even if you (as admin) force pasting as plain text and remove most of the editor buttons, I can still (re)use HTML and CSS in browser console before submitting the post. It would basically need artificial intelligence to decide between wanted and unwanted styling. We could certain strip out all kinds of CSS statements, but those same statements can be needed in the next post and break the layout or confuse the user when they are stripped out. On my site guests are not allowed to style their content. They are not allowed to post images. And they are not allowed to post links.But with IPS I have to control over it. They can do what they want.
September 9, 20159 yr Maybe the post filter needs some special rules for things like font size, to not allow things like above
September 9, 20159 yr In the first post I just typed a single space and set the font size with CSS to 72000px. Even if you (as admin) force pasting as plain text and remove most of the editor buttons, I can still (re)use HTML and CSS in browser console before submitting the post.Yes, we get this. You have posted about this many times already. ;-)But if people really want to break posts like this, they could do that in the past as well. The example you showed here could always be achieved by simply posting empty lines. So yes, its more a matter of moderation than of filtering.
September 9, 20159 yr Why bothering controlling and preventing stuff by annoying people, just warn/ban them. Make a warn reason "Wasting your and my time doing annoying stuff in your content".
September 9, 20159 yr Author But if people really want to break posts like this, they could do that in the past as well.No. As I said I disabled the usage of BBCode, images and links for guests.By the way: It also should not possible to modify system style (of quotes, mentions, code block layout, ...). But as you can see, I modified the quote block above. As admin I have no global control of site style. Why bothering controlling and preventing stuff by annoying people, just warn/ban them. Make a warn reason "Wasting your and my time doing annoying stuff in your content".How can I warn or ban a guest?
September 9, 20159 yr No. Yes. You made a visually long empty post as an example. That could always be done. Just as posting 10000 words of nonsense text or porn images. Just because it can be done, doesn’t mean that the system needs to prevent it technically.
September 9, 20159 yr Author With my example I just wanted to demonstrate how to break the mobile layout. Sorry for confusing.
September 10, 20159 yr Author By the way: At the moment I create a browser addon for Chrome and Firefox so everyone can type HTML and CSS easily on all IPS 4.x sites with CKeditor. Detection of a IPS site and implant the HTML button to editor works fine at the moment on DIV embedded CKEditor (since IPS 4.1).
September 10, 20159 yr Management Remember that the PHP text parser will clean a lot of the HTML up. We use HTMLPurifier to remove unwanted styles, javascript, etc.
Archived
This topic is now archived and is closed to further replies.