Re: [RELEASE] bbcode_html (Allow html in post, reply, pm)

Yes, but not enough to hide the button. It is not a problem...

It is also necessary to check a message for the presence of the tags [html] and [/html] in the file post.php.

Re: [RELEASE] bbcode_html (Allow html in post, reply, pm)

OK, maybe the script in the latest version is secure enough, I don't know; what do you think?
About security, I've seen this part in the script code:

//Removing possible attacks
// Note: this is a single if/elseif chain, so only the first matching branch runs.
if (strpos($text, '<script>') !== false && strpos($text, '</script>') !== false)
{
    $text = str_replace(array('<script>', '</script>'), ' ', $text);
}
elseif (strpos($text, '<body>') !== false && strpos($text, '</body>') !== false)
{
    $text = str_replace(array('<body>', '</body>'), ' ', $text);
}
elseif (strpos($text, '<html>') !== false && strpos($text, '</html>') !== false)
{
    $text = str_replace(array('<html>', '</html>'), ' ', $text);
}
elseif (strpos($text, '<head>') !== false && strpos($text, '</head>') !== false)
{
    $text = str_replace(array('<head>', '</head>'), ' ', $text);
}
elseif (strpos($text, '<script>') !== false)
{
    $text = str_replace('<script>', ' ', $text);
}
elseif (strpos($text, '</script>') !== false)
{
    $text = str_replace('</script>', ' ', $text);
}
elseif (strpos($text, 'text/javascript') !== false)
{
    $text = str_replace('text/javascript', ' ', $text);
}
elseif (strpos($text, '</head>') !== false)
{
    $text = str_replace('</head>', ' ', $text);
}
elseif (strpos($text, '</body>') !== false)
{
    $text = str_replace('</body>', ' ', $text);
}
elseif (strpos($text, '<head>') !== false)
{
    $text = str_replace('<head>', ' ', $text);
}
elseif (strpos($text, '<body>') !== false)
{
    $text = str_replace('<body>', ' ', $text);
}
elseif (strpos($text, '<html>') !== false)
{
    $text = str_replace('<html>', ' ', $text);
}
elseif (strpos($text, '</html>') !== false)
{
    $text = str_replace('</html>', ' ', $text);
}

Is it safe enough like that?

28 (edited by zetrader 2016-04-23 19:54)

Re: [RELEASE] bbcode_html (Allow html in post, reply, pm)

I've seen it is possible to put Flash games into posts (a .swf works inside the post) with that extension; maybe it's not risky.
But I caused a bug in the forum while trying out the possibility of JavaScript code, and this sounds risky...
Just with this script inside a post (which is not a risky script, just an effect on letters, but it closed the topic, nobody could answer, and it also removed the possibility of editing or deleting the post, so what about a risky JavaScript?):

<h2>
<script language="JavaScript1.2">

/*
Neon Lights Text
*/

var message = "Welcome to JavaScript Kit!"
var neonbasecolor = "gray"
var neontextcolor = "yellow"
var flashspeed = 100  // in milliseconds

///No need to edit below this line/////

var n = 0
var m
var flashing  // interval handle, cleared after each full pass over the message
if (document.all || document.getElementById) {
  for (m = 0; m < message.length; m++)
    document.write('<span id="neonlight' + m + '">' + message.charAt(m) + '</span>')
}
else
  document.write(message)

function crossref(number) {
  // look up the span for one letter, on old IE (document.all) or standard DOM
  return document.all ? document.all["neonlight" + number] : document.getElementById("neonlight" + number)
}

function neon() {

  // Change all letters to base color
  if (n == 0) {
    for (m = 0; m < message.length; m++)
      crossref(m).style.color = neonbasecolor
  }

  // cycle through and change individual letters to neon color
  crossref(n).style.color = neontextcolor

  if (n < message.length - 1)
    n++
  else {
    n = 0
    clearInterval(flashing)
    setTimeout(beginneon, 1500)
    return
  }
}

function beginneon() {
  if (document.all || document.getElementById)
    flashing = setInterval(neon, flashspeed)
}
beginneon()

</script>
</h2>

If JavaScript code can cause malfunctions of the forum, I guess it would be better not to allow JavaScript in the HTML code.
EDIT: if I put "<script>" at the beginning, it doesn't try to run the script; I guess the script could run because of the "<script language="JavaScript1.2">" at the beginning of the script, a case that wasn't expected in the extension and that let the script try to run and cause malfunctions.

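To show why the string checks in the previous post are not enough, here is an added example (my own Python test harness, not the extension's code): a line-for-line port of the PHP if/elseif chain, four constructed payloads that pass through it, including the `<script language="JavaScript1.2">` case from this post, and an allowlist-based sanitizer built on Python's html.parser that could replace the denylist. The allowed tag and attribute sets, and the `still_active` check, are assumptions made for the demonstration, not anything from the extension.

```python
import html
import re
from html.parser import HTMLParser

# Python port of the extension's "Removing possible attacks" chain, for testing only
# (the real code is the PHP posted above). Each tuple is one if/elseif branch: every
# string in it must be present for the branch to fire, and the branch removes exactly
# those strings. Like the PHP elseif chain, only the FIRST matching branch runs.
FILTER_BRANCHES = [
    ('<script>', '</script>'), ('<body>', '</body>'),
    ('<html>', '</html>'), ('<head>', '</head>'),
    ('<script>',), ('</script>',), ('text/javascript',),
    ('</head>',), ('</body>',), ('<head>',), ('<body>',),
    ('<html>',), ('</html>',),
]

def bbcode_html_filter(text: str) -> str:
    for needles in FILTER_BRANCHES:
        if all(n in text for n in needles):      # strpos() !== false, case-sensitive
            for n in needles:
                text = text.replace(n, ' ')      # str_replace(..., ' ', $text)
            return text                          # elseif: stop after the first hit
    return text

# Constructed payloads; each still contains script-capable markup after filtering.
BYPASSES = {
    # post 28's case: the attribute defeats the exact match on '<script>', so only
    # '</script>' is removed and the browser parses the rest of the page as script
    'attribute': '<script language="JavaScript1.2">alert(1)</script>',
    'uppercase': '<SCRIPT>alert(1)</SCRIPT>',          # strpos is case-sensitive
    'event handler': '<img src=x onerror=alert(1)>',   # no <script> tag needed at all
    # the <body> pair branch fires and the chain stops, leaving '<script>' untouched
    'elseif chain': '<body>hi</body><script>alert(1)',
}

def still_active(markup: str) -> bool:
    """Crude demo check (assumption): does script-capable markup survive?"""
    low = markup.lower()
    return '<script' in low or 'onerror=' in low

# --- Hardened replacement: an allowlist parser instead of a denylist of strings ---
ALLOWED_TAGS = {'b', 'i', 'u', 'p', 'br', 'h2', 'span', 'a', 'img'}  # assumed forum policy
ALLOWED_ATTRS = {'a': {'href'}, 'img': {'src', 'alt'}, 'span': {'class'}}
VOID_TAGS = {'br', 'img'}

def safe_url(value: str) -> bool:
    v = re.sub(r'[\x00-\x20]', '', value).lower()   # defeats "java\tscript:" spacing tricks
    return v.startswith(('http://', 'https://')) or (v.startswith('/') and not v.startswith('//'))

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0     # skip > 0 while inside <script>/<style> content

    def handle_starttag(self, tag, attrs):           # tag names arrive lowercased
        if tag in ('script', 'style'):
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return                                   # unknown tag dropped, its text kept
        kept = ''
        for name, value in attrs:
            value = value or ''
            if name not in ALLOWED_ATTRS.get(tag, ()):   # drops on*, style, ...
                continue
            if name in ('href', 'src') and not safe_url(value):
                continue
            kept += f' {name}="{html.escape(value, quote=True)}"'
        self.out.append(f'<{tag}{kept}>')

    def handle_endtag(self, tag):
        if tag in ('script', 'style'):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f'</{tag}>')

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))   # re-escape text content

def sanitize(markup: str) -> str:
    p = AllowlistSanitizer()
    p.feed(markup)
    p.close()
    return ''.join(p.out)

if __name__ == '__main__':
    for name, payload in BYPASSES.items():
        print(f'{name:14} filter: {bbcode_html_filter(payload)!r}  sanitize: {sanitize(payload)!r}')
```

Running it prints, for each payload, what the ported filter leaves behind and what the allowlist parser leaves behind: the filter keeps an executable `<script` or `onerror=` in all four cases, the parser in none. The parser approach also never needs a closing tag to be present, so a post with an unclosed `<script>` cannot swallow the rest of the page.
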
29 (edited by PanBB.Ru 2017-04-25 20:25)

Re: [RELEASE] bbcode_html (Allow html in post, reply, pm)

I think it would be better to allow all tags, but only for the administrator.

See how it's done here

There, HTML and script have a separate field.