Topic: How come people can use HTML on my PunBB??

I've just realised that anybody can use HTML code on my forum!! Surely this isn't normal behaviour??

I haven't performed any mods that enable such a feature, but look:

http://www.staffordforum.com/viewtopic.php?id=124

As you can see, people are happily embedding YouTube videos, and elsewhere someone used the <sub> </sub> subscript tags.

I'm running PunBB 1.2.12 with the following mods:

style installer
private messaging
easy poll
easy custom smilies
calendar

Has anyone seen this before?

Re: How come people can use HTML on my PunBB??

Have you updated parser.php? If not, upload a fresh copy

Re: How come people can use HTML on my PunBB??

Smartys wrote:

Have you updated parser.php? If not, upload a fresh copy

Yeah, I can't remember for what reason, but I definitely modified it for one of the mods I performed. I think it was Easy Custom Smilies.

What specifically in parser.php might enable the use of HTML?

Thanks for the speedy response, by the way.

Re: How come people can use HTML on my PunBB??

Line 383 should prevent HTML:

$text = pun_htmlspecialchars($text);

5 (edited by dirtybobby 2006-10-19 23:27)

Re: How come people can use HTML on my PunBB??

Jansson wrote:

Line 383 should prevent HTML:

$text = pun_htmlspecialchars($text);

Well, that's definitely still in there. Copied and pasted directly from my parser.php:

function parse_message($text, $hide_smilies)
{
    global $pun_config, $lang_common, $pun_user;

    if ($pun_config['o_censoring'] == '1')
        $text = censor_words($text);

    // Convert applicable characters to HTML entities
    $text = pun_htmlspecialchars($text);

And I've just checked: the only modification I have made to parser.php is from elbekko's Easy Custom Smilies.

God, I hope I can get this sorted.

Re: How come people can use HTML on my PunBB??

Would it be anything to do with the (albeit minor) alterations I've made to main.tpl? Like, for instance, it may not be strict XHTML anymore, even though the doctype says it is?

I know I'm clutching at straws here, but I just can't think what it might be.

Re: How come people can use HTML on my PunBB??

Removing the call to pun_htmlspecialchars is the only thing that would do it, unless you removed the call to parse_message in viewtopic.php

Re: How come people can use HTML on my PunBB??

Smartys wrote:

Removing the call to pun_htmlspecialchars is the only thing that would do it, unless you removed the call to parse_message in viewtopic.php

Well, as posted above, the pun_htmlspecialchars call is still there; the code I posted above was a direct cut and paste from my parser.php file. I've just checked viewtopic.php and parse_message is only mentioned once:

    // Perform the main parsing of the message (BBCode, smilies, censor words etc)
    $cur_post['message'] = parse_message($cur_post['message'], $cur_post['hide_smilies']);

which looks correct. But as you can see from the link to my forum in the OP, my users can definitely use HTML at the moment.

Incidentally, it's a very new forum, only populated by my friends at present. None of them have any degree of technical knowledge, so I'm sure it's not a deliberate "hack" attempt or anything like that by any of them.

Any more suggestions?

Re: How come people can use HTML on my PunBB??

I assume this pun_htmlspecialchars function is designed to strip HTML tags out of posts? I looked it up in functions.php, just to see if it looked OK. Unfortunately, I don't understand PHP enough to tell what's going on.

Does this look OK?

//
// Equivalent to htmlspecialchars(), but allows &#[0-9]+ (for unicode)
//
function pun_htmlspecialchars($str)
{
    $str = preg_replace('/&(?!#[0-9]+;)/s', '&', $str);
    $str = str_replace(array('<', '>', '"'), array('<', '>', '"'), $str);

    return $str;
}

Re: How come people can use HTML on my PunBB??

It doesn't actually strip out the tags, it just replaces some characters with entities so that the tags aren't rendered by the browser.

And no, it does not look right, it should look like this:

function pun_htmlspecialchars($str)
{
    // Escape every '&' except one that already starts a numeric entity (&#NNN;)
    $str = preg_replace('/&(?!#[0-9]+;)/s', '&amp;', $str);
    // Replace the characters that would open a tag or break out of an attribute
    $str = str_replace(array('<', '>', '"'), array('&lt;', '&gt;', '&quot;'), $str);

    return $str;
}

For some reason, you have it changed so that it replaces double quotes and greater / less than signs with exactly the same thing.

P.S. If your members complain about not being able to post videos anymore, I have a YouTube video BBCode mod on Punres.

Looking for a certain modification for your forum? Please take a look here before posting.
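A self-check for the fix above, added here as an example (it is not code from the thread or from PunBB): it runs the corrected pun_htmlspecialchars() and the broken variant against constructed sample posts, so an admin can confirm that markup comes out as harmless entities while numeric entities such as &#8364; still pass through. The sample inputs, the broken_htmlspecialchars() name and the check_escaper() helper are mine.

```php
<?php
// Added example, not part of PunBB or the thread: self-check for pun_htmlspecialchars().
// Run from the command line: php check_escape.php
// Reference implementation, as posted by pogenwurst: escape &, <, > and "
// but leave numeric entities (&#NNN;) alone so unicode characters survive.
function pun_htmlspecialchars($str)
{
    $str = preg_replace('/&(?!#[0-9]+;)/s', '&amp;', $str);
    $str = str_replace(array('<', '>', '"'), array('&lt;', '&gt;', '&quot;'), $str);

    return $str;
}

// The broken variant from the thread: every character is replaced with itself,
// so markup goes straight to the browser and gets rendered.
function broken_htmlspecialchars($str)
{
    $str = preg_replace('/&(?!#[0-9]+;)/s', '&', $str);
    $str = str_replace(array('<', '>', '"'), array('<', '>', '"'), $str);

    return $str;
}

// Constructed sample posts paired with the output a correct escaper must produce.
$cases = array(
    'H<sub>2</sub>O'               => 'H&lt;sub&gt;2&lt;/sub&gt;O',
    '<a href="x">link</a>'         => '&lt;a href=&quot;x&quot;&gt;link&lt;/a&gt;',
    'Tom & Jerry'                  => 'Tom &amp; Jerry',
    'Euro: &#8364; and &amp;'      => 'Euro: &#8364; and &amp;amp;',
);
// Runs every case through $callback and reports PASS/FAIL; returns true only
// if all cases match, so the result can be checked without reading the output.
function check_escaper($callback, array $cases)
{
    $all_ok = true;
    foreach ($cases as $input => $expected)
    {
        $got = $callback($input);
        $ok = ($got === $expected);
        printf("%s  %-28s => %s\n", $ok ? 'PASS' : 'FAIL', $input, $got);
        $all_ok = $all_ok && $ok;
    }
    return $all_ok;
}

echo "Correct function:\n";
check_escaper('pun_htmlspecialchars', $cases);
echo "\nBroken function from the thread:\n";
check_escaper('broken_htmlspecialchars', $cases);
```

Note that a literal "&amp;" in a post is deliberately turned into "&amp;amp;": only numeric entities are allowed through, which is what the lookahead in the regex enforces.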

Re: How come people can use HTML on my PunBB??

Well, someone just made it onto my Christmas card list!

Thanks a lot pogenwurst, that did the trick! I knew it didn't look right. I may not know PHP, but even I could tell that

$str = str_replace(array('<', '>', '"'), array('<', '>', '"'), $str);

was basically replacing HTML tags with exactly the same things! I just wasn't sure how to fix it.

Weird thing is, I'm sure I didn't change this. Like I say, I don't know PHP, so I never just go messing around with code for the hell of it, and none of the mods I have applied have asked me to edit functions.php. Weird.

Anyway, thanks to all concerned.

Re: How come people can use HTML on my PunBB??

No problem.

Did you ever touch the code with MS Frontpage or another WYSIWYG editor of some sort? It might have "helped" you by doing some funky conversions.

Re: How come people can use HTML on my PunBB??

pogenwurst wrote:

No problem.

Did you ever touch the code with MS Frontpage or another WYSIWYG editor of some sort? It might have "helped" you by doing some funky conversions.

Nope. I hate WYSIWYG editors; I don't even have any installed on my machine, apart from MS Word, and it isn't associated with anything other than the usual .doc, .rtf, etc. I use UltraEdit for all my code/raw text editing.

I really can't think how that function would have got like that.

Re: How come people can use HTML on my PunBB??

Well, I guess the important thing is that it's not like that anymore.