(10-17-2015, 11:01 PM)MangaD Wrote: It might be possible to just disable the iframe and script tags. :)

MyBB already tries to disable script tags, but I know bamboori got through it once, with some broken code. But that is not enough, as there are more ways to execute scripts, like with an on*="my code here" attribute, so MyBB also has to detect all of that, which it does (unless it is also broken), but even that will not be enough, since HTML is an evolving standard, so what if a new tag/attribute gets added that MyBB has no knowledge of? It is really stupid that there is not a safe tag like:
HTML-Code:
<safe>
<script>alert('This will not appear');</script>
<iframe src="Icannotaffectanythingintheouterframe.html"></iframe>
<div style="position: fixed; left:0px; top:0px; right:0px; bottom:0px;">The position styles will be ignored.</div>
</safe>
With this tag, all the author of the website needs to worry about is that there are no closing safe tags, and that the user's browser supports the safe tag; if it does not, the website should probably just display a message that the user should "UPDATE THEIR FRIGGIN' BROWSER!" instead of the safe tag and its content.
You could also possibly have ways of white-listing things in safe tags, so for example you could white-list local script tags that are only able to work with things inside the safe tag.
(10-17-2015, 11:01 PM)MangaD Wrote: Please don't disable html. My sig would be less cute. :(

Your signature consists of an image and a flash object that plays a sound. If flash is secure enough (which would have to be researched) a flash bbcode could be added, else a sound bbcode could be added. Either way, I do not think the security of the forum should be compromised because anyone wants a cute signature.
The only way to actually allow HTML in signatures is to disable everything except for specifically white-listed tags and attributes which is significantly more work than adding bbcodes for tags that are deemed safe.
Alternatively, allow trusted members to use HTML in their signatures and stuff, which is also a lot of work, and introduces the problem that you do not know whom you can trust. When can you trust someone? Can you trust me? The only one who knows you can trust me is me.
tl;dr: Full or close to full HTML in signatures is and will always be unsafe. Kill it, add bbcodes as necessary.
Age ratings for movies and games (and similar) have never been a good idea.
One can learn a lot from reinventing wheels.
An unsound argument is not the same as an invalid one.
volatile in C++ does not mean thread-safe.
Do not make APIs unnecessarily asynchronous.
Make C++ operator > again
Trump is an idiot.
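The allow-list approach the post argues for (keep only white-listed tags and attributes, drop everything else, including on* attributes and tags the filter has never heard of, and ignore stray closing tags), as an added Python example that is not MyBB's code or anything posted in this thread. The tag list, the URL scheme check and the sample signature are constructed for illustration; the audit trail of dropped items is the part a forum admin would actually want to log.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allow-list (an assumption for this example): a signature may keep
# only these tags and attributes. Anything not listed is removed, so a tag or
# attribute that HTML adds next year is dropped by default instead of slipping through.
ALLOWED_TAGS = {"b", "i", "u", "a", "img", "br"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http://", "https://")
VOID_TAGS = {"br", "img"}
# Elements whose text content is discarded together with the element itself.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}


class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []         # sanitized output fragments
        self.open = []        # stack of allowed tags emitted but not yet closed
        self._skip = 0        # >0 while inside a DROP_CONTENT_TAGS element
        self.dropped = []     # audit trail of what was removed and why

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.dropped.append("tag:" + tag)
            self._skip += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            # Unknown or future tags are dropped; their text content still shows.
            if not self._skip:
                self.dropped.append("tag:" + tag)
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"attr:{tag}.{name}")  # catches every on*, style, ...
                continue
            value = value or ""
            if name in URL_ATTRS and not value.strip().lower().startswith(SAFE_SCHEMES):
                self.dropped.append(f"url:{tag}.{name}")    # javascript:, data:, relative
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self._skip:
                self._skip -= 1
            return
        if self._skip or tag not in self.open:
            return            # stray closing tag: ignored, it cannot close the container
        while self.open:      # close anything opened after it so output stays balanced
            top = self.open.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data))

    def result(self):
        while self.open:      # close tags the author left open, so nothing leaks outside
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(html):
    """Return (clean_html, dropped_items) for an untrusted signature."""
    parser = AllowListSanitizer()
    parser.feed(html)
    parser.close()
    return parser.result(), parser.dropped


# Constructed sample signature covering the cases discussed in the thread.
SAMPLE = (
    '<b onclick="x()">hi</b>'
    '<script>alert(1)</script>'
    '<iframe src="x.html"></iframe>'
    '<div style="position:fixed">text</div>'
    '<a href="javascript:void(0)">link</a>'
    '<a href="https://example.com">ok</a>'
    '<newtag>future</newtag>'
    '</i>unclosed <u>tail'
)

if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE)
    print(clean)
    print(dropped)
```

Note that the sanitizer never looks for "bad" tags beyond the content-dropping set: `<newtag>` is removed because it is not on the allow-list, which is the property a blacklist cannot offer.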