Login

Gespenst · (This post was last modified: 10-17-2015, 06:21 PM by Gespenst.)

Now how it looks when I click on change signature

[Image: VAwCaDJ.png]

I can't edit it. Please help me :'(

It's from adult cat finder.

I hope that I did not effed the whole forum...

I FIXED THE PROBLEM WITH ADD BLOCK. or didn't. THAT WAS TOTALY NOT ME WHO FIXED IT.
TY if you tried to help me.

Silverthorn · 10-17-2015, 06:19 PM

(10-17-2015, 06:14 PM)Sänger Wrote: I hope that I did not effed the whole forum...

You did. See, this is why I'm not particularly fond of people using iframes in their signatures. I had to remove your sig manually because it broke the entirety of the forum.

A-Man · 10-17-2015, 07:50 PM

So will HTML be disabled altogether? (I really thought it was, until now)

Som1Lse · (This post was last modified: 10-17-2015, 09:27 PM by Som1Lse.)

In all honesty HTML probably should be disabled altogether in signatures and anywhere else for that matter. If people want tables and fancy stuff then there should simply be bbcodes for them.
If an iframe can mess up the forum layout then I do not want to see a cross site scripting attack.

Gespenst · 10-17-2015, 09:30 PM

So, thanks to me, people starting to invent something new or go with alternatives, right? Also avoiding "cross site scripting attack."

MangaD · 10-17-2015, 11:01 PM

(10-17-2015, 09:23 PM)Someone else Wrote: In all honesty HTML probably should be disabled altogether in signatures and anywhere else for that matter. If people want tables and fancy stuff then there should simply be bbcodes for them.
If an iframe can mess up the forum layout then I do not want to see a cross site scripting attack.

Please don't disable html. My sig would be less cute.

It might be possible to just disable the iframe and script tags.

Som1Lse · (This post was last modified: 10-18-2015, 04:13 PM by Som1Lse.)

(10-17-2015, 11:01 PM)MangaD Wrote: It might be possible to just disable the iframe and script tags. :)

MyBB already tries to disable script tags, but I know bamboori got through it once, with some broken code. But that is not enough as there are more ways to execute scripts like with a on*="my code here" attribute so MyBB also has to detect all of that, which it does (unless it is also broken), but even that will not be enough since HTML is an evolving standard, so what if a new tag/attribute gets added that MyBB has no knowledge of? It is really stupid that there is not a safe tag like:

HTML-Code:

<safe>
    <script>alert('This will not appear');</script>
    <iframe src="Icannotaffectanythingintheouterframe.html"></iframe>
    <div style="position: fixed; left:0px; top:0px; right:0px; bottom:0px;">The position styles will be ignored.</div>
</safe>

With this tag all the author of the website needs to worry about is that there are no closing safe tags, and that the users browser supports the safe tag, which if it does not the website should probably just display a message that the user should "UPDATE THEIR FRIGGIN' BROWSER!" instead of the safe tag and its content.
You could also possibly have ways of white-list things in safe tags, so for example you could white-list local script tags that are only able to work with things inside the safe tag.

(10-17-2015, 11:01 PM)MangaD Wrote: Please don't disable html. My sig would be less cute. :(

Your signature consists of an image and a flash object that plays a sound. If flash is secure enough (which would have to be researched) a flash bbcode could be added, else a sound bbcode could be added. Either or I do not think the security of the forum should be compromised because anyone wants a cute signature.

The only way to actually allow HTML in signatures is to disable everything except for specifically white-listed tags and attributes which is significantly more work than adding bbcodes for tags that are deemed safe.

Alternatively allow trusted members to use HTML in their signatures and stuff, which is also a lot of work, and introduces the problem that you do not know in whom you can trust. When can you trust someone? Can you trust me? The only one that who knows you can trust me is me.

tl;dr: Full or close to full HTML in signatures is and will always be unsafe. Kill it, add bbcodes as necessary.

A-Man · (This post was last modified: 10-18-2015, 08:54 AM by A-Man.)

(10-18-2015, 08:01 AM)Someone else Wrote: Alternatively allow trusted members to use HTML in their signatures and stuff, which is also a lot of work, and introduces the problem that you do not know in whom you can trust. When can trust someone? Can you trust me? The only one that who knows you can trust me is me.

Eh, whether someone is "trustworthy" or not should not grant them special functional features in a forum.

Quote:tl;dr: Full or close to full HTML in signatures is and will always be unsafe. Kill it, add bbcodes as necessary.

Totally agree. One time I needed to use HTML was to add a table to my thread, and it wasn't available for security reasons. If that was the case with threads in which HTML could actually be useful, then it should be applied to its inferior in usefulness, signatures.

Silverthorn · 10-18-2015, 10:08 AM

tl;dr at the bottom of the post

See, the thing is that the filtering of malicious javascripts works quite well if the person writing them knows what they're doing. It gets difficult when they don't and try to add broken code to the site. Broken code breaks the parser which breaks the forums, roughly speaking.

(10-17-2015, 09:23 PM)Someone else Wrote: In all honesty HTML probably should be disabled altogether in signatures and anywhere else for that matter. If people want tables and fancy stuff then there should simply be bbcodes for them.
If an iframe can mess up the forum layout then I do not want to see a cross site scripting attack.

Thinking similar. Yes, html lets us have pretty signatures but it should be security over design. Considering the things that are possible with the current setup, it seems about time to limit that. In fact, from all online platforms I am registered at, LFE seems to have one of the most loose policies in that regard. Others go down to the other extreme where they just allow unformatted text.

Currently, I am evaluating in which way html is beneficial to the entirety of LFE. So far, the only reason I have seen would be for conveniently placing elements in the contests: 1 2 3, to give a few examples. Doing a very simple BBCode-table would probably be not too much effort; dealing with iframes is ugly on a whole new level. I actually don't have an alternative solution for latter apart from simply linking to the respective page.

(10-18-2015, 08:01 AM)Someone else Wrote:
(10-17-2015, 11:01 PM)MangaD Wrote: Please don't disable html. My sig would be less cute.
Your signature consists of an image and a flash object that plays a sound. If flash is secure enough (which would have to be researched) a flash bbcode could be added, else a sound bbcode could be added. Either or I do not think the security of the forum should be compromised because anyone wants a cute signature.

This. Personally, I think that flash has too many security holes to be feasible at all (sorry, @MangaD, your player is just a gray box for me because I disabled flash altogether

). As far as I know, flash runs in its own container so that it cannot actually break forum in its entirety; however, it can negatively affect individual users: from minor inconveniences such as an auto-playing sound all the way to full-fledged rageworthy things like browser-freezes/-crashes or any kind of exploit that the latest version of flash most certainly contains again.

...which kind of reinforces my opinion to disable html altogether.

(10-18-2015, 08:49 AM)Doctor A Wrote:
(10-18-2015, 08:01 AM)Someone else Wrote: Alternatively allow trusted members to use HTML in their signatures and stuff, which is also a lot of work, and introduces the problem that you do not know in whom you can trust. When can trust someone? Can you trust me? The only one that who knows you can trust me is me.
Eh, whether someone is "trustworthy" or not should not grant them special functional features in a forum.

Well, this is how the whole moderating-system works

Also, I am admin because MH trusted me that I wouldn't break things (hmmm). In this way, there exists such a thing as privs for trust. In this matter, though, we will have to make an exception and really refrain from having a two-class society.

tl;dr: tempted to disable html altogether. Possibly adding table-bbcode. I'd probably retain the ability to add html-thingummies for admins because I'm selfish just like that for somewhat official and/or important announcements and for demonstrating purposes. After all, admins should know what code breaks the forums and what doesn't. Be assured, though, I am not going to paste html everywhere I go, if that is alright with you guys.

A-Man · 10-18-2015, 10:24 AM

(10-18-2015, 10:08 AM)Blue Phoenix Wrote: Well, this is how the whole moderating-system works
Also, I am admin because MH trusted me that I wouldn't break things (hmmm). In this way, there exists such a thing as privs for trust. In this matter, though, we will have to make an exception and really refrain from having a two-class society.

Of course, but these privileges comes with other privileges which are necessary to do moderation. I don't see mods going around editing people's posts, without using that special box at least, in reply to them just because they can.

A "two-class society" better expresses what I wanted to say, thank you very much.

Login
Username:
Password:	Lost Password?
	Remember me