View Full Version : Severe bug.


sparkart
Sat 29th Sep '01, 8:30pm
Hi,

In signatures you guys really need to turn off the ability for people to do <script> </script>. On our board, someone put a nasty VBscript virus in their sig and potentially infected a few hundred users.

This is imperative. Please fix this as soon as possible so we can reactivate HTML in signatures.

thanks

Jake Bunce
Sat 29th Sep '01, 8:43pm
html code in signatures is all or nothing. you cannot disallow certain tags. it is always recommended that html code be turned off on your forums.

tubedogg
Sat 29th Sep '01, 9:40pm
As Jake said, it is highly recommended that you turn off HTML not only in signatures but in posts as well. As there are good uses for <script> tags when HTML is turned on, this was done by design rather than by error, and I don't believe we have any plans to change it at the current time.

DBurton
Sat 29th Sep '01, 11:44pm
Originally posted by sparkart
Hi,

In signatures you guys really need to turn off the ability for people to do <script> </script>. On our board, someone put a nasty VBscript virus in their sig and potentially infected a few hundred users.

This is imperative. Please fix this as soon as possible so we can reactivate HTML in signatures.

thanks

Hey, you're from linkinpark.com aren't you?? I love that site. I visit it every day.

sparkart
Sun 30th Sep '01, 1:58am
Why do you have it, if you don't recommend using it? See, kids on our board love to use signatures to express their individuality and what not.

We have over 40,000 members on our board, and HTML based sigs with pictures and all that is part of the deal.

If there is a way to disallow certain tags, it would be very helpful for our needs. How can we do it?

thanks

FWC
Sun 30th Sep '01, 2:00am
My users love signatures, too. But, they use vB code to get the effects I want them to be able to have. You don't need HTML. You can do it with vB and control what tags are allowed.

Steve Machol
Sun 30th Sep '01, 2:08am
Originally posted by sparkart
Why do you have it, if you don't recommend using it?
HTML could be useful in a private forum in which there is a small and accountable member base, a company Intranet for instance. Therefore it does have a useful purpose under certain conditions.

However allowing HTML in a public forum is just asking for trouble. :eek:

See, kids on our board love to use signatures to express their individuality and what not.

We have over 40,000 members on our board, and HTML based sigs with pictures and all that is part of the deal.
40,000 members, many of which are 'kids'! Why would you want to trust so many strangers with the ability to write HTML on your site?

If there is a way to disallow certain tags, it would be very helpful for our needs. How can we do it?
You would need to get someone to hack this in. However you would have to make sure that you have disallowed all potentially harmful HTML code. That's no small task.

sparkart
Sun 30th Sep '01, 2:27am
k thanks.

will have to teach them how to do img stuff using VB.

LinkinPark.com is for a band. Giving kids the ability to do all sorts of stuff in their sigs is part of what makes our board one of the best ones online (in their opinion). Very few band sites can boast 40k members!

FWC
Sun 30th Sep '01, 2:50am
Originally posted by sparkart
k thanks.

will have to teach them how to do img stuff using VB.

LinkinPark.com is for a band. Giving kids the ability to do all sorts of stuff in their sigs is part of what makes our board one of the best ones online (in their opinion). Very few band sites can boast 40k members!

I checked out your site. Very nice. It's mostly just using [ instead of <. If you add any custom codes just use the same words as the HTML and you're set. BTW, this is a great thread for getting custom vB codes:

http://www.vbulletin.com/forum/showthread.php?s=&threadid=24595

MattR
Sun 30th Sep '01, 12:25pm
try allowing HTML but adding certain tags to the 'banned' words list...

Or if you enjoy custom hacks, write a small hack (like I did) which allows all HTML other than a couple tags that we found are bad things (<script, <body, <embed, etc.).

rylin
Wed 3rd Oct '01, 12:02pm
strip_tags() is your friend ;)
http://www.php.net/manual/en/function.strip-tags.php

Talon3DHQ
Sun 19th May '02, 11:28pm
Just so I know my site is secure, I turned off HTML in the signatures, calendar, and all forums. Is there anywhere else I have to disable them? Is there a master switch somewhere that I am missing? Sorry, just want to make sure we are secure.

Talon.

bigmattyh
Mon 20th May '02, 3:52am
It wouldn't be too hard to add a feature that would strip all potentially disruptive tags, would it? I know the list of bad tags is long, but I believe you could add something like
$posttext= strip_tags($posttext, '<a><b><i><u><br><hr><img><center>');
or something like it. Call it "SafeHTML" and make it an option in the Admin CP.

IDN
Mon 20th May '02, 3:58am
if i were you, just make custom bb codes with popular commands...

Talon3DHQ
Mon 20th May '02, 10:51am
Originally posted by FWC

http://www.vbulletin.com/forum/showthread.php?s=&threadid=24595


Talon


EDIT- Answered my own really dumb question. Nevermind.

Talon

Babylon
Mon 20th May '02, 1:28pm
I think it would be great if you (jelsoft) added a SafeHTML option like the above mentioned to vbulletin.

I always try to allow HTML on my message boards (be it vb, ezboard or otherwise) mainly because I prefer it to message boards' own version of HTML (Vb Code, EZcodes etc).

tubedogg
Tue 21st May '02, 7:32am
The problem is "safe" html is not necessarily safe. Sure we could add an option that disables, e.g., all <script> tags. That would only stop possible malicious use of scripting. You still leave the ability to use table tags which could seriously screw up a layout, among other things.

Unless you implicitly trust your users and have no reason to believe that any new registrants would be untrustworthy, HTML should be out of the question.
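
Added example, not part of any post in this thread and not vBulletin code: strip_tags() with an allowed-tags list, as proposed above, keeps every attribute on the tags it allows, so event-handler attributes and script-bearing URL schemes pass through. The sanitiser below also allowlists attributes and URL schemes; SIG_ALLOWED and the sig_* function names are hypothetical, and the sample signature is constructed.

```php
<?php
// Added example; SIG_ALLOWED and the sig_* names are hypothetical, not vBulletin code.
// Tag => attributes that may stay. Anything not listed is removed.
const SIG_ALLOWED = [
    'a' => ['href'], 'img' => ['src', 'alt'],
    'b' => [], 'i' => [], 'u' => [], 'br' => [], 'hr' => [], 'center' => [],
];

// Accept only absolute http(s) URLs; other schemes and relative URLs are rejected.
function sig_url_ok(string $url): bool {
    return preg_match('#^https?://#i', trim($url)) === 1;
}

function sig_clean(DOMNode $node): void {
    // Copy the child list first because nodes are removed while walking.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMText) continue;          // text is escaped on output
        $tag = strtolower($child->nodeName);
        if (!$child instanceof DOMElement || !array_key_exists($tag, SIG_ALLOWED)) {
            $node->removeChild($child);                   // drops the node and its content
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->nodeName);
            $ok = in_array($name, SIG_ALLOWED[$tag], true)
                && (!in_array($name, ['href', 'src'], true) || sig_url_ok($attr->nodeValue));
            if (!$ok) $child->removeAttribute($attr->nodeName);
        }
        sig_clean($child);
    }
}

function sig_safe_html(string $html): string {
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);             // tolerate sloppy user markup
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $root = $doc->getElementsByTagName('div')->item(0);   // our wrapper comes first
    sig_clean($root);
    $out = '';
    foreach ($root->childNodes as $c) $out .= $doc->saveHTML($c);
    return $out;
}

// Constructed sample signature with inert placeholder script content.
$sig = '<b onmouseover="x()">hi</b><img src="javascript:x()" alt="pic">'
     . '<script>x()</script><a href="https://example.com/">home</a>';
echo strip_tags($sig, '<a><b><i><u><br><hr><img><center>'), "\n"; // tag allowlist only
echo sig_safe_html($sig), "\n";                                    // tags + attributes + URLs
```

The allowlist leaves out table and layout tags, so it also addresses the layout-breaking concern raised in the post above.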

JamesUS
Tue 21st May '02, 1:22pm
Saying which HTML tags are allowed is essentially somewhat pointless. You can already set custom bbcode tags and therefore you could just use bbcode for your few 'safe' tags. There's no need for HTML in most cases, particularly if you only want to allow a small subset of the available tags.

You could even add <b>, <i>, etc as replacement variables to simulate allowed HTML (though I haven't tested this so it may not work). It depends in which order things are processed in the showthread page.