How to enable HTML without being scared.


Gutspiller
Wed 2nd Jan '02, 2:16pm
This isn't a "How do I", but it wouldn't post in tips and hints. (If a mod would like to move it over to hints and tips, that would be great!)

To enable HTML without being scared of somebody "hacking" your forum, simply put these in the censor field in the admin control panel. This way if somebody tries to use these, it will replace them with **** and in return they won't work.

*crosses fingers that code tags show the code*



<iframe </iframe <link </link <basefont </basefont <base </base <td </td <tr </tr <th </th <tfoot </tfoot <tbody </tbody <thead </thead <table </table <body </body <meta </meta <div </div <style </style <script </script <html </html <plaintext </plaintext <xmp </xmp <object <noframes <noembed <noscript <nojava onload onMouseover

rylin
Thu 3rd Jan '02, 2:08pm
or simply use strip_tags() and make use of the second parameter, which is allowable tags ;)
(of course, you'll have to remove onClick, onMouseOver etc., which will work fine with the replacement variables)

Remi
Thu 17th Jan '02, 9:13am
okidoki

Can you explain more please

Do you mean that I need to put "strip_tags()"
only in the censor words instead of putting the whole line above?!

Thanks

Remi
Thu 31st Jan '02, 1:21pm
Can someone kindly explain what "okidoki" means and how to apply his method?

Enabling HTML is a real concern for me.


Thanks

Freddie Bingham
Thu 31st Jan '02, 1:24pm
Enabling HTML will always present a certain security risk to your forum.

Gutspiller
Thu 31st Jan '02, 1:48pm
Originally posted by freddie
Enabling HTML will always present a certain security risk to your forum.

Give and take, buddy, give and take. Allowing images is a certain security risk. :D

There are some HTML tags used for more bad than good. I can think of the mouseover and the in-window codes as some of the more abused codes. Yeah, gay porno links. :mad:

Steve Machol
Thu 31st Jan '02, 1:52pm
Originally posted by Gutspiller
Allowing images is a certain security risk. :D

How is allowing images a 'security risk'? :confused: It may open the door to abuse (links to porno shots) but I fail to see what the security risk is.

Chen
Thu 31st Jan '02, 1:54pm
Security risk as in something a lot worse than porno links.

Gutspiller
Thu 31st Jan '02, 2:29pm
Originally posted by FireFly
Security risk as in something a lot worst than porno links.

I take it nobody has ever posted a picture of a guy pulling his cheeks apart showing you the inside of his ass.

I pray you never have to see what I have seen stupid people do to my board. :(

Nafae
Thu 31st Jan '02, 10:03pm
Originally posted by Gutspiller


I take it nobody has ever posted a picture of a guy pulling his cheeks apart showing you the inside of his ass.

I pray you never have to see what I have seen stupid people do to my board. :(

I have never met anyone who hasn't been introduced to this now infamous picture ;)

ForzaGrifo
Tue 5th Mar '02, 9:21am
Originally posted by Remi
Can someone kindly explain what "okidoki" means and how to apply his method?

Enabling HTML is a real concern for me.


Thanks

I would like to know this as well.

Colosus
Thu 14th Mar '02, 3:35pm
Basically what okidoki is talking about is the PHP feature of the strip_tags() function. It would have to be a code hack, but it would work fine. You can find more information on strip_tags() at http://www.php.net/manual/en/function.strip-tags.php

JWB
Mon 8th Apr '02, 11:49pm
Originally posted by Gutspiller
This isn't a "How do I", but it wouldn't post in tips and hints. (If a mod would like to move it over to hints and tips, that would be great!)

To enable HTML without being scared of somebody "hacking" your forum, simply put these in the censor field in the admin control panel. This way if somebody tries to use these, it will replace them with **** and in return they won't work.

*crosses fingers that code tags show the code*



<iframe </iframe <link </link <basefont </basefont <base </base <td </td <tr </tr <th </th <tfoot </tfoot <tbody </tbody <thead </thead <table </table <body </body <meta </meta <div </div <style </style <script </script <html </html <plaintext </plaintext <xmp </xmp <object <noframes <noembed <noscript <nojava onload onMouseover



If what I was told about vb 2.2.4 was correct, I believe there is a very easy way to use these tags in another form... Basically anyone can still use any html they want even if you filter that :) :) Sorry!

Christophe_O
Sat 3rd Aug '02, 12:57pm
Alright but is there any need for HTML? Is there anything useful it can do that vB code can not?

I used to hate forums using special code---never could figure it out---but the current vB with code buttons and "help" eliminate all the fuss, even for a no-nuttin like me...

Sure, I would enable HTML if it can be done with zero security risk. But if any risk at all, why bother?

Gary King
Sat 3rd Aug '02, 4:10pm
Originally posted by Christophe_O
Alright but is there any need for HTML? Is there anything useful it can do that vB code can not?

I used to hate forums using special code---never could figure it out---but the current vB with code buttons and "help" eliminate all the fuss, even for a no-nuttin like me...

Sure, I would enable HTML if it can be done with zero security risk. But if any risk at all, why bother?

Yes, of course there are tons of things that HTML can do that vB code cannot (although you can still add these HTML codes to use as vB ones).

Personally, I like HTML-enabled forums, because I am used to typing HTML code instead of vB code, as I always hand-code my websites etc.

Chruser
Mon 5th Aug '02, 3:09pm
The con con bug works pretty well with images enabled as well. At least it crashes older systems; I'm not sure about XP yet. I haven't had the time to attempt to crash myself yet.

Christophe_O
Mon 5th Aug '02, 9:59pm
Originally posted by Blak n Wite


Yes, of course there are tons of things that HTML can do that vB code cannot...

So what exactly is the "risk" of using HTML, even with active characters blocked? Can someone please state a "worst case scenario"... ?

:confused: :confused: :confused:

Gary King
Mon 5th Aug '02, 10:12pm
Originally posted by Christophe_O


So what exactly is the "risk" of using HTML, even with active characters blocked? Can someone please state a "worst case scenario"... ?

:confused: :confused: :confused:

Someone could use tags that they don't close, and affect part of the thread.

I.E. Use the <marquee> tag, and make the bottom of the post scroll.

I can't quite picture any true worst-case scenarios ATM, though.

Christophe_O
Tue 6th Aug '02, 11:15am
Originally posted by Blak n Wite
Someone could use tags that they don't close, and affect part of the thread. I.E. Use the <marquee> tag, and make the bottom of the post scroll.

Well---how about if everyone who has an HTML crime---or who even thinks of a possible crime (like "marquee" tags)---make a point to come here and report it? Then over time we can increase the "block" list to prevent all possible HTML crimes.....

Gary King
Tue 6th Aug '02, 12:52pm
Originally posted by Christophe_O


Well---how about if everyone who has an HTML crime---or who even thinks of a possible crime (like "marquee" tags)---make a point to come here and report it? Then over time we can increase the "block" list to prevent all possible HTML crimes.....

That *might* be a good idea, BUT then there wouldn't really be any reason to enable HTML in the first place! :rolleyes: The main reason people enable HTML would probably be because they want to allow their users to post using some fancy HTML tags, etc.

Like text glow, shadow, invert, scroll, etc etc.

Marshalus
Thu 31st Oct '02, 3:55am
I had HTML on my boards, until someone decided to use the META refresh tag and direct my front page CSM to some porn site.

I was not happy.

f-a_org
Sun 3rd Nov '02, 9:08pm
Originally posted by Gutspiller
I take it nobody has every posted a picture of a guy pulling his cheeks apart showing you the inside of his ass.

I pray you never have to see what I have seen stupid people do to my board. :(

Rotfl !!

omg I have got to register at your board

*can't stop laughing *

Pingu
Wed 20th Nov '02, 6:13pm
Well, since nobody else mentioned this before, I will:

I'm pretty sure the censor thingie mentioned in the first post is correct, but isn't there supposed to be a maximum of 250 characters for the "Words to censor" field?
That makes the possibilities of using censoring rather limited, and part of the code posted in the first post here won't be censored because of that limit.

Visionray
Fri 22nd Nov '02, 7:43pm
Originally posted by freddie
Enabling HTML will always present a certain security risk to your forum.

Even if you have it enabled in a private/invisible forum?

filburt1
Sat 8th Feb '03, 10:34pm
Originally posted by Visionray
Even if you have it enabled in a private/invisible forum?

Rephrased: anywhere that a user can type HTML and have it displayed on your forums, whether it be signatures, private messages, or any threads--public or private--they then have the ability to steal your username and password.

Gary King
Sun 9th Feb '03, 12:14am
Originally posted by filburt1
Rephrased: anywhere that a user can type HTML and have it displayed on your forums, whether it be signatures, private messages, or any threads--public or private--they then have the ability to steal your username and password.

May I ask, how is that possible? I don't need all the details, just an outline of how a member would be able to do this, to prevent it and such.

Christophe_O
Mon 10th Feb '03, 7:53am
Originally posted by Christophe_O
So what exactly is the "risk" of using HTML, even with active characters blocked? Can someone please state a "worst case scenario"... ? :confused:

Originally posted by filburt1
...anywhere that a user can type HTML and have it displayed on your forums, whether it be signatures, private messages, or any threads--public or private--they then have the ability to steal your username and password.

Originally posted by Marshalus
I had HTML on my boards, until someone decided to use the META refresh tag and direct my front page CSM to some porn site. I was not happy.

Now there are worst case scenarios. I am scared, I am scared... :eek:

By the way, I haven't been here in a while--and now I find ridiculous "horizontal scrolling" in my "post reply" page. Is this a default of this Beta 3.0---or is some joker using HTML....

Gary King
Mon 10th Feb '03, 5:29pm
Originally posted by Christophe_O
Now that is a worst case scenario. I am scared, I am scared...:eek:

By the way, I haven't been here in a while--and now I find ridiculous "horizontal scrolling" in my "post reply" page. Is this a default of this Beta 3.0---or is some joker using HTML....

It's because the first post of this thread is too long, so you have to scroll horizontally to view the entire post.

SixthSense
Fri 19th Dec '03, 11:59am
Speaking of security risks in HTML tags, can I avoid them if I put only these words in the censor list and enable HTML at the same time?
<script </script onload onMouseover onClick onMouseout



Also, isn't this behavior a bug in the browser, so it can be patched to prevent it from causing the problem?

SixthSense
Mon 22nd Dec '03, 10:51am
Any reply??

Brad.loo
Sun 18th Jan '04, 12:16pm
Any reply??
Bottom line:

If you allow HTML on your forum you are gonna:


Spend a lot of time tracking down 'bad' HTML tags and blocking them
Have your cookies stolen because you forgot to block a certain tag
Your members are gonna do something, like mess up your postbit layout or redirect the site to another one, the list goes on


At the end of the day there is no reason to allow html on forums IMO, if you need a certain tag for your board it only takes a few minutes to make a new vBcode. vBcode is there to allow you to control what kind of codes can be posted on your boards, with html it is the reverse, you have to keep up with it everyday.

Shining Arcanine
Sun 18th Jan '04, 1:04pm
How is allowing images a 'security risk'? :confused: It may open the door to abuse (links to porno shots) but I fail to see what the security risk is.
http://www.danasoft.com/vipersig.jpg

Only way to make this not a security risk would be to save the image in the DB...

Dolby
Sun 18th Jan '04, 3:07pm
http://www.danasoft.com/vipersig.jpg

Only way to make this not a security risk would be to save the image in the DB...

That's hardly a security risk. It only spews out information your browser is willing to give out to anyone. That image can't steal cookie info or any other important information. I guess the only risk would be that a competitor could get stats on what type of people visit your site by posting on your forum and monitoring the stats on the sig.

SixthSense
Sun 18th Jan '04, 4:52pm
Bottom line:

If you allow HTML on your forum you are gonna:


Spend a lot of time tracking down 'bad' HTML tags and blocking them
Have your cookies stolen because you forgot to block a certain tag
Your members are gonna do something, like mess up your postbit layout or redirect the site to another one, the list goes on


At the end of the day there is no reason to allow html on forums IMO, if you need a certain tag for your board it only takes a few minutes to make a new vBcode. vBcode is there to allow you to control what kind of codes can be posted on your boards, with html it is the reverse, you have to keep up with it everyday.

I'm using the Magic ToolsBox hack which, in its turn, uses some JavaScript code.
When I disabled HTML, all the JavaScript was written out and not parsed.

Shadow Duelist
Sat 24th Apr '04, 3:10pm
How is allowing images a 'security risk'? :confused: It may open the door to abuse (links to porno shots) but I fail to see what the security risk is.
Because people sometimes use PHP inside of the [img] tags..

Gary King
Sat 24th Apr '04, 3:18pm
Will that even work though?

Denzo
Sat 24th Apr '04, 3:50pm
How do I remove "allow html" for all forums? I want to make sure HTML is not allowed in all forums, but don't want to go through each forum manually..


thanks
dave

Gary King
Sat 24th Apr '04, 5:37pm
You'd need to write a good script which would decode the options column in forum table, then change the HTML part from 1 to 0.

It'd be easier to go thru each forum in my opinion; unless you have, say, 50 forums? Then ask for some help to write this script probably.

Shadow Duelist
Sat 24th Apr '04, 7:10pm
Will that even work though?
Yep.

Shining Arcanine
Sun 2nd May '04, 5:53pm
That's hardly a security risk. It only spews out information your browser is willing to give out to anyone. That image can't steal cookie info or any other important information. I guess the only risk would be that a competitor could get stats on what type of people visit your site by posting on your forum and monitoring the stats on the sig.
People could record data on people visiting your site, I consider that a risk.

Brad.loo
Mon 3rd May '04, 2:34am
Erm, the option to block dynamic URLs in the img tag has been available since version 2; sounds like some of you need to turn it on ;)

Crashys
Wed 10th Nov '04, 4:35am
I would suggest adding "javascript:alert(document.cookie)" also!!

Just log in to your forum and then copy and paste this into the same browser. Get scared!!!