We seem to have a minor glitch on our forum. When ever one of us tries to do an announcement from the Admin Control Panel, it will not allow us to disable HTML, or set VB Code. We check HTML to NO, and then VB to yes, and save the announcment, and when we do, if you click on "edit" again, it show that HTML is turned on, and VB is turned off. No matter how many times we do it, it will not disable HTML.

Any ideas??

What version are you running? Do you have any hacks installed?

Currently we are running 2.2.5, and yes, we have hacks installed. I will try and remember them all here, but if not, I will have to wait till I get home from work as I have the list there.

Welcome Panel Hack
Moderator Drop Down Hack
Last Thread Title on Forums Index Hack
Signature Editor Hack
Who's online Colored Username Hack


That is all I can think of off the top of my head, but I am pretty sure that is it.

Talon

I just tested this with my unhacked 2.2.5 forum and got the same results. Although it should be no problem to recheck the settings, I still think this qualifies as a bug. Moving to the Bugs forum.

ok, thanks alot. I am more concerned about the HTML security problems, as we have just turned off all of the HTML on the forums, and I don't want this to be another thing to worry about.

Talon

Actually, it's not a bug, just the not-so intuitive way announcements work.

Those settings are not saved. They work on a pre-process basis. Depending how the options are set, the announcement text gets sent through bbcodeparse() with HTML, smilies, etc enabled/disabled. It returns straight HTML which is then saved and displayed.

Make an announcement with a smilie and a BB Code then go back to edit it and you'll see what I mean.

I'd have to confirm the code, but I believe this has already been changed for vB 3.

Also there is no security issue with you using HTML on the forums. Why did you think there was?

Well, I have been told several times by many, including Staff here that HTML should be turned off, and that it can be used to hack into a forum. after reading several posts, comments, etc on this, and realizing that it had been done to me in the past, I turned it off. One of the threads that it was mentioned in is here (http://www.vbulletin.com/forum/showthread.php?threadid=29187&%20highlight=hack+and+into+and+private+and+forum+a nd+<br%20/>html) and jakeman highly recommends that html be turned off on forums unless you absolutely trust your members, which unfortunately, not all of mine can be.

Now, after reading this thread, I need to know if there is a way to correct this. I have tried to just use VB codes, and it does not work. I have setup an Announcment with HTML turned OFF, and VB turned on, only to go read that announcment and have it showing the VB tags because it is not turned on, yet HTML is. It was not edited at all, it was started that way. So, I either have a bug of my own, or it is a bug in VB itself.

talon

Example:

just made an announcment through the admin panel, using vb code, with HTML turned off, VB Code and IMG turned on. used


{url="http://www.vbulletin.com/forum/showthread.php?s=&threadid=46547"}Test Hyperlink{/url} in the announcement, (obviously I used [ instead of { )and hit save, then went to read it on the forums, and it looked fine. Went back to the CP and looked at it, and sure enough, it changed the VB code to HTML, and the settings were HTML ON, and everything else OFF. Very strange.

Talon

Originally posted by Talon3DHQ
Well, I have been told several times by many, including Staff here that HTML should be turned off, and that it can be used to hack into a forum. Those comments were in reference to users posting messages in the forums. They never really applied to Announcements which can only be posted by Admins and Mods. These are supposed to be people you trust.

Originally posted by smachol
Those comments were in reference to users posting messages in the forums. They never really applied to Announcements which can only be posted by Admins and Mods. These are supposed to be people you trust.
Well, that is what I was trying to find out as well. Can using HTML in announcements leave the forums vulnerable to those problems as well? From what I read, if HTML is allowed anywhere on the forums, then it can be a security problem. If the Jelsoft team, or the moderators here say that there is no problem using HTML in the announcments and it is not a security risk, then I will use it, but I still think this bug, problem should be fixed, or this thread moved into the "problems" forum, so I can get the help I need to correct it. Not knocking anyone here at all, I am just not as savy as you all with the software yet, and want to make sure my forums are safe, as you would.

Talon

And yes, I do trust my mods/admins.

You can use HTML in Announcements as long as you trust the people capable of posting announcements. However in all honesty I don't know whhy you would need HTML in an announcement. But this decision is yours to make.

As for the problem of reverting to HTML on and vB Code off, this only happens when you go to edit the announcement. The fix is to reset these options and edit your announcement.

no, see, it doesn't only happen when you go to edit an announcment. As I stated above. If make an announcement using VB CODE and with HTML turned OFF, as soon as I hit save, it changes it comepletely to HTML ON, converts the VB CODE to HTML, and turns VB CODE OFF.

I do trust the people using the Admin Control panel, so I will not worry too much about it, I just wanted to make sure that just HAVING html used wouldn't give a malicious person a way "in" if you know what I mean.

Talon

Ok, I may see what you are talking about now..I did one with JUST smilies, and even though it did the same thing, it still showed the smilies. It was just wierd before because when I tried to use the [url] tags in a new announcment, it showed the tags, and didn't do parse the link. Oh well. Sorry for taking up your time everyone, I just didn't understand what it was doing I suppose.


Talon

The place that everyone has told you to turn HTML off is in posts.

Think about it - if you couldn't use HTML at all, how would you be able to have templates? :)

Announcements have a number of quirks with them, refer to the following:

http://vbulletin.com/forum/showthread.php?threadid=20520#post137578

yeah, I finally understood that part...but I couldn't figure out why it was showing the HTML and not the VB code....

Hence the reason it's been reworked for 3.0. :)