Why cant you do with VB tags, that needs HTML?
Quote:
Originally Posted by matt9669
leave it on! i dont know much about html but those people i know who do know about it say its not a big vulnerability.
and yes, if we disabled html code, how will that stop anybody from attacking xs?
there will always be vulnerabilities, there is no easy fix, no simple code, you just have to enable, no button you can push to be just safe and dont have to worry anymore
and is there no middle way to this? do we need html for img tags? is there no way to keep the img tags working but disable html? maybe just some parts of the html code like it was brought up some posts ago?
i think that img tags and links are very important for xs, and disabling both would hurt all of us. why should we go through all this pain? its just some out of dozens of vulnerabilities we get rid of, its not like disabling html code will make xs invulnerable to any attack.
and matt, please calm down, im sure all will end up fine :)
It can be more of a pain to set up. I mean you can, look at my sig. I just reset it up. I now use a static image for the D2OL sig. And the little smilies are working again as well. So I mean you can, it's just more of a pain to change things. I can live without HTML, it isn't that big of a deal, but I would rather see it stay
jjcom
what about links and pics we post on xs?
can we still post pics in full size with img tags and links to another part of the forum or a shop or a news flash on some site with html turned off?
well said! :up:
Quote:
Originally Posted by matt9669
Any update on that matter from the Admins - Kazoo? FUGGER?
Has HTML code been turned OFF permanently? When is the testing over?
yes you can post links and images that appear in the forum (not as links). VB code does that.
Quote:
Originally Posted by saaya
Sorry saaya, just consider me a post 9/11 American who doesn't like freedoms being limited in the name of "security" that turning off HTML code won't provide. :sick:
Even if we lose all the links and stuff I'll still stop in, but...I feel limiting the forum is like giving up. As long as the server is safe should be the only real concern. Anyone who seriously wants to do damage wont need or use html. I vote we keep it and not cave into fear. But like I said...either way, I'll still stop to visit now and again.
VB code is rendered by the server. HTML is a standardized language that any browser in any OS can display.
Quote:
Originally Posted by 9mmCensor
Remember the emoticons that could display info like your IP address? Theres also iframe, frames, and dynamic image link (d2ol sigs had this) as well as playing with file extensions, which can all get past many insecurities within windows itself. The code is not to blame, its windows.
Quote:
B) Read my previous posts! I DARE you to find an exploit that works purely with HTML! Why? Because one does not exist, period.
Now, with that said BB/PHP/whatever allow us most if not all the freedoms HTML provides, and quite possibly more (I couldnt tell you exactly since I am not well versed in any of these languages) and I dont believe removing HTML from the picture is going to impact the forums at all.
All it means is instead of putting <*img src=bleah> you put <*img>bleah<*/img> or a derivative thereof.
Frames require a frameset. Unless the HTML code on the forums is in a frameset (and I don't know why it would be) . . .
Dynamic image links should be part of our activity in the forums. I don't know of an exploit that uses this particular functionality - if you do, please point it out to me.
Your IP address is public knowledge. HTML is not required to display that.
Playing with file extensions? In HTML? Show me an example!
So whats your point?
Quote:
Originally Posted by matt9669
Ok, you can still have all the sig images as long as they don't come from a php script. If they are jpegs or gifs, then they will work fine. The only people who used images from php scripts were the D2OL sigs, people who linked to attachments here at XS, and the people who post that IP/ISP/Browser script. BBcode works just fine.
Quote:
Originally Posted by Dissolved
I have yet to see any post that actually needs HTML and can't be done with BBcode, so why keep it enabled? The people who know HTML can figure out BB code easily and the people who don't know HTML or BBcode will just use the buttons (and bbcode) so it isn't a usability thing.
PHP scripts creating images are a risky thing. Just disable HTML code and force people to use static images. Think about it... Kazoo is an admin and she has my D2OL script in her sig. PHPBB disabled this completely because it was a security risk and vBulletin should force their users to do the same.
An ideal solution, as I said, would be to block all external images generated by scripts, so people could still make full size attachments. I guess you could still exploit it, but it would be more contained.
Matt, can you show some of your posts that actually need html where it couldn't be done with bbcode? While I seem to agree with you on American politics, the analogy just doesn't work here IMO. There are more exploits than just leaving HTML on that deal with php script images and other things...or am I missing something completely?
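The setup the post above argues for (raw HTML off, BBCode rendered by the server, images limited to static files), sketched as an added example that is not part of the thread and is not vBulletin's or phpBB's code. The function names, the extension list and the sample URLs are assumptions made for illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Policy assumed for this sketch: static image types only, so script-generated
# images (e.g. sig.php) are refused, as proposed in the post above.
STATIC_IMAGE_EXT = (".jpg", ".jpeg", ".gif", ".png")

# One combined pattern, applied in a single pass. URLs may not contain
# brackets or whitespace, so one tag can never be smuggled inside another.
TAG_RE = re.compile(
    r"\[img\](?P<img>[^\[\]\s]+)\[/img\]"
    r"|\[url=(?P<href>[^\[\]\s]+)\](?P<label>[^\[\]]+)\[/url\]",
    re.IGNORECASE,
)


def _http_parts(url):
    """Parse url; return its parts only for http(s) URLs that have a host."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    return parts if parts.scheme in ("http", "https") and parts.netloc else None


def _render_tag(m):
    """Turn one matched tag into HTML, or leave it as inert escaped text."""
    url = m.group("img") or m.group("href")
    parts = _http_parts(url)
    if parts is None:
        return html.escape(m.group(0))
    safe_url = html.escape(url, quote=True)
    if m.group("img"):
        static = parts.path.lower().endswith(STATIC_IMAGE_EXT) and not parts.query
        if not static:
            return html.escape(m.group(0))
        return '<img src="%s" alt="">' % safe_url
    return '<a href="%s" rel="nofollow">%s</a>' % (safe_url, html.escape(m.group("label")))


def render_post(text):
    """Escape every character of raw HTML; expand only the allowed tags."""
    out, pos = [], 0
    for m in TAG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        out.append(_render_tag(m))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)
```

The extension test is a naming policy only: a remote server can still generate whatever it serves under a `.jpg` URL, so it narrows what can be embedded but does not verify the content.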
You wanted to know what the difference was ;)
VBcode is limited by what the server will render and how it renders it. HTML is not.
What a cumcatcher. Don't people have anything better to do than this crap?
Can't we get a script made that will scan for scripts when people hit the submit button. This is a newbie thing that was done, i'm sure people around here know way more than this guy copy/pasting some html code....
It's not a script, it's just an HTML tag - we could simply not allow use of the tag.
I heard if you press ctrl, alt, and delete at the same time (twice) :stick: you can fix this problem!!!
This is where iframe comes in.
Quote:
Frames require a frameset. Unless the HTML code on the forums is in a frameset (and I don't know why it would be) . . .
<iframe src="www.wcroller.com/los/whatever.txt"></iframe>
Hope that works and doesnt cause anything bad to happen... *f5..*
EDIT
Ok, didnt cause anything bad and shows correctly (ie: nothing ;) ).
I see what you mean PS2 and I have a better understanding of the situation now that I've talked to some of the mods.
Quote:
Originally Posted by PS2pcGAMER
I do think we need to look at the HTML code that is allowed by vBulletin, I was under the impression that it was HTML 4.0 and nothing more. I don't think the simple trick boshi used should shut down HTML on the forums, and I think we should be able to trust people to use PHP-generated images as they do have inherent usefulness.
What you are referring to are browser exploits that work off of externally referenced code. HTML by itself in the forums constitutes no threat, and even allowing external code constitutes no threat to the actual forums - but there are problems that could arise from other portions of code that are not strictly HTML . . .
PS2, you seem to be the most knowledgeable person I've talked to on this subject. Could you PM me specific examples of these exploits? To my knowledge none of us have seen these used on the forums . . .
the point of it all is, yeah in the future we can use the VB code and all that, but what about the past? Images, etc will be messed up. Like I said earlier its just more stuff that needs to be done, that doesn't need to be.
I could just not know how to do this right, but....when you attach an image, what if you want it on your post?
jjcom
I agree with jj, and I also think find creative ways to target these specific and few problems - we've banned the user that was crashing IE, until I see something more dangerous being used (like I said, it would require the use of external code, it's not the HTML on the forums that causes issues) I don't think the need to bluntly turn off all HTML code is present.
yeah, in my Video Card guide, my images are no longer there. Although, this is confusing me since the images in my sig still show....:confused:
jjcom
images in your sig are using [*img][*/img], the ones in the guide were probably [*img src="xxx"]
?
I'm new here, but hey, why would you customize your site for a person's security, when really, it is up to the user to ensure that their system is not vulnerable? A webpage crashes your pc, and deletes your HDD? If you fell victim to something like that, I say you deserved it.
Changing your site because of one teenager is not kosher by any means..giving in to the attackers just simply gives them the power that they are trying so hard to obtain.
I'm not your average pc user, but i have not had a virus in over 2 years. Not even blaster affected me. Why? Because I made sure my $3500 computer was as secure as a $350,000 computer...and so should everyone else. I cannot see anyone being able to pull off an fdisk from a webpage, without clicking on something first, and everything else should be taken care of by the pc user, not a BBS.