[Dean C]

I'll move this over to modifications hints and tips - I think we need a rename of that forum

[Natch]

Handy Hints 4 Board Admins?

[deathemperor]

good hints
HTML is magic.

[Gutspiller]

Or you can just censor certain html tags and be a little safer:

Block Disabled:      (Update License Status)
Suspended or Unlicensed Members Cannot View Code.

:ermm:

[Zachery]

Originally Posted by Gutspiller

Or you can just censor certain html tags and be a little safer:

Block Disabled:      (Update License Status)
Suspended or Unlicensed Members Cannot View Code.

:ermm:

Censor is really easy to get around

[FrozenCreations]

i have an even better reason /;

do not alow <img /> tags!!

<HTML>
<BODY>
<IMG SRC="./bsod.gif" width="9999999"height="9999999" />
</BODY>
</HTML>

INSTANT DOOM!! muahahahahahaha

(it chrashes the page

[AN-net]

Originally Posted by Gutspiller

Or you can just censor certain html tags and be a little safer:

Block Disabled:      (Update License Status)
Suspended or Unlicensed Members Cannot View Code.

:ermm:

there are still so many more possibilities to use vicious javascript and code

[FrozenCreations]

and theres always my instant doom img tag

the downside is, you gota upload your own pic /;

[Tradjick]

And when enabling HTML only for Admins, would that be safe, beside the risk that someone gets Admin access?

[EliasAlucard]

Do they have to register an account and write something in the HTML-enabled section in order to exploit security vulnerabilities, or is it enough to just enable HTML in the first place in order to open up the forum for vulnerabilities?

[Digital Jedi]

Originally Posted by EliasAlucard

Do they have to register an account and write something in the HTML-enabled section in order to exploit security vulnerabilities, or is it enough to just enable HTML in the first place in order to open up the forum for vulnerabilities?

The risk is someone using the HTML on your forum. So whatever usergroup has the ability, is where the risk lies.

[EliasAlucard]

Originally Posted by Digital Jedi

The risk is someone using the HTML on your forum. So whatever usergroup has the ability, is where the risk lies.

Do they have to post with special HTML tags or is it enough that someone posts something like <sup> in order to enable HTML to become a vulnerability risk?

[Digital Jedi]

Originally Posted by EliasAlucard

Do they have to post with special HTML tags or is it enough that someone posts something like <sup> in order to enable HTML to become a vulnerability risk?

The danger doesn't come from the HTML just existing in a post. The danger comes from the person posting using raw HTML code.

Whatever HTML code he puts in a post, becomes that on the forum. If he posts the code that makes a table, it becomes a table in his post. If he posts the raw HTML code for embedding a YouTube video, it becomes an embedded YouTube video in his posts.

So the danger comes from the person, and what he's choosing to post. If he wants to post malicious code, he has fee access to do so. That's why BBCode is more secure. BBCode only turns into the HTML you decided it will turn into.

NOTE: Don't confuse this with the [HTML][/HTML] BBCode tags. This has nothing to do with what they're talking about above. This just displays code in such a way that it stays formatted. No matter what anyone puts here, it will just display text with the spacing preserved and color coding added.

Block Disabled:      (Update License Status)
Suspended or Unlicensed Members Cannot View Code.

[final kaoss]

Wow a 9 year old thread revived?