[shimei]

Hello,

I was wondering whether others were experiencing the same issues as I am. I keep notes by tracking the forum changes I make. I tried to post the following code into my VB 5.1.5 under an admin account:

Block Disabled:      (Update License Status)
Suspended or Unlicensed Members Cannot View Code.

It breaks the site's layout. I went to usergroup permissions and disabled Allow HTML Code, I also checked Channel Permissions.

I feel like my site is a sitting duck awaiting for someone to wreck havoc on it.

[Lynne]

You tried to post that code where? You are posting it in a thread? If so, post it in [ code ] tags.

[shimei]

Originally Posted by Lynne

You tried to post that code where? You are posting it in a thread? If so, post it in [ code ] tags.

Hi Lynne,

That's exactly what I had done. I make notes in the forum of the changes I make to the website. I put that in the code tags of a thread. Regardless, it breaks the layout.

[Lynne]

Are you putting the html in HTML tags or CODE tags? Now that I think about it, CODE tags will 'parse' what is in there; HTML tags should not.

[shimei]

Hello Lynne,

I am a little unclear about what you mean. I pasted in plain text in code tags.

In or out of the [ code ] tags the code disappears and wrecks the site. Luckily I was able to delete the post because I was still looking on it and did not navigate away from it on one browser. If I even post the following:

<!-- Categories -->

The above code cannot be seen in my page in or outside the code tags. Is this a security issue? I can't see how it isn't because all one needs do is post some code in the browser and my site is wrecked on 5.1.5. I have set no to allow html code wherever it is an option in the admincp, and that's the only thing I could come close to assuming that would prevent it.

I have filled out a support ticket with Vbulletin but it has been days and no solution. If someone post a code into the browser and my site goes down how can I find the post when no posts are visible. Would I have to go to the database and find the culprit post and delete it?

Thanks William

[ForceHSS]

If you allow the admin group to post html code and allow html in the section you need it should work if you only want yourself to post html code make a new admin group and move yourself to it then give that group only html permissions.
Warning: html coding can break your site and cause security problems if you don't know what you are doing

[shimei]

Originally Posted by ForceHSS

If you allow the admin group to post html code and allow html in the section you need it should work if you only want yourself to post html code make a new admin group and move yourself to it then give that group only html permissions.
Warning: html coding can break your site and cause security problems if you don't know what you are doing

Right, I had disabled html coding in all groups and channel permissions. The result is the same and which led me to posting this.

Thanks for your time though,
Shim

[ForceHSS]

Can you post some screenshots with the code breaking and without and a link to your site so someone can give you the correct code if they can

[Replicant]

If you are posting just the code in the original post, it probably will break the page since there is no closing tag for the table. If you want to view the raw html in the post, have you tried the noparse bbcode?

Block Disabled:      (Update License Status)
Suspended or Unlicensed Members Cannot View Code.

[Lynne]

Originally Posted by shimei

Hello Lynne,

I am a little unclear about what you mean. I pasted in plain text in code tags.

I mean you should use [ HTML ] tags instead of [ CODE ] tags.

Block Disabled:      (Update License Status)
Suspended or Unlicensed Members Cannot View Code.

not

Block Disabled:      (Update License Status)
Suspended or Unlicensed Members Cannot View Code.

[shimei]

Originally Posted by ForceHSS

Can you post some screenshots with the code breaking and without and a link to your site so someone can give you the correct code if they can

Here's the result of having posted between either [ code ] or [ html ] tags as Lynne suggested. As you can see the entire site is wrecked (blank).



--------------- Added 13 Mar 2015 at 00:11 ---------------

and here it is before I enter the code:



--------------- Added 13 Mar 2015 at 00:15 ---------------

Originally Posted by Replicant

If you are posting just the code in the original post, it probably will break the page since there is no closing tag for the table. If you want to view the raw html in the post, have you tried the noparse bbcode?

Block Disabled:      (Update License Status)
Suspended or Unlicensed Members Cannot View Code.

Hello Replicant,

Thank you for your support. I have not, my concern at this point is that anyone can enter code into the browser by creating a thread or replying to a post and wrecking the site.

At this point, I'm hoping someone will tell me how to find the post in the database once the site has been wrecked?

Of course, I think this needs be looked at, and I was wondering if others are having this issue or is it my site alone? I am using VB 5.1.5. I am nervous about posting a link to my site here, all I need is for someone to to do this or keep doing it. My site would be down until this is fixed.

Thanks,
Shim

[Replicant]

Post the source from your post that is breaking the page here so we can see what you are doing.

[shimei]

I was copying this page to my forum section where I track the mods I have done to the site. I performed this mod successfully then created a thread and posted this page as a record of my changes. That's when I discovered I could wreck the site through entering any of this code into the browser/thread/post.

http://www.vbulletin.org/forum/showthread.php?t=309785

[Wayne Luke]

I tried to recreate this issue on a fresh installation of vBulletin 5.1.5 with no modifications. Using the [html] tags I get this result:



Using no BBCODE, I do get issues so that will need to be checked and tested more but it doesn't break the entire site. Here is what is does if no BBCode is used:



In both occurrences, the Can Use HTML permission is off globally for Administrators.

Though if you've made other changes to the templates and the above code is compounded on errors that browsers could work around, then this could cause more issues.

[ForceHSS]

As HTML seems to work for Wayne then it must be something you installed like a custom plugin or an edit to a template revert any templates and disable all plugins then test