Are they certain HTML commands?

XSS is cross-side scripting. In a nutshell it allows people to inject malicious Javascript that captures the user's cookies (which remember, one of them is the user's hashed password) and redirect them to their own side so they can be brute force attacked and eventually reverted back to the original password.

Additionally to that with some javascript can have arbitrary commands executed when an admin views a page with the malicious code.

i.e. iframe with src pointing to /admin/....?....&username="+getCookie('bbusername')+"

I'm not sure if iframes inherit the cookies.

There is no way of enabling HTML and keeping your site secure. :)

In any case, there is a thread on vB.com about turning on HTML and keeping it as safe as possible.

Is there a way to block Xss scripts without upgrading? Is the only other way to turn off html? If there is a certain command to run xss scripts, can't you just add that command to your censor list?

I have "<iframe" added to my censor list and nobody can run an iframe, yet they can still run html. Something like this possible?

Never, ever enable HTML anywhere on your board. There is no 100% secure way of enabling it and still letting users post in it.

Today at 05:51 PM filburt1 said this in Post #6 (https://vborg.vbsupport.ru/showthread.php?postid=382749#post382749)
Never, ever disable HTML anywhere on your board. There is no 100% secure way of enabling it and still letting users post in it.


You mean never ever enable it.

Maybe I could get some help. how creating a secure way to run it.

Today at 01:53 AM Gutspiller said this in Post #8 (https://vborg.vbsupport.ru/showthread.php?postid=382750#post382750)
You mean never ever enable it.

Maybe I could get some help. how creating a secure way to run it.
Why do you need HTML? What feature does it add to your board that you can not have with bbcode?

You can really create a new bbcode for many HTML commands you need in your site and then disable the HTML altogether.

Or another alternative may be enabling it for certain (trusted) usergroups only and disabling for the rest (Check Hack releases forum for this hack).

As filbert stated do not enable it for all if you don't want a site that has serious security gaps.

Yesterday at 06:53 PM Gutspiller said this in Post #8 (https://vborg.vbsupport.ru/showthread.php?postid=382750#post382750)
You mean never ever enable it.

Maybe I could get some help. how creating a secure way to run it.

bbcode is your secure way of running it.

I think bbcode has it's limits. Back when I was changing up my bbcode more often than I am now, if I remember right, bbcode can't do 2 options only one. Personally I kinda thought bbcode was limited. I have wav files enabled for posting, flash files. People can post images stating both the height and width the image. I think with bbcode, you can't tell it what you want the height and the width to be. You can put an option when you are creating the bbcode, but then that option would have to be both the width and height. That is if I remember right.

I do remember one reason why I need html enabled. The smilies that I have above the text field where people type their images are clickable. I believe it's using one of Fireflys hacks. to insert the smilie into the users post it adds the image using a line like this:

<img src=images/icons/icon180.gif>

I might be able to dig up the hack with the instructions and maybe somebody could look at it for me and see if they could get the same hack to work without having to have html enabled for the board to recognize the smilies that are inserted into posts?

I think that was the main reason why I add html turned on.

I do however have the following commands in my censorship area:

<style </style <iframe </iframe <link </link <basefont </basefont <base </base <th </th <tfoot </tfoot <tbody </tbody <thead </thead <body </body <meta </meta <script </script <html </html <plaintext </plaintext <xmp </xmp <object <noframes <noembed <noscript <nojava onload onMouseover <fieldset :absolute style="position "position absolute; <caption

Those alone seem to keep out the nastier ones I have found some of my members using. With all those censored, I believe I have very little to no holes with the enabled html, however I know that there are probably some that I have missed, so if somebody is willing to help me get that hack that I mentioned above to get it to work without html, I would be willing to switch.

How about this seemingly innocent thing?
<a href="#" onMouseOut="doBadStuff()">
The point is you must turn it off or your site will eventually be hacked.

04-16-03 at 03:33 PM filburt1 said this in Post #12 (https://vborg.vbsupport.ru/showthread.php?postid=383093#post383093)
How about this seemingly innocent thing?
<a href="#" onMouseOut="doBadStuff()">
The point is you must turn it off or your site will eventually be hacked.

Just added onmouseout to censored words, now it will appear as


<a href="#" **********="doBadStuff()">


See, not that hard. Just need help with peep thinking of other words to censor so they don't run. I think it's possible to run html if you do this and if I get some more help on other html "commands" to censor.

You dont understand. There are possibly literally hundreds of ways to execute Javascript on a page. Just turn off HTML and the risk will be gone.

Today at 09:20 AM filburt1 said this in Post #14 (https://vborg.vbsupport.ru/showthread.php?postid=384225#post384225)
You dont understand. There are possibly literally hundreds of ways to execute Javascript on a page. Just turn off HTML and the risk will be gone. What makes VBcode so safe if it uses html too? :ermm:

Because you have complete control over what HTML it uses, and it scrubs any HTML the user sends.