User Title Exploit
Most of us who know PHP know how to exploit the usertitle, well, the code to allow HTML even if specified not to.
I'm just wondering if there's ANYTHING I can do to stop it being exploited. I was talking over a mate how to do it and it's got passed on :ermm: it won't get passed on anymore coz I know he'll keep it to himself. Just what do I do if it does? LOL
filburt1
05-16-2003, 11:33 PM
Just don't allow anybody to use custom titles.
Fairy snuff. But for a few reasons on my boards I prefer them to. Any way to stop it?
filburt1
05-16-2003, 11:40 PM
To my knowledge, stock vB doesn't allow it. Make sure you don't have any hacks that break user titles. :)
filburt1
05-16-2003, 11:56 PM
Unhacked vB.
Is it OK to email you the code? I mean, as I don't want to release it.
Tigga
05-17-2003, 02:20 PM
Wow... Never knew vBulletin had a small exploit there. Apparently it does work with a stock vBulletin as well. It wasn't hard to fix though. If you just look in your member.php file for addslashes($customtext) and replace that with addslashes(htmlspecialchars($customtext)) it should fix the problem. :)
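The replacement Tigga describes, run against a few constructed titles, as an added PHP example that is not part of the thread and is not vBulletin source. The function names, the sample titles and the ENT_QUOTES/UTF-8 arguments are assumptions, and stripslashes() stands in for the database round-trip.

```php
<?php
// Added illustration, not vBulletin code. All names and sample data are constructed.

// Behaviour the post attributes to member.php: SQL-oriented quoting only.
function store_title_before(string $customtext): string
{
    return addslashes($customtext);
}

// The replacement from the post: encode HTML metacharacters, then quote.
// ENT_QUOTES and the explicit charset are assumptions added here so that
// single quotes are encoded too; the post calls htmlspecialchars() bare.
function store_title_after(string $customtext): string
{
    return addslashes(htmlspecialchars($customtext, ENT_QUOTES, 'UTF-8'));
}

// True if the value would still open or close a tag when echoed into a page.
function has_live_markup(string $stored): bool
{
    return strpbrk($stored, '<>') !== false;
}

$samples = [
    'Senior Member',          // ordinary title, must pass through unchanged
    '<b>Moderator</b>',       // HTML a regular user should not be able to set
    "O'Reilly <i>fan</i>",    // quote plus markup
    '<?= mod ?>',             // the status quoted later in the thread
];

foreach ($samples as $title) {
    // stripslashes() models reading the value back out of the database.
    $before = stripslashes(store_title_before($title));
    $after  = stripslashes(store_title_after($title));

    printf(
        "input : %s\nbefore: %s (live markup: %s)\nafter : %s (live markup: %s)\n\n",
        $title,
        $before, has_live_markup($before) ? 'yes' : 'no',
        $after,  has_live_markup($after)  ? 'yes' : 'no'
    );
}
```

Because this encodes at storage time, a template that also encodes the title on output would show entities such as `&amp;lt;` to readers, so encode in one place only.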
filburt1
05-17-2003, 03:16 PM
On my board there was no problem and to my knowledge still isn't one. One member used a status of <?= mod ?> (or thereabouts) which would normally be parsed as HTML to most browsers (it would appear as nothing). However you saw the actual text instead.
Tigga
05-17-2003, 08:07 PM
Yea, it doesn't seem to work for PHP code. It does for HTML though which could still be abused.
filburt1
05-17-2003, 08:16 PM
It didn't for me. Make sure you're trying it as a nonadministrator.
Gary King
05-19-2003, 01:38 AM
Doesn't parse PHP or HTML code for me as well.
Make sure you're running the latest version of vB as well, just in case.
Tigga
05-20-2003, 02:35 PM
Ahhh, the turtle is right again. :D HTML code worked when I tried it as an admin, but not as a regular user.