HTML Brain Teaser
 

I recently enabled HTML in posts on my forum, but only for members of the "Can use HTML" group. (Thanks to this handy hack.)

And one of my users immediately found a little bug. By putting:

in a post, he was able to screw up the postbit so bad the reply buttons were all gone and such. To prevent it, I tried all these tags after $post[message] in the postbit template:

But the first three had no effect (they just got commented out with everything else from the opening comment tag in the post) and the last one just showed up at the end of every post.

Can you think of a solution to this? (Besides disabling HTML :p)

a) disable html.
b) only allow members that will not #$%# up your board to use html.
c) when b fails, refer to a.

See the words preceding the tongue out smilie. HTML is a powerful tool that (used properly) can dramatically improve the aesthetic quality of a forum.

Disabling it is not an option! :p
There will always be people who are malicious, clueless or careless. I think the answer is to try to make the software foolproof, not cripple it.
So you don't know how to fix it, eh? :D

Adding <!-- to the swear censor might work - I haven't tested it.

IF you don't want users messing up your page layout, stop letting them use html, period.

I am sorry I do not know a 100% fix. And you will run into more problems then just the <!--.

What you need to do is create bb code to allow certain html tags to be used.

The whole idea of not allowing HTML is to prevent precisely what you have had happen.

There's no way around it. If you allow it, you have to limit it..and that defeats the purpose of allowing it.

Ooo... now that's a good idea. Unfortunately I use this user optional word censor hack in place of the regular word censor, so that won't work for me. But thanks for giving it some thought.

What makes completely removing it better than limiting it? I already limit it by restricting it to people who are in a specific group. And you're right, if I have to limit it a lot more than that I might as well not enable it at all.

I have to say... I've seen all the discussion around here and at vb.com over the years about how nobody should ever enable HTML under any circumstance ever ever ever, and it really makes me wonder why Jelsoft hasn't just removed the functionality from vBulletin.

But even if they did, I'd find a way to hack it back in. :)

could you somehow put --> somewhere. that way they would cancel each other out?

I thought I could, but unfortunately if you put that right after $post[message] in the postbit template it shows up in every post. Hmm... maybe I can put it within a comment though. I wonder what effect something like <!-- --> --> might have. I'll keep playing around. :)

ETA: Well I'll be damned. That seems to work! :D

Oops, no it doesn't. :o

Never, ever, ever allow HTML. There is no such thing as a trusted user, and hell no such a thing as a trusted usergroup. There is absolutely no advantage in HTML that is worth the insanely high security risks. Don't allow it anywhere.

Make vB codes for all the HTML you want to allow and make the kiddie scripters use them instead. That should give YOU control and the dynamics you want.

However....Good Luck!

What are the insanely high security risks in enabling HTML? The worst I've heard is that someone could swipe cookies and get my users md5 hashed passwords then try a brute force attack to crack them. But I guarantee my admin password isn't going to get cracked like that, and if it happened to some of my users--while it would be very bad in terms of violating their privacy--I certainly wouldn't call that an insanely high security risk.

What other specific risks do you have in mind?

They can still send those hashes to the server to simulate a logon. You can never guarantee that a password won't get "cracked"--in fact, passwords are notorious for being a horrible means of securing any system given it doesn't really verify that the user in question is who he claims to be.

Hell, for all you know, they could use the HTML in conjunction with some Javascript to fake a login form that redirects to their site, then they can steal your username and password in plain text. They can redirect to their own site for a request to that page. They can use CSS to restyle everything on the page. The list is seemingly endless.

With the exception of tables and more complex multiple argument HTML tags, there is nothing in HTML that can't be safely reproduced in vB code tags.

There is a reason that the only bolded text that I've encountered in a setting description in vB is to never enable HTML.

IMHO they should just go ahead and remove html support all togther. Its a legacy feture really, back in the old days we had to use html because we diden't have bbcode (this is a time way before vB).

There is no reason to turn it on, like other have said, if you enable it you have to limit it which defeats the entire purpose of enabling it. Like filburt1 said, reproduce any html commands you need with bbcode.

Okay let's take a step back here first. Do you know exactly how someone can steal cookies using HTML on my forum? And if they can, are you saying that they can somehow use that cookie to login to the forum as me without cracking the password?

But they can't fake a login form that's going to trick me. I mean I know vBulletin doesn't ever pop up a login window, so it's not like I'm going to forget that and type in my login name and pw. Granted some of my users might fall for that, but then again I'm not as worried about my users accounts being compromised as I am my own. Which is to say if someone was harvesting my users login info that way I would find out about it fast and stop it. But if someone got into my account they could actually do some serious damage.

I don't think a redirect is an insane security risk though.

They can? I'll have to do some testing but that doesn't seem possible.

HTML is a huge specification with a million features and functions that vB code tags can't do. Granted the average forum user would never use any of it, but when you have professional web designers using your site they prefer to have the power and flexibility of HTML.

Is there a reason they don't just remove the setting? :)

Don't get me wrong, I'm far from an expert on vBulletin, or HTML and I'm not just trying to mess with you here. It's just that in the last year I've been lurking around here I've yet to read any concrete, specific security threats of enabling HTML. And I'm just not one to strip down the software functionality unnecessarily. If someone tells me to disable a feature of the software I want to know exactly why I should.

No offense, but don't just quote every sentence I say and dispute it. It annoys the hell out of me when people do that. Remember, nothing personal. :)

I will sum up my statement with the following indisputable fact that any experienced vBulletin administrator or developer will echo:

There is no safe way to enable HTML, and the benefits of enabling it are obliterated by the onslaught of security vulnerabilities it introduces.

I partially agree with Brad in that it probably shouldn't have been implemented for this exact reason, but I also have my own private opinion on that.

Well nothing personal but it annoys the hell out of me when people tell me that actually using one of the features of software that I paid for is an insanely high security risk, but then can't tell me exactly what the risks are. I'm sorry that I'm not a person who just believes whatever I'm told without question, it's a personal problem I have. If you want me to believe that enabling HTML is an insanely high security risk, you're going to have to prove it.

I have seen no proof anywhere that enabling HTML brings an "onslaught of security vulernabilities", and if it does then Jelsoft should release an emergency upgrade that disables the HTML functionality entirely. Since they haven't done that, I'm going to conclude that the risks are exactly what I think they are: Not significantly more than not enabling HTML. People can use IMG and URL vBcodes to trick you into going to a site mimicking yours and then harvest your username and password that way. Does that make the IMG and URL tags an insanely high security risk?

Lastly, I started this thread to discuss an issue with HTML coding. Only about two people have actually responded to the question in the opening post while a dozen of you have chimed in to insist that I not enable HTML. If I am allowed to post HTML questions here, I would prefer it if people who don't have an answer for my questions, like yourself, not derail my thread. I know everyone here means well, but I'm not a 12 yr. old n00b. I don't need anyone to hold my hand here.

However, if you are telling me that I am not allowed to question whether HTML is really a huge security risk, discuss HTML coding on this forum and/or that you intend to post on every such thread with scaremongering about HTML use, then that's fine. I will stop posting here. Just let me know. But don't expect me to just take your (or anyone's) word on things that you can't actually prove.

It's listed right in the admin CP that it's dangerous! If you do not wish to accept my numerous examples of what the use of HTML can lead to, I suggest submitting a ticket at vB.com asking what they recommend. You will receive the same answer: do not enable it.

I've seen allowing html:

Crash the users browsers while they browse forums, redirect to whole new websites with ads and popups, steal cookies and allow users to take over said forum, screw up designs, use said stolen info to take over other things like email accounts ect.

It has NEVER been wise to do so. and everytime one of the other admins allows html on a forum I run I go turn it off. and then rant and rave to them about how its bad, but they re-enable it, and a week later the forums are crashing because someone put some nifty javascript in their singnature and its crashing everyones browsers.

I notice people missed this. The reason its still in there is that it's a feature. Not every forum is open to the general public. Some companies might use the feature if the forum is for internal use only.

Other than that your problems going to be a tricky one since alot of things users can do can disrupt the style if nothing else. You'd probably be better settinging up a load of BB code that gives most of the functionality of HTML with out the risk.

I've seen a few instances where admins will use a forum for announcments, ect and allow html, but no one else can post in them.

That's a good point, and I saw some mention of intranets at vb.com. Still, if it's as much of a security threat as some of these guys seem to think it is I would think they'd just remove it. Employees can wreak just as much havoc (intentionally or by accident) as random Internet people.

Yeah, as I mentioned in my first post I have installed a hack that allows me to enable HTML by usergroup, and I'm only putting select people in it (with the caveat that if they do anything stupid or shady I'll remove them). If I had a much larger forum with a large number of unknown people and me or my co-admin wasn't around all the time I'd be worried. As it is I'm just not.

Thanks for your input guys, but I think if I have any more questions about tweaking HTML I'll take them somewhere else. You lot are just crazy anti-HTML. ;) :D

They won't remove the feature because an equal number of people would complain.

Even if HTML could be enabled per usergroup, and even though you can enable it per forum in conjunction with permissions, I still would not do it. Any permission bug could then lead to people posting HTML.

We're not "anti-HTML." We recognize the inherit dangers of allowing it anywhere on your forums. The true thread is Javascript, but that is delivered in this case through the HTML used. I enormously overwhelmingly strongly recommend you disable HTML instantly and find an alternate solution to your root problem.

*recommends to code your own features for posting instead of relying on html*

No problem - however, just so we are clear, I support the general opinion here.

Anyone who allows users to use html on a public forum is insane, and asking for trouble. A half decent [malicious] coder could write some code in his sig that could do serious damage to the average persons PC very quickly, or equally redirect people to their own site (which could be hard core porn, or worse) and seriously damage the reputation of your forum. Don't do it.

We're clear, but of course the only way to be 100% safe is to take your forum offline. ;)

As an administrator I have to balance the risks - and in this case the biggest risk seems to be the possibility of inadvertently giving HTML rights to a malicious person who is able to do significant damage before I can stop it - against the benefits, such as increased user satisfaction and aesthetic appeal. I appreciate that for everyone here the former easily outweighs the latter, but it's my decision to make and I believe I have all the information I need to make that decision.

You call it insane and asking for trouble, I call it trying to provide the most postive and rewarding environment for my users that the technology affords with a reasonable assessment of the involved risks. Hey, they all said I was crazy for not having any moderation too, but here we are a year later doing just fine. To each his own, I guess. :)

Yes, each to his own. Just don't say we didn't warn you. :)

I just vB doesn't enable PHP in posts. :)

I promise I would never say such a thing. :D

Why not enable HTML in your forums and tell us your forum's URL and maybe some will give it a go, just for sh1ts and giggles, to prove it :D

I don't need proof that people can put malicious code into sigs and posts, I already know that. :) The question is whether the risks are so high that I need to completely disable HTML for all my forum members no matter what, and I don't believe they are. Unless you only visit completely secure, password protected websites anytime you go anywhere on the Internet you open yourself up to the possibility of malicious code. The only way to be 100% safe is to unplug your Internet connection now. Are you gonna do that? :D

I think you're missing the point. HTML is a known security vulnerability. No other part of vB is. By your logic, you're 50% secure by disabling HTML and 100% with no connection, when in fact it is more like 99.9% secure without HTML and 100% with no connection.

Allowing html leads to javascript, or embeded flash ;). Such things can be powerful scripting tools and can take advanage of your users. With bbcode your server is in control of the code, with html on you depend on the end users machine which is always a bad thing when you are allowing users to pass said code to everyone!

I wish you luck if you have enabled it, cause it won't be long..

Have you ever seen The Godfather?

"I keep tryin' to get out, but they keep pullin' me back in!" :D

Actually, no. That's not my logic at all. I have never once said anything about disabling HTML providing only 50% security, I've only said that the only way to protect yourself 100% from encountering malicious code on the Internet is to disconnect your computer from the Internet. That's just a truism.

Here's a question for you: Is it or is it not true that a malicious person could use the IMG and/or URL vBcodes to trick you into going to a porn or warez site, or any other site where you may encounter malicious code?

If yes, then do you believe that allowing the use of the IMG and URL vBcodes is a security risk and that they should never be enabled for any reason? Why or why not?

Using the built-in tags can only deceive the user at worst. HTML can take over your forums.

Although I did disable the [img] tag at my site for security reasons, mainly for retarded bugs in IE that could attach VBScript to images.

I know. Some of my forum users have already posted some really cool stuff using javascript, embedded Flash, and other various applets. Some things that simply wouldn't be possible without HTML. I'm really looking forward to seeing what else they come up with. :)

Indeed. Hopefully our decision to limit HTML use to a select group of users and a continued policy of careful monitoring of the forum will prevent any possibly malicious users from causing any trouble.

A lot of people said exactly the same thing when I told them we didn't plan to moderate for content. For some crazy reason a lot of people seem to think the only possible way to run an Internet forum is like a fascist dictatorship. As I said earlier, though, we've been live a year and have a couple hundred regular, seemingly happy forum users. We're far from a huge forum, but we're not exactly struggling for visitors either. ;)

The time may very well come that I have to disable HTML, make a bunch of strict rules and/or shut the forum down. But until then, I'm going to just keep doing what I think is best for the forum and my users. And at this time that means giving them features and not telling them what they can and cannot talk about. :)

Hmm.. last time you said this I asked you exactly how someone could take over my forum using HTML, and you said they could steal my cookie and use it to login as me. But when I asked you to explain exactly how that's possible you said you don't like it when people argue with you. So are you going to tell me now exactly how someone can steal and use my cookies to take over my forum with HTML, or are you gonna get mad at me for asking again?

:D Okay, well... if I felt that it was too much of a security risk to allow people to post images on my forum, I would take my forum offline. If all I wanted was a place for people to be able to chit chat in plaintext I'd start an IRC room. :)

How about opening you up to unwanted litigation for a start? In today's litigious society if one of your clients/customers gets hacked and they manage to trace it back to your board you're wide open for repurcussions.

Don't be naive enough to think your users won't come after you... we had a software company a few years ago and almost got into trouble ourselves. One of our clients' customer's computers got hit with a virus and they tried to blame our software. After many emails back and forth to our duplication company and several onsite visits, I was able to prove that the virus in fact, came from one of their own employees who was bringing infected disks in from home. He had been hacked and didn't even realize he was causing (and re-causing, and re-re-causing, etc...) the problem!

If I hadn't overheard a conversation about it being the fifth time their systems had to be cleaned (four before they purchased our software), our software company would've been ruined.

I have to agree with the group - raw html is too dangerous!

tmhall,

actions are sometimes worth more then words..
post your url and a 'test' account

Enabling HTML for users? That's a bit insane, you know in IE 6 you can crash the browser in 7 characters (a bug with the <style> tag), but ofcourse the main vulnerability is JavaScript, where a script could easily execute to grab the cookie information, and post it through a hidden iframe to another website, or even make you go to your own profile and jack your user settings up, the possibilities are endless when it comes to it really.

If you want users to be given more powerful options, my suggestion is to create bbcodes via the acp. :)

- Zero Tolerance