vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 Programming Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=15)
-   -   Why is letting HTML dangerous? (https://vborg.vbsupport.ru/showthread.php?t=153764)

Lea Verou 07-30-2007 04:08 AM

Why is letting HTML dangerous?
 
I have read everywhere that letting a user post pure HTML is a site suicide.
I have accepted it for years as an axiom, like 1+1=2.
However, I've seen popular blogging sites allow their bloggers to change the template by providing them its whole HTML, including <script> tags and everything!
Aren't they afraid? Have they taken any "special measures" to prevent abuse, and if so, what measures?

Dismounted 07-30-2007 06:04 AM

Yes, allowing HTML can let hackers inject malicious Javascript into a page, which could potentially steal people's cookie data.

ablaye 07-30-2007 08:49 PM

Quote:

Originally Posted by Dismounted (Post 1305103)
Yes, allowing HTML can let hackers inject malicious Javascript into a page, which could potentially steal people's cookie data.

Can you provide an example??? :D

cheat-master30 07-30-2007 09:09 PM

Quote:

Originally Posted by Michelle (Post 1305051)
I have read everywhere that letting a user post pure HTML is a site suicide.
I have accepted it for years as an axiom, like 1+1=2.
However, I've seen popular blogging sites allow their bloggers to change the template by providing them its whole HTML, including <script> tags and everything!
Aren't they afraid? Have they taken any "special measures" to prevent abuse, and if so, what measures?

  1. They can use CSS and styling to disrupt the layout massively, or make parts of the login box or other features/links disappear from view.
  2. As said, Javascript cookie stealing.
  3. Javascript causes really annoying effects such as things flying around or maybe the page upside down/flipped.
  4. Iframes to embed viruses and other malware.
  5. Iframes or forms to embed fake forms for phishing purposes/stealing passwords, even making the fake form look part of the site.
  6. Crashing the browser with an extremely large image.
  7. Redirects to other, potentially dangerous/offensive pages.
  8. Browser exploits.
  9. Annoyances such as leaving tags open to turn everything bold under the empty tag or italic or underline etc...

Dismounted 07-31-2007 05:59 AM

Quote:

Originally Posted by ablaye (Post 1305663)
Can you provide an example??? :D

No, because then you'd go around trying to exploit forums...

Lea Verou 07-31-2007 06:08 AM

Quote:

Originally Posted by cheat-master30 (Post 1305673)
  1. They can use CSS and styling to disrupt the layout massively, or make parts of the login box or other features/links disappear from view.
  2. As said, Javascript cookie stealing.
  3. Javascript causes really annoying effects such as things flying around or maybe the page upside down/flipped.
  4. Iframes to embed viruses and other malware.
  5. Iframes or forms to embed fake forms for phishing purposes/stealing passwords, even making the fake form look part of the site.
  6. Crashing the browser with an extremely large image.
  7. Redirects to other, potentially dangerous/offensive pages.
  8. Browser exploits.
  9. Annoyances such as leaving tags open to turn everything bold under the empty tag or italic or underline etc...

So, they can't harm the whole site, just the current page?
If so, then these blogging sites are not doing anything dangerous, each blog is its blogger's responsibility...

Dismounted 07-31-2007 06:20 AM

But your forum is your responsibility.

Lea Verou 07-31-2007 06:35 AM

Quote:

Originally Posted by Dismounted (Post 1305960)
But your forum is your responsibility.

Definitely. :)
But I'm going to add blogs to it, and I'm wondering if I should let them customize the whole html template or just the css. That's why I asked :)

vertigo jones 07-31-2007 01:33 PM

There's also things like that Myspace friends worm that happened early on over there.

Had some shit where there was some javascript embedded on someone's profile and then everyone who came to that page was added as a friend to that person AND it also copied itself to the viewing person's profile. Within a day or so the guy who started it was friends with everyone on Myspace. Something like that.

People can do weird, potentially dangerous things when they can stick whatever javascript they want on a page.

Lea Verou 08-01-2007 08:47 AM

So I'd better let them customize just the css?
Are there any exploits that someone can perform from css?
(We suppose that the code will strip html tags so that's not the case)
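The usual answer to both cheat-master30's list and the CSS question is an allowlist sanitizer: decide which tags, attributes, URL schemes and CSS properties are permitted and drop everything else, rather than trying to blocklist the bad ones. The following is an added teaching example written for this thread, not vBulletin code and not code posted by anyone above; it uses Python's standard html.parser, and the particular allowlists (tags, attributes, CSS properties) are assumptions chosen for illustration. It keeps a few formatting tags, removes every attribute not explicitly allowed (so all on* handlers go), accepts only http/https or site-relative URLs, keeps only plain inline CSS values (no url(), expression() or @import, and no position/top, so a block cannot be placed over the real login box), discards script/style/iframe/form elements together with their content, and closes any tag the author left open so bold or italic cannot bleed into the rest of the page.

```python
"""Allowlist HTML sanitizer. Constructed example, not vBulletin code."""
from html import escape
from html.parser import HTMLParser
import re

# Illustrative allowlists (assumptions for this example, not a recommended policy).
ALLOWED_TAGS = {"p", "b", "i", "u", "a", "img", "br", "ul", "ol", "li", "blockquote", "span"}
VOID_TAGS = {"br", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}, "span": {"style"}, "p": {"style"}}
# Elements whose whole content is discarded, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed", "form"}
ALLOWED_CSS_PROPS = {"color", "background-color", "font-weight", "font-style",
                     "text-decoration", "font-size"}
# Plain values only: no parentheses, quotes or slashes, so url()/expression() cannot appear.
CSS_VALUE_RE = re.compile(r"^[\w\s#%.,-]+$")


def safe_url(value):
    """Return the URL if it is http(s) or site-relative, otherwise None."""
    v = re.sub(r"[\s\x00-\x1f]", "", value)  # whitespace/control chars can disguise a scheme
    if v.lower().startswith(("http://", "https://")):
        return v
    if v.startswith("/") and not v.startswith("//"):  # relative, but not protocol-relative
        return v
    return None


def clean_style(style):
    """Keep only allowlisted property/value pairs of an inline style attribute."""
    kept = []
    for decl in style.split(";"):
        prop, _, val = decl.partition(":")
        prop, val = prop.strip().lower(), val.strip()
        if prop in ALLOWED_CSS_PROPS and CSS_VALUE_RE.match(val):
            kept.append(f"{prop}: {val}")
    return "; ".join(kept)


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # tags we emitted and still have to close
        self.skip_depth = 0   # > 0 while inside a DROP_CONTENT_TAGS element

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag dropped; its text content is still kept
        pieces = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onerror/onclick/... and anything else unlisted
            if name in ("href", "src"):
                value = safe_url(value)
            elif name == "style":
                value = clean_style(value)
            if value:
                pieces.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(pieces)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth -= 1
            return
        if tag in self.open_tags:
            while True:  # also closes mis-nested inner tags
                top = self.open_tags.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # text is re-escaped and can never become markup

    def result(self):
        while self.open_tags:  # close whatever the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html):
    p = Sanitizer()
    p.feed(html)
    p.close()
    return p.result()


# Constructed input: unclosed <b>, layout-breaking CSS, a script, an event handler,
# a javascript: link, an iframe and a CSS expression().
SAMPLE = ('<p style="color: red; position: fixed; top: 0">Hi <b>there'
          '<script>document.cookie</script>'
          '<img src="/uploads/x.png" onerror="alert(1)">'
          '<a href="javascript:alert(1)">click</a> '
          '<iframe src="http://example.com/"></iframe>'
          '<span style="color: expression(alert(1))">x</span> 1 &lt; 2')

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

Running it prints the cleaned fragment with the script, iframe, handler, javascript: link and position rules gone and the stray <b> closed at the end. For a production vBulletin-style site the same allowlist approach is better taken from a maintained library than hand-rolled, since browser parsing quirks keep changing; the point of the example is the policy, not the parser.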



Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
