vb.org Archive

zetetic 04-19-2005 09:31 PM

HTML Brain Teaser
 
I recently enabled HTML in posts on my forum, but only for members of the "Can use HTML" group. (Thanks to this handy hack.)

And one of my users immediately found a little bug. By putting:

HTML Code:

<!--

in a post, he was able to screw up the postbit so bad the reply buttons were all gone and such. To prevent it, I tried all these tags after $post[message] in the postbit template:

HTML Code:

<!-- comment -->
<!-- -->
<!---->
-->

But the first three had no effect (they just got commented out with everything else from the opening comment tag in the post) and the last one just showed up at the end of every post.

Can you think of a solution to this? (Besides disabling HTML :p)

DRJ 04-19-2005 09:54 PM

a) disable html.
b) only allow members that will not #$%# up your board to use html.
c) when b fails, refer to a.

zetetic 04-19-2005 10:04 PM

Quote:

Originally Posted by DRJ
a) disable html.

See the words preceding the tongue out smilie. HTML is a powerful tool that (used properly) can dramatically improve the aesthetic quality of a forum.

Disabling it is not an option! :p

Quote:

b) only allow members that will not #$%# up your board to use html.

There will always be people who are malicious, clueless or careless. I think the answer is to try to make the software foolproof, not cripple it.

Quote:

c) when b fails, refer to a.

So you don't know how to fix it, eh? :D

Paul M 04-19-2005 11:56 PM

Adding <!-- to the swear censor might work - I haven't tested it.

Zachery 04-20-2005 12:02 AM

Quote:

Originally Posted by Paul M
Adding <!-- to the swear censor might work - I haven't tested it.

If you don't want users messing up your page layout, stop letting them use html, period.

DRJ 04-20-2005 12:16 AM

I am sorry I do not know a 100% fix. And you will run into more problems than just the <!--.

What you need to do is create bb code to allow certain html tags to be used.

kall 04-20-2005 12:29 AM

The whole idea of not allowing HTML is to prevent precisely what you have had happen.

There's no way around it. If you allow it, you have to limit it... and that defeats the purpose of allowing it.

zetetic 04-20-2005 12:37 AM

Quote:

Originally Posted by Paul M
Adding <!-- to the swear censor might work - I haven't tested it.

Ooo... now that's a good idea. Unfortunately I use this user optional word censor hack in place of the regular word censor, so that won't work for me. But thanks for giving it some thought.

Quote:

Originally Posted by kall
The whole idea of not allowing HTML is to prevent precisely what you have had happen.

There's no way around it. If you allow it, you have to limit it... and that defeats the purpose of allowing it.

What makes completely removing it better than limiting it? I already limit it by restricting it to people who are in a specific group. And you're right, if I have to limit it a lot more than that I might as well not enable it at all.

I have to say... I've seen all the discussion around here and at vb.com over the years about how nobody should ever enable HTML under any circumstance ever ever ever, and it really makes me wonder why Jelsoft hasn't just removed the functionality from vBulletin.

But even if they did, I'd find a way to hack it back in. :)

kobescoresagain 04-20-2005 01:43 AM

Could you somehow put --> somewhere. That way they would cancel each other out?

zetetic 04-20-2005 01:49 AM

Quote:

Originally Posted by kobescoresagain
Could you somehow put --> somewhere. That way they would cancel each other out?

I thought I could, but unfortunately if you put that right after $post[message] in the postbit template it shows up in every post. Hmm... maybe I can put it within a comment though. I wonder what effect something like <!-- --> --> might have. I'll keep playing around. :)

ETA: Well I'll be damned. That seems to work! :D

Oops, no it doesn't. :o
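
Added example, not part of the thread and not vBulletin code: instead of trying to close the comment from the template, the post can be neutralized before it is placed in $post[message]. The Python below goes beyond the <!-- case to the allow-list idea DRJ raises; the tag list, the function names and the POSTBIT stand-in are assumptions made for illustration.

```python
import html
import re

# Assumption: attribute-free tags a forum might permit. Attributes (style,
# href, event handlers) are left out because each needs its own validation.
ALLOWED = {"b", "i", "u", "em", "strong", "p", "ul", "ol", "li", "blockquote"}
VOID = {"br"}  # permitted tags that never take a closing tag

# Once the whole message is escaped, a bare tag reads &lt;b&gt; or &lt;/b&gt;
ESCAPED_TAG = re.compile(r"&lt;(/?)([A-Za-z][A-Za-z0-9]*)\s*/?&gt;")


def sanitize_post(message):
    """Escape everything, then restore only allow-listed, balanced tags."""
    escaped = html.escape(message)  # "<!--" is now the inert text "&lt;!--"
    out, pos, open_tags = [], 0, []
    for m in ESCAPED_TAG.finditer(escaped):
        out.append(escaped[pos:m.start()])
        pos = m.end()
        closing, name = m.group(1) == "/", m.group(2).lower()
        if not closing and name in VOID:
            out.append(f"<{name}>")
        elif not closing and name in ALLOWED:
            open_tags.append(name)
            out.append(f"<{name}>")
        elif closing and name in open_tags:
            # Close anything opened after `name` first so nesting stays valid.
            while open_tags:
                top = open_tags.pop()
                out.append(f"</{top}>")
                if top == name:
                    break
        else:
            out.append(m.group(0))  # unknown or unmatched tag stays as text
    out.append(escaped[pos:])
    # Close what the poster left open so it cannot leak into the template.
    out.extend(f"</{name}>" for name in reversed(open_tags))
    return "".join(out)


# Constructed stand-in for the postbit: markup after the message must survive.
POSTBIT = '<div class="post">{message}</div><a href="#reply">Reply</a>'


def render_postbit(message):
    return POSTBIT.format(message=sanitize_post(message))


if __name__ == "__main__":
    for sample in ["<!--", "a --> b", "<b>bold <i>both", "<script>x</script>"]:
        print(repr(sample), "->", sanitize_post(sample))
```

Because the comment opener is turned into text before it reaches the template, the result does not depend on how a given browser ends comments.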

