Thread: Why is letting HTML dangerous?
View Single Post
  #4  
Old 07-30-2007, 08:09 PM
cheat-master30's Avatar
cheat-master30 cheat-master30 is offline
 
Join Date: Mar 2007
Location: Information Classified
Posts: 1,715
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by Michelle View Post
I have read everywhere that letting a user post pure HTML is a site suicide.
I have accepted it for years as an axiom, like 1+1=2.
However, I've seen popular blogging sites to allow their bloggers to change the template by providing them its whole HTML, including <script> tags and everything!
Aren't they afraid? Have they taken any "special measures" to prevent abuse, and if so, what measures?
  1. They can use CSS and styling to disrupt the layout massively, or make parts of the login box or other features/links disappear from view.
  2. As said, Javascript cookie stealing.
  3. Javascript causes really annoying effects such as things flying around or maybe the page upside down/flipped.
  4. Iframes to embed viruses and other malware.
  5. Iframes or forms to embed fake forms for phishing purposes/stealing passwords, even making the fake form look part of the site.
  6. Crashing the browser with an extremely large image.
  7. Redirects to other, potentially dangerous/offensive pages.
  8. Browser exploits.
  9. Annoyances such as leaving tags open to turn everything bold under the empty tag or italic or underline etc...
Reply With Quote
 
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.02062 seconds
  • Memory Usage 1,763KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD_SHOWPOST
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)bbcode_quote
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_box
  • (1)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit_info
  • (1)postbit
  • (1)postbit_onlinestatus
  • (1)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • reputationlevel
  • showthread
Included Files:
  • ./showpost.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showpost_start
  • bbcode_fetch_tags
  • bbcode_create
  • postbit_factory
  • showpost_post
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • showpost_complete