Version: 1.01, by steadicamop
Developer Last Online: Dec 2014
Category: Miscellaneous Hacks
Version: 3.6.0
Released: 09-02-2006
Last Update: 09-02-2006
Installs: 20
Code Changes
No support by the author.
Disallow HTML code in Thread Titles v1.01
Quote:
Originally Posted by Staff Note
Staff Note: Unmodified vBulletin will not evaluate HTML in thread titles. Using this modification without a hack installed that has security vulnerabilities is useless.
Also installing this modification, even with a modification installed that would make your board vulnerable to this type of HTML posting in thread titles, only will give you a false sense of security since there are many other options to exploit this, even without the use of the ">" character.
Everyone is encouraged to remove or update the vulnerable modification instead of using this hack.
Marco van Herwaarden.
By Jason Williams/Andrew Calderbank
03/09/2006
Recently there has been a spate of members posting html redirection code in thread titles, which when parsed on the forum homepage runs and redirects to whatever site they insert into the title.
This code simply disallows the characters < and > from being used in the thread titles; this is also checked when editing the post.
It's fairly simple but puts an end to members signing up and posting redirect links. I don't know whether you'd class this as a hack or bug fix, but I hope this helps other members who are frustrated with this issue.
2 file edits
1 new phrase
Should be fairly straightforward to install.
**ALWAYS BACK UP FILES BEFORE YOU EDIT THEM!!**
v1.00
Original release
v1.01
Slight code update
This modification may not be copied, reproduced or published elsewhere without author's permission.
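To illustrate the staff note above, here is an added example (not vBulletin code and not part of this modification) that compares rejecting < and > at input with encoding the title at output using PHP's `htmlspecialchars`. The function names and sample titles are hypothetical, and the link markup is a simplified stand-in for a forum template.

```php
<?php
// Added example: not vBulletin code and not part of this modification.
// Function names and sample titles are constructed for illustration.

// Input filter in the style of the modification: reject any title with < or >.
function title_passes_filter(string $title): bool
{
    return strpbrk($title, '<>') === false;
}

// Output encoding: store the title as typed, encode it once when rendering.
// ENT_QUOTES also encodes " and ', which matters inside attribute values.
function encode_title(string $title): string
{
    return htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render a thread link with the title in both text and attribute context.
function render_thread_link(int $threadId, string $title): string
{
    $safe = encode_title($title);
    return sprintf('<a href="showthread.php?t=%d" title="%s">%s</a>', $threadId, $safe, $safe);
}

$titles = [
    'Upgrading from 3.5.4 to 3.6.0',
    'Is 2 < 3 when comparing strings?',   // legitimate, but the filter rejects it
    'Tom & Jerry "best of" thread',       // passes the filter, still needs encoding
    "Moderator's picks",
];

foreach ($titles as $id => $title) {
    printf("%-8s %s\n", title_passes_filter($title) ? 'accepted' : 'rejected', $title);
    echo '         ', render_thread_link($id + 1, $title), "\n";
}
```

The filter refuses a harmless title and leaves quotes and ampersands untouched, while the encoded output is inert text in both the link body and the `title` attribute for every sample.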
I was wondering if this security issue applies to 3.5.4 and will this fix work with 3.5.4? Or how do I get the same result making code changes with 3.5.4? Advice would be appreciated.
You need to add the phrase in the text file; it's the last step in the instructions:
In the AdminCP -> Language & Phrases -> Phrase Manager -> Add New Phrase
Phrase Type : Front-End Error Messages
Product : VBulletin
Varname : nohtml
Text : Sorry, you are not allowed to post HTML in Threadtitles, please go back and change it.
Have you tried searching for the code in the 3.5.4 files (I'm not totally sure whether postings.php exists in that version), it's something I could look into for that version too.
It does exist, but the coding for the includes/functions_newpost.php (or something like that) is different, so it can't work with 3.5.4 :cry: If you could do one for 3.5.4 it would be greatly appreciated, as someone is constantly doing it to my forum.