Disallow HTML code in Thread Titles
Version: 1.01, by steadicamop
Developer Last Online: Dec 2014

Category: Miscellaneous Hacks - Version: 3.6.0
Released: 09-02-2006 Last Update: 09-02-2006 Installs: 20
Code Changes  
No support by the author.

Disallow HTML code in Thread Titles v1.01

Quote:
Originally Posted by Staff Note
Unmodified vBulletin will not evaluate HTML in thread titles. Using this modification without a hack installed that has security vulnerabilities is useless.

Also, installing this modification, even with a modification installed that would make your board vulnerable to this type of HTML posting in thread titles, will only give you a false sense of security, since there are many other options to exploit this, even without the use of the ">" character.

Everyone is encouraged to remove or update the vulnerable modification instead of using this hack.

Marco van Herwaarden.
By Jason Williams/Andrew Calderbank
03/09/2006

Recently there has been a spate of members posting HTML redirection code in thread titles, which, when parsed on the forum homepage, runs and redirects to whatever site they insert into the title.

This code simply disallows the characters < and > from being used in thread titles; this is also checked when editing the post.

It's fairly simple but puts an end to members signing up and posting redirect links. I don't know whether you'd class this as a hack or a bug fix, but I hope this helps other members who are frustrated with this issue.

2 file edits
1 new phrase

Should be fairly straightforward to install.

**ALWAYS BACK UP FILES BEFORE YOU EDIT THEM!!**

v1.00

Original release

v1.01

Slight code update

  • This modification may not be copied, reproduced or published elsewhere without author's permission.
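The staff note above carries the security-relevant point: rejecting two characters at input time is not the same as escaping at output time. The PHP below is an added example written for this page, not code from the modification or from vBulletin. It reproduces the mod's preg_match('/<|>/') check as posted and sets it beside htmlspecialchars() applied at the output boundary, using a hypothetical add-on template (render_unescaped) that drops the raw title into an HTML attribute and a text node; unmodified vBulletin does not do that, as the staff note says. The sample titles are constructed for the example, and example.invalid is a placeholder hostname.

```php
<?php
// Added example for this page; not part of the "Disallow HTML code in
// Thread Titles" modification or of vBulletin itself.
declare(strict_types=1);

// The mod's check, exactly as posted: reject any title containing < or >.
function title_has_angle_brackets(string $title): bool
{
    return preg_match('/<|>/', $title) === 1;
}

// Hypothetical vulnerable add-on template (an assumption for the example):
// the raw title is interpolated into an attribute and into a text node.
function render_unescaped(string $title): string
{
    return '<a href="showthread.php?t=1" title="' . $title . '">' . $title . '</a>';
}

// Hardened form: escape at the output boundary. ENT_QUOTES covers both
// " and ', so the attribute context is handled as well as the text node.
function render_escaped(string $title): string
{
    $safe = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="showthread.php?t=1" title="' . $safe . '">' . $safe . '</a>';
}

// Runs one title through the blacklist and both renderers.
function check_title(string $title): array
{
    $rejected = title_has_angle_brackets($title);
    return [
        'title'     => $title,
        'rejected'  => $rejected,
        // The unescaped template is only reached if the blacklist lets the title through.
        'unescaped' => $rejected ? null : render_unescaped($title),
        'escaped'   => render_escaped($title),
    ];
}

// Constructed sample titles (not taken from any real post).
$samples = [
    'Plain title with no markup',
    '<meta http-equiv="refresh" content="0;url=http://example.invalid">',
    // No < or > at all: breaks out of the title="" attribute instead.
    '" onmouseover="document.location=\'http://example.invalid\'',
    // Legitimate title that the blacklist rejects.
    'Math question: is 2 < 3?',
];

foreach ($samples as $title) {
    $r = check_title($title);
    echo "Title:      {$r['title']}\n";
    echo "Blacklist:  " . ($r['rejected'] ? 'REJECTED' : 'accepted') . "\n";
    if ($r['unescaped'] !== null) {
        echo "Unescaped:  {$r['unescaped']}\n";
    }
    echo "Escaped:    {$r['escaped']}\n\n";
}
```

Run it with `php` from the command line. The second sample is the redirect payload the mod was written against and is rejected. The third contains neither < nor >, passes the blacklist, and in the unescaped template closes the title attribute and adds an onmouseover handler; the escaped template renders it as inert text. The fourth is an ordinary title the blacklist refuses, which is the collateral damage of filtering characters rather than escaping output.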

Comments
#12
09-03-2006, 11:11 PM
Nuguru
Join Date: Jun 2006
Posts: 93

Hello,

I was wondering if this security issue applies to 3.5.4 and whether this fix will work with 3.5.4. Or how do I get the same result making code changes with 3.5.4? Advice would be appreciated.

Thank You,

Nuguru
#13
09-04-2006, 12:59 AM
eclectica
Join Date: Sep 2003
Location: Brooklyn, New York
Posts: 64

Isn't this a vBulletin bug you are fixing?
#14
09-04-2006, 11:27 AM
chimaira
Join Date: Feb 2005
Posts: 93

Quote:
Originally Posted by steadicamop
OK, replace the code for this:

Code:
    // Abort with a standard error page if the title contains < or >
    elseif (preg_match('/<|>/', $vbulletin->GPC['title']))
        eval(standard_error(fetch_error('nohtml')));
That should solve it.
Replace what code with that, exactly?

Code:
    // Append to the $errors array instead of aborting
    if (preg_match('/<|>/', $post['title']))
        $errors[] = fetch_error('nohtml');
^^ that?
#15
09-04-2006, 12:57 PM
xman_79
Join Date: Jun 2006
Location: Romania
Posts: 65

The idea is very good, but I have a problem.

I wrote HTML code in the title and it worked (the HTML code). I wrote it a second time and the message "Could not find phrase 'nohtml'" appeared.

Please tell me how I can solve the problem.

Thanks.
#16
09-04-2006, 01:54 PM
steadicamop
Join Date: Jul 2004
Location: Lancashire, UK
Posts: 379

You need to add the phrase in the text file; it's the last step in the instructions:

In the AdminCP -> Language & Phrases -> Phrase Manager -> Add New Phrase

Phrase Type: Front-End Error Messages
Product: vBulletin
Varname: nohtml
Text: Sorry, you are not allowed to post HTML in Thread titles, please go back and change it.

HTH
#17
09-04-2006, 03:11 PM
apdcanari
Join Date: May 2005
Location: Belgique
Posts: 97

vB 3.5.4? Please.
#18
09-04-2006, 04:37 PM
redlabour
Join Date: Mar 2004
Location: Wuppertal, NRW, Germany
Posts: 1,541

Thx... these guys tried it on my project!
#19
09-04-2006, 06:46 PM
steadicamop
Join Date: Jul 2004
Location: Lancashire, UK
Posts: 379

Quote:
Originally Posted by apdcanari
vB 3.5.4? Please.
Have you tried searching for the code in the 3.5.4 files? (I'm not totally sure whether postings.php exists in that version.) It's something I could look into for that version too.
#20
09-04-2006, 06:52 PM
steadicamop
Join Date: Jul 2004
Location: Lancashire, UK
Posts: 379

Quote:
Originally Posted by chimaira
replace what code with that exactly ?

Code:
if (preg_match('/<|>/',$post['title']))
	    $errors[] = fetch_error('nohtml');
^^ that?
Only replace the code with that if you installed v1.00 - which I think didn't last too long before the update, the new file has the correct code in.
#21
09-05-2006, 04:14 AM
smoothfuego
Join Date: Apr 2006
Posts: 1

Quote:
Originally Posted by steadicamop
Have you tried searching for the code in the 3.5.4 files? (I'm not totally sure whether postings.php exists in that version.) It's something I could look into for that version too.
It does exist, but the code for includes/functions_newpost.php (or something like that) is different, so it can't work with 3.5.4 :cry: If you could do one for 3.5.4 it would be greatly appreciated, as someone is constantly doing it to my forum.