  #1  
Old 07-30-2007, 04:08 AM
Lea Verou
 
Join Date: Jul 2005
Location: Greece
Posts: 1,856
Why is letting HTML dangerous?

I have read everywhere that letting a user post pure HTML is a site suicide.
I have accepted it for years as an axiom, like 1+1=2.
However, I've seen popular blogging sites allow their bloggers to change the template by providing them its whole HTML, including <script> tags and everything!
Aren't they afraid? Have they taken any "special measures" to prevent abuse, and if so, what measures?
  #2  
Old 07-30-2007, 06:04 AM
Dismounted
 
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047

Yes, allowing HTML can let hackers inject malicious Javascript into a page, which could potentially steal people's cookie data.
  #3  
Old 07-30-2007, 08:49 PM
ablaye
 
Join Date: Dec 2006
Location: WebmasterGround.com
Posts: 65

Quote:
Originally Posted by Dismounted
Yes, allowing HTML can let hackers inject malicious Javascript into a page, which could potentially steal people's cookie data.
Can you provide an example???
  #4  
Old 07-30-2007, 09:09 PM
cheat-master30
 
Join Date: Mar 2007
Location: Information Classified
Posts: 1,715

Quote:
Originally Posted by Michelle
I have read everywhere that letting a user post pure HTML is a site suicide.
I have accepted it for years as an axiom, like 1+1=2.
However, I've seen popular blogging sites allow their bloggers to change the template by providing them its whole HTML, including <script> tags and everything!
Aren't they afraid? Have they taken any "special measures" to prevent abuse, and if so, what measures?
  1. They can use CSS and styling to disrupt the layout massively, or make parts of the login box or other features/links disappear from view.
  2. As said, Javascript cookie stealing.
  3. Javascript causes really annoying effects such as things flying around or maybe the page upside down/flipped.
  4. Iframes to embed viruses and other malware.
  5. Iframes or forms to embed fake forms for phishing purposes/stealing passwords, even making the fake form look part of the site.
  6. Crashing the browser with an extremely large image.
  7. Redirects to other, potentially dangerous/offensive pages.
  8. Browser exploits.
  9. Annoyances such as leaving tags open to turn everything bold under the empty tag or italic or underline etc...
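One defensive answer to the list above, as an added example (not code from this thread or from vBulletin): instead of passing raw HTML through, parse it and rebuild only an allowlist of tags, so the script, iframe, form and style elements, on* handlers, javascript: links and unclosed tags the posters mention never reach the rendered page. The tag and attribute sets below are my own choice for illustration.

```python
# Allowlist HTML sanitizer (added example, stdlib only): user markup is parsed
# and rebuilt, so only the tags/attributes below survive the round trip.
from html import escape
from html.parser import HTMLParser

ALLOWED = {"p": set(), "b": set(), "i": set(), "br": set(),   # tag -> attrs
           "a": {"href", "title"}, "img": {"src", "alt"}}
VOID = {"br", "img"}                 # tags that take no closing tag
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "form"}
SAFE_SCHEMES = ("http://", "https://", "mailto:", "/")
def safe_url(value):   # rejects javascript:, data:, vbscript: and the like
    v = value.replace("\x00", "").strip().lower()
    return any(v.startswith(s) for s in SAFE_SCHEMES)
class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack, self.skip = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:     # swallow the element and its contents
            self.skip += 1
        elif not self.skip and tag in ALLOWED:   # unknown tag: text kept, tag dropped
            kept = []
            for name, value in attrs:
                value = value or ""
                if name in ALLOWED[tag] and (name not in ("href", "src") or safe_url(value)):
                    kept.append(f' {name}="{escape(value, quote=True)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")   # onclick=, style= never kept
            if tag not in VOID:
                self.stack.append(tag)
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.stack:
            while self.stack:            # also closes tags left open inside it
                t = self.stack.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))   # text is always re-escaped

def sanitize(html):
    s = Sanitizer()
    s.feed(html)
    s.close()
    while s.stack:                       # close tags the user never closed
        s.out.append(f"</{s.stack.pop()}>")
    return "".join(s.out)
```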
  #5  
Old 07-31-2007, 05:59 AM
Dismounted
 
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047

Quote:
Originally Posted by ablaye
Can you provide an example???
No, because then you'd go around trying to exploit forums...
  #6  
Old 07-31-2007, 06:08 AM
Lea Verou
 
Join Date: Jul 2005
Location: Greece
Posts: 1,856

Quote:
Originally Posted by cheat-master30
  1. They can use CSS and styling to disrupt the layout massively, or make parts of the login box or other features/links disappear from view.
  2. As said, Javascript cookie stealing.
  3. Javascript causes really annoying effects such as things flying around or maybe the page upside down/flipped.
  4. Iframes to embed viruses and other malware.
  5. Iframes or forms to embed fake forms for phishing purposes/stealing passwords, even making the fake form look part of the site.
  6. Crashing the browser with an extremely large image.
  7. Redirects to other, potentially dangerous/offensive pages.
  8. Browser exploits.
  9. Annoyances such as leaving tags open to turn everything bold under the empty tag or italic or underline etc...
So, they can't harm the whole site, just the current page?
If so, then these blogging sites are not doing anything dangerous, each blog is its blogger's responsibility...
  #7  
Old 07-31-2007, 06:20 AM
Dismounted
 
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047

But your forum is your responsibility.
  #8  
Old 07-31-2007, 06:35 AM
Lea Verou
 
Join Date: Jul 2005
Location: Greece
Posts: 1,856

Quote:
Originally Posted by Dismounted
But your forum is your responsibility.
Definitely.
But I'm going to add blogs to it, and I'm wondering if I should let them customize the whole HTML template or just the CSS. That's why I asked.
  #9  
Old 07-31-2007, 01:33 PM
vertigo jones
 
Join Date: May 2007
Posts: 70

There are also things like that Myspace friends worm that happened early on over there.

Had some shit where there was some javascript embedded on someone's profile and then everyone who came to that page was added as a friend to that person AND it also copied itself to the viewing person's profile. Within a day or so the guy who started it was friends with everyone on Myspace. Something like that.

People can do weird, potentially dangerous things when they can stick whatever javascript they want on a page.
  #10  
Old 08-01-2007, 08:47 AM
Lea Verou
 
Join Date: Jul 2005
Location: Greece
Posts: 1,856

So I'd better let them customize just the CSS?
Are there any exploits that someone can perform from CSS?
(We suppose that the code will strip HTML tags, so that's not the case.)