The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
#1
|
|||
|
|||
allow html
i want to allow html, and block out certain "TAGS" in the user profiles. anyone know how?
... oh come on. i know this is prolly easy as hell, lol. answer? umm, answer? |
#2
|
|||
|
|||
There is no secure way to allow "safe posting of html".
|
#3
|
||||
|
||||
This already exists https://vborg.vbsupport.ru/showthread.php?t=96926 , but I would be wary. There are too many exploits. I would address this the way I would when I deploy a router or a firewall. I would apply some sort of "ALLOW|PERMIT" list to either allow or deny certain HTML tags and attributes, probably specified in a CSS. Doing it in this manner may also allow you to have certain member groups the ability to have more HTML functionality.
I believe if you are very careful and knowledgeable about the functionality and possible exploitation of any tag or attribute, that this is feasible. I have some notes from a "white hat", (or ethical hacking,) presentation I have that I can pass along. Their site, by the way is http://www.whitehatsec.com if you want to read about all known exploits. First we need to identify potentially malicious character strings like: Code:
../ (Directory Transversal) (*, ?, +) (file globbing characters) ";" (Command Appending) ">" "<" "|" (Data Piping & Re-Directs) " and ? (Input String & Command Manipulation) etc... Any web application allowing HTML is at risk. Even when proper precautions are taken, this is not something you can get around. As in all security access control, "ALLOW|PERMIT" lists are the safest way to go. Potentially dangerous HTML: HTML Code:
<APPLET> <BASE> <BODY> <EMBED> <FRAME> <FRAMESET> <HTML> <IFRAME> <IMG> <LAYER> <META> <OBJECT> <P> <SCRIPT> <STYLE> etc... HTML Code:
STYLE SRC HREF TYPE Some of the more well-known exploits and possible solutions: Code:
<SCRIPT>alert('JavaScript Executed');</SCRIPT> Code:
<IMG SRC="javascript:alert('JavaScript Executed');"> Any HTML tag with a SRC attribute will execute this script on page load or on link activation. As filters search for the (JavaScript/LiveScript/Mocha) strings to filter, placing a single line break in the string will cause the string to bypass the filter, but still execute client-side. Code:
<IMG SRC="javasc ript:alert('JavaScript Executed');"> As another derivative of the previous, Decimal HTML entities within these strings can cause filter bypass. Code:
<IMG SRC="javasc ript:alert('JavaScript Executed');"> Code:
<IMG SRC="javasc
ript:alert('JavaScript Executed');"> Code:
<IMG SRC=javasc ript:alert('JavaScript Executed');> Ther are plenty of others, like turning a style tag into a JavaScript expression; importing dangerous CSS, Import a JavaScript Expression through a style tag (good fodder for you IE haters :P ), using the style attribute to evaluate a JavaScript expression, the stripping of and not replacing of keywords from a string may be used to get around certain CGI filters, The use of alternating caps within a line may cause the executable code to pass through due to case sensitivity within pattern matches, and it goes on... So, in order for this to be feasible, we'll need to create a safe HTML Allow list, and compare Allow list against known dangerous HTML tags and attributes. XML, SOAP, and AJAX technologies only compound these issues. Again, I beleive it can be done, though you are playing with fire, but a very THOROUGH understanding of each allowed HTML tag and attribute needs to be done. [/nerd_mode] :P Some of this content is Copyright 2001 WhiteHat Security |
#4
|
|||
|
|||
haha, thanxz i will read all this, but this looks like allowing it in the posts to?.. im not stupid enough to do that. i just want it in the about me and who i like to meet yada yada in the users profiles
come on. just tell me how to parse html in user profile feilds cant be that hard.. lol |
Thread Tools | |
Display Modes | |
|
|
X vBulletin 3.8.12 by vBS Debug Information | |
---|---|
|
|
More Information | |
Template Usage:
Phrase Groups Available:
|
Included Files:
Hooks Called:
|