HTML Brain Teaser

[filburt1]

Never, ever, ever allow HTML. There is no such thing as a trusted user, and hell no such a thing as a trusted usergroup. There is absolutely no advantage in HTML that is worth the insanely high security risks. Don't allow it anywhere.

[noppid]

Make vB codes for all the HTML you want to allow and make the kiddie scripters use them instead. That should give YOU control and the dynamics you want.

However....Good Luck!

[zetetic]

Quote:

Originally Posted by filburt1

Never, ever, ever allow HTML. There is no such thing as a trusted user, and hell no such a thing as a trusted usergroup. There is absolutely no advantage in HTML that is worth the insanely high security risks. Don't allow it anywhere.

What are the insanely high security risks in enabling HTML? The worst I've heard is that someone could swipe cookies and get my users md5 hashed passwords then try a brute force attack to crack them. But I guarantee my admin password isn't going to get cracked like that, and if it happened to some of my users--while it would be very bad in terms of violating their privacy--I certainly wouldn't call that an insanely high security risk.

What other specific risks do you have in mind?

[filburt1]

Quote:

Originally Posted by tmhall

What are the insanely high security risks in enabling HTML? The worst I've heard is that someone could swipe cookies and get my users md5 hashed passwords then try a brute force attack to crack them. But I guarantee my admin password isn't going to get cracked like that, and if it happened to some of my users--while it would be very bad in terms of violating their privacy--I certainly wouldn't call that an insanely high security risk.

What other specific risks do you have in mind?

They can still send those hashes to the server to simulate a logon. You can never guarantee that a password won't get "cracked"--in fact, passwords are notorious for being a horrible means of securing any system given it doesn't really verify that the user in question is who he claims to be.

Hell, for all you know, they could use the HTML in conjunction with some Javascript to fake a login form that redirects to their site, then they can steal your username and password in plain text. They can redirect to their own site for a request to that page. They can use CSS to restyle everything on the page. The list is seemingly endless.

With the exception of tables and more complex multiple argument HTML tags, there is nothing in HTML that can't be safely reproduced in vB code tags.

There is a reason that the only bolded text that I've encountered in a setting description in vB is to never enable HTML.

[Brad]

IMHO they should just go ahead and remove html support all togther. Its a legacy feture really, back in the old days we had to use html because we diden't have bbcode (this is a time way before vB).

There is no reason to turn it on, like other have said, if you enable it you have to limit it which defeats the entire purpose of enabling it. Like filburt1 said, reproduce any html commands you need with bbcode.

[zetetic]

Quote:

Originally Posted by filburt1

They can still send those hashes to the server to simulate a logon. You can never guarantee that a password won't get "cracked"--in fact, passwords are notorious for being a horrible means of securing any system given it doesn't really verify that the user in question is who he claims to be.

Okay let's take a step back here first. Do you know exactly how someone can steal cookies using HTML on my forum? And if they can, are you saying that they can somehow use that cookie to login to the forum as me without cracking the password?

Quote:

Hell, for all you know, they could use the HTML in conjunction with some Javascript to fake a login form that redirects to their site, then they can steal your username and password in plain text.

But they can't fake a login form that's going to trick me. I mean I know vBulletin doesn't ever pop up a login window, so it's not like I'm going to forget that and type in my login name and pw. Granted some of my users might fall for that, but then again I'm not as worried about my users accounts being compromised as I am my own. Which is to say if someone was harvesting my users login info that way I would find out about it fast and stop it. But if someone got into my account they could actually do some serious damage.

Quote:

They can redirect to their own site for a request to that page.

I don't think a redirect is an insane security risk though.

Quote:

They can use CSS to restyle everything on the page. The list is seemingly endless.

They can? I'll have to do some testing but that doesn't seem possible.

Quote:

With the exception of tables and more complex multiple argument HTML tags, there is nothing in HTML that can't be safely reproduced in vB code tags.

HTML is a huge specification with a million features and functions that vB code tags can't do. Granted the average forum user would never use any of it, but when you have professional web designers using your site they prefer to have the power and flexibility of HTML.

Quote:

There is a reason that the only bolded text that I've encountered in a setting description in vB is to never enable HTML.

Is there a reason they don't just remove the setting?

Don't get me wrong, I'm far from an expert on vBulletin, or HTML and I'm not just trying to mess with you here. It's just that in the last year I've been lurking around here I've yet to read any concrete, specific security threats of enabling HTML. And I'm just not one to strip down the software functionality unnecessarily. If someone tells me to disable a feature of the software I want to know exactly why I should.

[filburt1]

No offense, but don't just quote every sentence I say and dispute it. It annoys the hell out of me when people do that. Remember, nothing personal.

I will sum up my statement with the following indisputable fact that any experienced vBulletin administrator or developer will echo:

There is no safe way to enable HTML, and the benefits of enabling it are obliterated by the onslaught of security vulnerabilities it introduces.

I partially agree with Brad in that it probably shouldn't have been implemented for this exact reason, but I also have my own private opinion on that.

[zetetic]

Quote:

Originally Posted by filburt1

No offense, but don't just quote every sentence I say and dispute it. It annoys the hell out of me when people do that. Remember, nothing personal.

I will sum up my statement with the following indisputable fact that any experienced vBulletin administrator or developer will echo:

There is no safe way to enable HTML, and the benefits of enabling it are obliterated by the onslaught of security vulnerabilities it introduces.

I partially agree with Brad in that it probably shouldn't have been implemented for this exact reason, but I also have my own private opinion on that.

Well nothing personal but it annoys the hell out of me when people tell me that actually using one of the features of software that I paid for is an insanely high security risk, but then can't tell me exactly what the risks are. I'm sorry that I'm not a person who just believes whatever I'm told without question, it's a personal problem I have. If you want me to believe that enabling HTML is an insanely high security risk, you're going to have to prove it.

I have seen no proof anywhere that enabling HTML brings an "onslaught of security vulernabilities", and if it does then Jelsoft should release an emergency upgrade that disables the HTML functionality entirely. Since they haven't done that, I'm going to conclude that the risks are exactly what I think they are: Not significantly more than not enabling HTML. People can use IMG and URL vBcodes to trick you into going to a site mimicking yours and then harvest your username and password that way. Does that make the IMG and URL tags an insanely high security risk?

Lastly, I started this thread to discuss an issue with HTML coding. Only about two people have actually responded to the question in the opening post while a dozen of you have chimed in to insist that I not enable HTML. If I am allowed to post HTML questions here, I would prefer it if people who don't have an answer for my questions, like yourself, not derail my thread. I know everyone here means well, but I'm not a 12 yr. old n00b. I don't need anyone to hold my hand here.

However, if you are telling me that I am not allowed to question whether HTML is really a huge security risk, discuss HTML coding on this forum and/or that you intend to post on every such thread with scaremongering about HTML use, then that's fine. I will stop posting here. Just let me know. But don't expect me to just take your (or anyone's) word on things that you can't actually prove.

[filburt1]

It's listed right in the admin CP that it's dangerous! If you do not wish to accept my numerous examples of what the use of HTML can lead to, I suggest submitting a ticket at vB.com asking what they recommend. You will receive the same answer: do not enable it.

[Zachery]

Quote:

Originally Posted by tmhall

Well nothing personal but it annoys the hell out of me when people tell me that actually using one of the features of software that I paid for is an insanely high security risk, but then can't tell me exactly what the risks are. I'm sorry that I'm not a person who just believes whatever I'm told without question, it's a personal problem I have. If you want me to believe that enabling HTML is an insanely high security risk, you're going to have to prove it.

I have seen no proof anywhere that enabling HTML brings an "onslaught of security vulernabilities", and if it does then Jelsoft should release an emergency upgrade that disables the HTML functionality entirely. Since they haven't done that, I'm going to conclude that the risks are exactly what I think they are: Not significantly more than not enabling HTML. People can use IMG and URL vBcodes to trick you into going to a site mimicking yours and then harvest your username and password that way. Does that make the IMG and URL tags an insanely high security risk?

Lastly, I started this thread to discuss an issue with HTML coding. Only about two people have actually responded to the question in the opening post while a dozen of you have chimed in to insist that I not enable HTML. If I am allowed to post HTML questions here, I would prefer it if people who don't have an answer for my questions, like yourself, not derail my thread. I know everyone here means well, but I'm not a 12 yr. old n00b. I don't need anyone to hold my hand here.

However, if you are telling me that I am not allowed to question whether HTML is really a huge security risk, discuss HTML coding on this forum and/or that you intend to post on every such thread with scaremongering about HTML use, then that's fine. I will stop posting here. Just let me know. But don't expect me to just take your (or anyone's) word on things that you can't actually prove.

I've seen allowing html:

Crash the users browsers while they browse forums, redirect to whole new websites with ads and popups, steal cookies and allow users to take over said forum, screw up designs, use said stolen info to take over other things like email accounts ect.

It has NEVER been wise to do so. and everytime one of the other admins allows html on a forum I run I go turn it off. and then rant and rave to them about how its bad, but they re-enable it, and a week later the forums are crashing because someone put some nifty javascript in their singnature and its crashing everyones browsers.