The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#33
I think you're missing the point. HTML is a known security vulnerability. No other part of vB is. By your logic, you're 50% secure by disabling HTML and 100% with no connection, when in fact it is more like 99.9% secure without HTML and 100% with no connection.
#34
Allowing html leads to javascript, or embedded flash. Such things can be powerful scripting tools and can take advantage of your users. With bbcode your server is in control of the code, with html on you depend on the end user's machine which is always a bad thing when you are allowing users to pass said code to everyone!
I wish you luck if you have enabled it, cause it won't be long..
#35
Have you ever seen The Godfather?
"I keep tryin' to get out, but they keep pullin' me back in!"
Here's a question for you: Is it or is it not true that a malicious person could use the IMG and/or URL vBcodes to trick you into going to a porn or warez site, or any other site where you may encounter malicious code? If yes, then do you believe that allowing the use of the IMG and URL vBcodes is a security risk and that they should never be enabled for any reason? Why or why not?
#36
Using the built-in tags can only deceive the user at worst. HTML can take over your forums.
Although I did disable the [img] tag at my site for security reasons, mainly for retarded bugs in IE that could attach VBScript to images.
#37
The time may very well come that I have to disable HTML, make a bunch of strict rules and/or shut the forum down. But until then, I'm going to just keep doing what I think is best for the forum and my users. And at this time that means giving them features and not telling them what they can and cannot talk about.
#38
Don't be naive enough to think your users won't come after you... we had a software company a few years ago and almost got into trouble ourselves. One of our clients' customer's computers got hit with a virus and they tried to blame our software. After many emails back and forth to our duplication company and several onsite visits, I was able to prove that the virus in fact, came from one of their own employees who was bringing infected disks in from home. He had been hacked and didn't even realize he was causing (and re-causing, and re-re-causing, etc...) the problem! If I hadn't overheard a conversation about it being the fifth time their systems had to be cleaned (four before they purchased our software), our software company would've been ruined. I have to agree with the group - raw html is too dangerous!
#39
tmhall,
actions are sometimes worth more than words.. post your url and a 'test' account
#40
Enabling HTML for users? That's a bit insane, you know in IE 6 you can crash the browser in 7 characters (a bug with the <style> tag), but of course the main vulnerability is JavaScript, where a script could easily execute to grab the cookie information, and post it through a hidden iframe to another website, or even make you go to your own profile and jack your user settings up, the possibilities are endless when it comes to it really.
If you want users to be given more powerful options, my suggestion is to create bbcodes via the acp.
- Zero Tolerance
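The contrast posts #34 and #40 draw between raw HTML and server-controlled bbcode, as an added Python example (not code from this thread or from vBulletin): everything the user typed is escaped, and only tags the server chooses are emitted, with link and image targets limited to http(s). The function names, the tag set and the sample posts are assumptions made for illustration.

```python
import html
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}                 # assumption: no other schemes needed
SIMPLE_TAGS = {"b": "strong", "i": "em", "u": "u"}  # BBCode tag -> HTML element

def safe_url(escaped):
    """Return an attribute-safe absolute http(s) URL, or None to refuse it."""
    url = html.unescape(escaped).strip()
    if re.search(r"[\x00-\x20\x7f]", url):          # control chars can hide a scheme
        return None
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return html.escape(url, quote=True)             # quotes cannot close the attribute

def render_post(text):
    """Escape everything the user typed, then emit only markup the server chose."""
    out = html.escape(text, quote=True)             # raw HTML becomes inert text
    for tag, element in SIMPLE_TAGS.items():
        out = re.sub(rf"\[{tag}\](.*?)\[/{tag}\]", rf"<{element}>\1</{element}>",
                     out, flags=re.I | re.S)

    def link(m):
        url = safe_url(m.group(1))
        if url is None:
            return m.group(0)                       # refused tags stay as plain text
        return f'<a href="{url}" rel="nofollow noopener">{m.group(2)}</a>'

    def image(m):
        url = safe_url(m.group(1))
        return m.group(0) if url is None else f'<img src="{url}" alt="user image">'

    out = re.sub(r"\[url=([^\]\s]+)\](.*?)\[/url\]", link, out, flags=re.I | re.S)
    return re.sub(r"\[img\]([^\[\]\s]+)\[/img\]", image, out, flags=re.I)

# Constructed sample posts, not taken from the thread.
SAMPLES = [
    "<script>document.cookie</script>",
    "[b]hi[/b] [url=https://example.com/?a=1&b=2]site[/url]",
    "[url=javascript:alert(1)]x[/url] [img]javascript:void(0)[/img]",
]

if __name__ == "__main__":
    for post in SAMPLES:
        print(render_post(post))
```

The scheme check narrows what [url] and [img] can point at, but a permitted http(s) link can still lead somewhere deceptive, which is the residual risk posts #35 and #36 discuss.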