vb.org Archive > vBulletin 3 Discussion > vB3 General Discussions
#1
06-11-2006, 03:33 PM
bairy
Join Date: Oct 2005
Posts: 184

Why is HTML in forums so dangerous?

In the forum manager // Allow HTML // Admin Help it says

Quote:
This allows users to use HTML while posting. It is strongly recommended that you DO NOT turn this on as it can severely compromise security and/or severely mess up layout if users insert malformed HTML. Even if you set this to Yes, users still cannot use certain tags, including javascript: and about:.
Aside from screwing up the layout, why is it so dangerous? And couldn't the vb team put a filter of 'safe' tags as other sites (blogger, livejournal) do?
I know you can use vbcode and that's fine, and you can make new code to cover tags such as <strike>. It's just sometimes a <table> with css would be really useful in a post.
#2
06-11-2006, 03:44 PM
Adrian Schneider
Join Date: Jul 2004
Posts: 2,528

Quote:
Originally Posted by bairy
In the forum manager // Allow HTML // Admin Help it says

Aside from screwing up the layout, why is it so dangerous? And couldn't the vb team put a filter of 'safe' tags as other sites (blogger, livejournal) do?
I know you can use vbcode and that's fine, and you can make new code to cover tags such as <strike>. It's just sometimes a <table> with css would be really useful in a post.
People can steal your cookie information, then load it into their browser and be logged in as you. They can also post harmful content (movies, images, etc). If they were to post <base> tags or iframes, they can muck up all your links or load other sites in your pages.

Javascript is probably the biggest concern, but there are many other annoyances.
#3
06-11-2006, 03:55 PM
Zachariah
Join Date: Feb 2002
Location: Canoga Park, CA
Posts: 2,125
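The "filter of 'safe' tags" bairy asks about, and the specific hazards Adrian lists (script that reads cookies, javascript: links, <base> tags, iframes), can be illustrated with an allowlist sanitizer that rebuilds a post from permitted tags and attributes only. The Python example below is added here for illustration; it is not vBulletin code and not code from anyone in this thread. Its tag, attribute and CSS lists are assumptions chosen for the example, and the sample post is constructed.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist (assumed for this example). <script>, <iframe>, <base>, <object>,
# <embed>, <form> and every on* handler are simply absent, so they never get through.
ALLOWED_TAGS = {"b", "i", "u", "strike", "p", "br", "a", "img", "blockquote", "code",
                "pre", "span", "ul", "ol", "li", "table", "thead", "tbody", "tr", "th", "td"}
VOID_TAGS = {"br", "img"}                        # never pushed on the open-tag stack
ALLOWED_ATTRS = {
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
    "table": {"border", "cellpadding", "cellspacing", "style"},
    "th": {"colspan", "rowspan", "style"},
    "td": {"colspan", "rowspan", "style"},
    "span": {"style"},
}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}    # "" means a relative URL
# Small CSS subset: listed properties with plain values, so url() and expression() cannot appear
SAFE_CSS_PROPS = {"color", "background-color", "text-align", "font-weight", "font-style", "width", "border"}
CSS_VALUE = re.compile(r"^[\w#%.\- ]+$")


def safe_url(value):
    """True only for http(s)/mailto/relative URLs; javascript:, about:, data: are refused."""
    # strip whitespace and control characters that are sometimes used to disguise the scheme
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES


def safe_style(value):
    """True only if every declaration is an allowed property with a plain value."""
    for decl in filter(str.strip, value.split(";")):
        prop, _, val = decl.partition(":")
        if prop.strip().lower() not in SAFE_CSS_PROPS or not CSS_VALUE.match(val.strip()):
            return False
    return True


class PostSanitizer(HTMLParser):
    """Rebuilds a post from allowed tags/attributes only and logs every removal."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.dropped = [], [], []
        self.skipping = None          # set while inside <script>/<style>; their bodies are discarded

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in ("script", "style"):
            self.skipping = tag
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}>")   # tag removed; its text (unless script/style) is kept
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            ok = (name in ALLOWED_ATTRS.get(tag, ())
                  and (name not in URL_ATTRS or safe_url(value))
                  and (name != "style" or safe_style(value)))
            if ok:
                kept.append(f'{name}="{escape(value, quote=True)}"')
            else:
                self.dropped.append(f"{tag}@{name}")   # e.g. a@onclick, a@href (javascript:), table@style
        self.out.append("<" + " ".join([tag] + kept) + ">")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if tag in self.open_tags:         # close whatever was opened after it, so output stays balanced
            while self.open_tags[-1] != tag:
                self.out.append(f"</{self.open_tags.pop()}>")
            self.out.append(f"</{self.open_tags.pop()}>")
        # end tags of dropped or never-opened elements are ignored

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))   # decoded text is re-escaped on output
    # comments, doctype and processing instructions are discarded by the base-class defaults


def sanitize_post(html_text):
    """Return (clean_html, dropped) where dropped is an audit list for moderators."""
    p = PostSanitizer()
    p.feed(html_text)
    p.close()
    while p.open_tags:                    # close anything the poster left open
        p.out.append(f"</{p.open_tags.pop()}>")
    return "".join(p.out), p.dropped


# Constructed sample post combining the hazards named in the thread
SAMPLE_POST = (
    '<b>Hi</b> <script>alert(document.cookie)</script>'
    '<a href="javascript:alert(1)" onclick="x()">click</a> '
    '<base href="http://evil.example/"><iframe src="http://evil.example/"></iframe>'
    '<table style="width: 100%; background: url(x)"><tr><td style="color: red">cell</td></tr></table>'
    '<img src="/images/ok.png" alt="ok"> <i>unterminated &lt;3'
)

if __name__ == "__main__":
    clean, dropped = sanitize_post(SAMPLE_POST)
    print(clean)
    print("removed:", dropped)
```

Three design choices carry the weight here: the output is rebuilt from the allowlist rather than produced by stripping known-bad patterns, so a tag or attribute that nobody thought of is dropped by default; all text is decoded and re-escaped, so entity tricks do not survive; and the `dropped` list is returned so that a forum running moderated HTML posts, as Zachariah describes, can show staff exactly what was removed. A hand-rolled sanitizer is still a poor substitute for a maintained one in a real deployment (for PHP, HTML Purifier is the usual choice), but it shows what a "safe tags" filter must actually do.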

Quote:
Originally Posted by bairy
Aside from screwing up the layout, why is it so dangerous?
One example: I go to your website all the time. It's great. One day I go to an HTML thread on your site made by someone who wants to destroy end-user computers with spyware and viruses with 1000s of pop-ups.

There are times when I enable HTML

- Site staff access to post only
- trusted usergroup w/ users (people that need it on for whatever reason)
- moderated post/thread rights on the forum if open to everyday members


Quote:
And couldn't the vb team put a filter of 'safe' tags as other sites (blogger, livejournal) do? It's just sometimes a <table> with css would be really useful in a post.
I have not looked yet, but I bet there are a few hacks out there with a bunch of BB Codes in 1 package. I recall a lot of CSS/HTML markup BB codes for text some time ago.


Custom BB Codes - vBulletin Manual
Its syntax is similar to HTML, but it has the benefit that you (the administrator) can define exactly what codes are allowable in order to prevent unwanted formatting or malicious use.
#4
06-12-2006, 08:12 PM
good2laugh
Join Date: Jul 2002
Location: London
Posts: 51

Quote:
Originally Posted by Zachariah

There are times when I enable HTML

- Site staff access to post only
- trusted usergroup w/ users (people that need it on for whatever reason)
- moderated post/thread rights on the forum if open to every day members

Hi, you mention a trusted usergroup; would or could this include users I've "created" to post RSS feeds? They are in a unique group which isn't viewable on groups and isn't joinable.

I've just noticed some of the Yahoo alerts post HTML links which may be pictures of whatever, but it just looks a mess. I don't want to moderate every post. As the users are made up by me, is it safe to allow them to use HTML? I mean nobody can hijack their username, right? Or wrong?
I've been hacked, as have others with similar forum topics, and that person is still around and determined to take us all down, so it's quite important that I keep things as secure as poss, but I like this RSS thingy and want it to post correctly.

In relation to this, I assume on VBoptions I have to allow html - and assume I then go to usergroup permissions to disallow it for all groups except my RSS feeders?

I know basic html only and am a master at the find this code, above that, add this code type instructions I get here.. but that is the extent of my knowledge, so please forgive me if I've just asked a bunch of stupid questions.

TIA
#5
06-13-2006, 02:25 AM
Zachariah
Join Date: Feb 2002
Location: Canoga Park, CA
Posts: 2,125

Here is what I usually do when I need HTML enabled on a forum, and have all people from a usergroup have access in posting.
  • Create a usergroup that you plan to have access to post HTML.
  • Create a forum with HTML enabled.
  • Select Forum Permissions from menu Forums & Moderators.
- This will show a list of forums and custom options per usergroup per forum.
Find the forum that you made and edit the usergroups and turn off all options in "Post / Thread Permissions" for the usergroups you want to stop from posting.

Everyone you move to the custom usergroup can post in that HTML enabled forum without problems.
#6
06-13-2006, 05:03 AM
kall
Join Date: Apr 2004
Location: New Zealand
Posts: 2,608

Or, if you didn't want to restrict posting for everyone, don't turn on HTML at the Forum Level; use my Mod: https://vborg.vbsupport.ru/showthread.php?t=96926
#7
06-13-2006, 02:31 PM
Zachariah
Join Date: Feb 2002
Location: Canoga Park, CA
Posts: 2,125

^_^ - kall nice !!
#8
06-13-2006, 04:52 PM
good2laugh
Join Date: Jul 2002
Location: London
Posts: 51

Quote:
Originally Posted by kall
Or, if you didn't want to restrict posting for everyone, don't turn on HTML at the Forum Level; use my Mod: https://vborg.vbsupport.ru/showthread.php?t=96926
Brilliant!! Thank you very much.:banana:

To save me doing two posts, Thanks also to Zachariah
#9
06-13-2006, 08:12 PM
tgreer
Join Date: Oct 2005
Posts: 183

Also, if you're an XHTML/CSS validation freak, then you'd be allowing users to potentially ruin your markup. Not a security issue, and it wouldn't even necessarily break the site, but if you care about such things, then it matters.

I've considered a form of forum sponsorship which allows vendors in my industry to have their own forum, with HTML enabled, to post newsletters. I've mixed feelings about it.
#10
06-14-2006, 10:32 PM
antialiasis
Join Date: Jan 2006
Location: Iceland
Posts: 346

Heh, I made a special hack for forcing signatures with HTML to be approved by a moderator and then I look through them all and change the XHTML to be valid. I'm a markup nazi.