Disable HTML Code - Security?

[shimei]

Quote:

Originally Posted by ForceHSS

Can you post some screenshots with the code breaking and without and a link to your site so someone can give you the correct code if they can

Here's the result of having posted between either [ code ] or [ html ] tags as Lynne suggested. As you can see the entire site is wrecked (blank).



--------------- Added [DATE]1426201908[/DATE] at [TIME]1426201908[/TIME] ---------------

and here it is before I enter the code:



--------------- Added [DATE]1426202159[/DATE] at [TIME]1426202159[/TIME] ---------------

Quote:

Originally Posted by Replicant

If you are posting just the code in the original post, it probably will break the page since there is no closing tag for the table. If you want to view the raw html in the post, have you tried the noparse bbcode?

Code:

[noparse]<!--added table -->
<table class="forum-list-container stretch catspace">[/noparse]

Hello Replicant,

Thank you for your support. I have not, my concern at this point is that anyone can enter code into the browser by creating a thread or replying to a post and wrecking the site.

At this point, I'm hoping someone will tell me how to find the post in the database once the site has been wrecked?

Of course, I think this needs be looked at, and I was wondering if others are having this issue or is it my site alone? I am using VB 5.1.5. I am nervous about posting a link to my site here, all I need is for someone to to do this or keep doing it. My site would be down until this is fixed.

Thanks,
Shim

[Replicant]

Post the source from your post that is breaking the page here so we can see what you are doing.

[shimei]

I was copying this page to my forum section where I track the mods I have done to the site. I performed this mod successfully then created a thread and posted this page as a record of my changes. That's when I discovered I could wreck the site through entering any of this code into the browser/thread/post.

https://vborg.vbsupport.ru/showthread.php?t=309785

[Wayne Luke]

I tried to recreate this issue on a fresh installation of vBulletin 5.1.5 with no modifications. Using the [html] tags I get this result:



Using no BBCODE, I do get issues so that will need to be checked and tested more but it doesn't break the entire site. Here is what is does if no BBCode is used:



In both occurrences, the Can Use HTML permission is off globally for Administrators.

Though if you've made other changes to the templates and the above code is compounded on errors that browsers could work around, then this could cause more issues.

[ForceHSS]

As HTML seems to work for Wayne then it must be something you installed like a custom plugin or an edit to a template revert any templates and disable all plugins then test

[shimei]

Quote:

Originally Posted by ForceHSS

As HTML seems to work for Wayne then it must be something you installed like a custom plugin or an edit to a template revert any templates and disable all plugins then test

Hello ForceHSS,

Thank you for taking the time to respond. I noticed Wayne said:

Quote:

Using no BBCODE, I do get issues so that will need to be checked and tested more but it doesn't break the entire site. Here is what is does if no BBCode is used:

Later tonight I'll delete that mod and see if the issue is less than breaking the website. Perhaps they are related, that is having done the mod and then posting similar coding in a thread?

Thank you and I'll post the results.

Shim

[ForceHSS]

If you are going to remove the xml of a custom plugin also remove the files as well

[Lynne]

As Wayne said, I had no issues posting using the html code tag. If you are, then something else is amiss.