Disable HTML Code - Security?

[shimei]

Hello,

I was wondering whether others were experiencing the same issues as I am. I keep notes by tracking the forum changes I make. I tried to post the following code into my VB 5.1.5 under an admin account:

Code:

<!--added table -->
<table class="forum-list-container stretch catspace">

It breaks the site's layout. I went to usergroup permissions and disabled Allow HTML Code, I also checked Channel Permissions.

I feel like my site is a sitting duck awaiting for someone to wreck havoc on it.

[Lynne]

You tried to post that code where? You are posting it in a thread? If so, post it in [ code ] tags.

[shimei]

Quote:

Originally Posted by Lynne

You tried to post that code where? You are posting it in a thread? If so, post it in [ code ] tags.

Hi Lynne,

That's exactly what I had done. I make notes in the forum of the changes I make to the website. I put that in the code tags of a thread. Regardless, it breaks the layout.

[Lynne]

Are you putting the html in HTML tags or CODE tags? Now that I think about it, CODE tags will 'parse' what is in there; HTML tags should not.

[shimei]

Hello Lynne,

I am a little unclear about what you mean. I pasted in plain text in code tags.

In or out of the [ code ] tags the code disappears and wrecks the site. Luckily I was able to delete the post because I was still looking on it and did not navigate away from it on one browser. If I even post the following:

<!-- Categories -->

The above code cannot be seen in my page in or outside the code tags. Is this a security issue? I can't see how it isn't because all one needs do is post some code in the browser and my site is wrecked on 5.1.5. I have set no to allow html code wherever it is an option in the admincp, and that's the only thing I could come close to assuming that would prevent it.

I have filled out a support ticket with Vbulletin but it has been days and no solution. If someone post a code into the browser and my site goes down how can I find the post when no posts are visible. Would I have to go to the database and find the culprit post and delete it?

Thanks William

[ForceHSS]

If you allow the admin group to post html code and allow html in the section you need it should work if you only want yourself to post html code make a new admin group and move yourself to it then give that group only html permissions.
Warning: html coding can break your site and cause security problems if you don't know what you are doing

[shimei]

Quote:

Originally Posted by ForceHSS

If you allow the admin group to post html code and allow html in the section you need it should work if you only want yourself to post html code make a new admin group and move yourself to it then give that group only html permissions.
Warning: html coding can break your site and cause security problems if you don't know what you are doing

Right, I had disabled html coding in all groups and channel permissions. The result is the same and which led me to posting this.

Thanks for your time though,
Shim

[ForceHSS]

Can you post some screenshots with the code breaking and without and a link to your site so someone can give you the correct code if they can

[Replicant]

If you are posting just the code in the original post, it probably will break the page since there is no closing tag for the table. If you want to view the raw html in the post, have you tried the noparse bbcode?

Code:

[noparse]<!--added table -->
<table class="forum-list-container stretch catspace">[/noparse]

[Lynne]

Quote:

Originally Posted by shimei

Hello Lynne,

I am a little unclear about what you mean. I pasted in plain text in code tags.

I mean you should use [ HTML ] tags instead of [ CODE ] tags.

HTML Code:

<!--added table -->
<table class="forum-list-container stretch catspace">

not

Code:

<!--added table -->
<table class="forum-list-container stretch catspace">