Possible cross site scripting issue with HTML enabled

Postby psoTFX » Wed Aug 13, 2003 5:44 pm

For those people operating phpBB with HTML enabled we have been notified by Marvin Massih of a possible cross site scripting issue. It will affect primarily those who have enabled the <a> (anchor tag) but it may impact certain other tags too depending on what functionality they offer.

The problem occurs because users may enter "javascript:" within a given url ... which can of course be used to grab local cookie (for example) information from the client.

At this time we advise everyone with HTML enabled to remove the a tag from the list of allowed tags (Admin Panel -> General -> Configuration -> Allowed tags). There really is no reason to allow the anchor tag anyway, BBCode provides appropriate functionality for linking.

We will continue looking at potential solutions to this but it isn't necessarily a straightforward issue to solve without impacting the very functionality the <a> tag can give you (same applies to any other tag that may be affected).

Of course our advice remains, as it always has, to only enable HTML if you positively, absolutely have no alternative. There are various BBCode Mods available here and elsewhere which offer the functionality of a number of common HTML tags ... while reducing considerably the risk of layout and privacy issues.

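The post recommends dropping the anchor tag altogether; a board that keeps it needs a check on the href scheme, not just on the tag name, because a tag allowlist alone lets a `javascript:` URL through. The following is an added example, not phpBB's code: a small Python auditor that flags anchors whose scheme is not on an allowlist, normalizing whitespace and entity encoding first because browsers tolerate both in the scheme. `SAFE_SCHEMES` and the sample post are constructed assumptions.

```python
import html
import re
from html.parser import HTMLParser

# Schemes a board chooses to allow in user-supplied anchors (assumption for this example).
SAFE_SCHEMES = {"http", "https", "mailto"}

def href_is_safe(href: str) -> bool:
    """Return True only if the href is relative or uses an allowlisted scheme.

    Browsers ignore leading whitespace and embedded control characters in the
    scheme and decode entity-encoded characters, so normalize before inspecting.
    """
    decoded = html.unescape(href)
    cleaned = re.sub(r"[\x00-\x20]", "", decoded)  # strip control chars and spaces
    match = re.match(r"^([a-zA-Z][a-zA-Z0-9+.-]*):", cleaned)
    if match is None:
        return True  # no scheme at all, e.g. /viewtopic.php?t=1
    return match.group(1).lower() in SAFE_SCHEMES

class AnchorAuditor(HTMLParser):
    """Collect every <a href> in a post whose scheme fails the allowlist."""

    def __init__(self) -> None:
        super().__init__()
        self.unsafe = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:  # the parser already entity-decodes values
            if name == "href" and value is not None and not href_is_safe(value):
                self.unsafe.append(value)

def find_unsafe_anchors(post_html: str) -> list:
    """Return the href values in post_html that a tag allowlist alone would miss."""
    auditor = AnchorAuditor()
    auditor.feed(post_html)
    auditor.close()
    return auditor.unsafe

# Constructed sample post: one legitimate link, two that only a scheme check catches.
SAMPLE_POST = (
    '<a href="http://www.phpbb.com/">phpBB</a> '
    '<a href="javascript:void(0)">click</a> '
    '<a href="&#9;JavaScript:void(0)">click</a>'
)

if __name__ == "__main__":
    print(find_unsafe_anchors(SAMPLE_POST))
```

An `<a>` that fails this check should be dropped or rewritten before the post is stored, since filtering on tag name alone passes it unchanged.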