XSS Mod in 2.0.17 Breaks My URL Tags

[Gadget Wizard]

Some of my forum members use colors in the URL tag like so

[url=http://news.com/][color=green]Click here ...[/color][/url]

After applying the code changes to fix the XSS issue, this no longer works.

Is this an intended affect or is there something else afoot?

tia

[Graham]

That's deliberate. Put the colour outside the url and it will work

[Gadget Wizard]

Thanks for the quik reply.

I figured that was the case. I guess this means all the URL tags constructed this way will no longer function.

eeek!!

[Gadget Wizard]

After looking at my board, a huge number of links are going to be broken if I install the code changes to fix the XSS issue.

Is this a major security issue?

If so, is there another way to plug the hole without breaking all my links?

[Graham]

Let me look into it. Looking at this again when I'm slightly more awake that is not deliberate (Note to self: don't comment on code when you've just got up ). I'd misread where the bracket was.

[Graham]

OK, I've checked and it does work fine

eg
Click here ...

Can you please try the following:
[*] Take a backup of bbcode.php on your forum
[*] Replace with a copy from a new download of 2.0.17

[Gadget Wizard]

Ok, thanks for the help Graham. I just added the XSS code changes to my bbcode.php module rather than replace the module because I have a heavily modded board.

I see now that your example does indeed work. I guess I should have tried it here myself before asking.

I guess there is something else afoot afterall.

I'll try to compare the two modules and see if I can fix it!!

Thanks again!!

[oktracer]

I have a smilar issue with url tags in img tags.

Code: Select all

[url=http://www.aimutation.com/links.php?action=go&link_id=6][img]http://www.aimutation.com/images/tracesig.gif[/img][/url]

Now displays as this

[Graham]

That one is a template issue. Make sure that the image and url replacements in bbcode.tpl are on the same line, or ask in the topic for that style

[oktracer]

Have the same issue on all templates including the default subsilver. This didn't appear until after the 2.0.17 update.

[Gadget Wizard]

Can you please try the following:
[*] Take a backup of bbcode.php on your forum
[*] Replace with a copy from a new download of 2.0.17

I copied over the current bbcode.php just to see if that would correct my URL tag problem but it didn't.

This tells me that I have an issue somewhere else.

Here is what I see.

Code: Select all

[url=http://news.com/][color=green]Click here ...[/color][/url]

produces this



Any suggestions on anywhere else I might look to correct this problem?

Thanks!!

[Graham]

OK, what template are you using?

Can you post the contents of bbcode.tpl from it, I suspect the issue will be in there.

[_daemon_]

i have an issue with img tags probably because of the changes @ bbcode.php
when i try to preview a post the [img] tags dont display the picture but something like [img:20cb8ff15f]http://www.kanet.com/outlaw/outlaw-Ujin4.gif[/img:20cb8ff15f][img:20cb8ff15f]http://www.kanet.com/outlaw/cool.gif[/img:20cb8ff15f]
anyone knows what exactly causes this and if it can be fixed?
When i submit the post everything is ok. thanks

[Gadget Wizard]

OK, what template are you using?

Can you post the contents of bbcode.tpl from it, I suspect the issue will be in there.

I'm using a heavily modded phpXP2 template.

Code: Select all

<!-- BEGIN color_open -->
<span style="color: {COLOR}">
<!-- END color_open -->
<!-- BEGIN color_close -->
</span>
<!-- END color_close -->

[Graham]

Yes, that looks to be the problem, the start of the replacement in there should be on the same line as the BEGIN and the end of it on the same line as the END.

eg

Code: Select all

<!-- BEGIN color_open --><span style="color: {COLOR}"><!-- END color_open -->
<!-- BEGIN color_close --></span><!-- END color_close -->