davidshook wrote: Major issue (at least on my board).
For some reason, guests can include html tags in the topic description.
That also includes JAVASCRIPT!!!
Would be nice if I could limit this only to a few html tags, or to bbcode only!!!
I am not sure if this is occurring because I have other MODs interfering with this.
Code: Select all
submit_post($mode, $post_data, $return_message, $return_meta, $forum_id, $topic_id, $post_id, $poll_id, $topic_type, $bbcode_on, $html_on, $smilies_on, $attach_sig, $bbcode_uid, str_replace("\'", "''", $username), str_replace("\'", "''", $subject),str_replace("\'", "''", $description), $desc4mod,str_replace("\'", "''", $message), str_replace("\'", "''", $poll_title), $poll_options, $poll_length, $topic_calendar_time, $topic_calendar_duration);
davidshook wrote: This is a significant security risk. Any solutions?
Code: Select all
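//DMdm Mod to hide the heritage forum from tooltips, since they slow rendering of the page
// Default to no tooltip so $topic_tool is always defined
$topic_tool = '';
// Compare with != here: "$forum_id = 10" assigns 10, so the condition could never be true
if ( $forum_id != 10 ) {
	$topic_tool = ( show_tooltip ( $forum_id, $topic_id ) ) ? topic_tooltip ( $topic_id ) : '';
}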
Code: Select all
#
#-----[ OPEN ]------------------------------------------------
#
templates/cobalt20/posting_body.tpl
#
#-----[ FIND ]------------------------------------------------
#
<td class="row1" width="22%"><span class="gen"><b>{L_DESCRIPTION}</b></span></td>
#
#-----[ REPLACE WITH ]------------------------------------------------
#
<td class="row1" width="22%" align="right"><span class="genmed"><b>{L_DESCRIPTION}</b></span></td>
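On the request above to limit the topic description to a few HTML tags: the `str_replace` calls in the `submit_post()` line only rewrite quote characters and leave HTML untouched. The following is an added example, not code from the MOD or from phpBB. The function name, the tag allowlist and the sample input are assumptions, and it assumes PHP 7 or later. It escapes the whole description and then re-enables only attribute-free tags, shown next to `strip_tags()`, which keeps attributes on the tags it allows.

```php
<?php
// Added example: hypothetical helper, not part of the MOD or phpBB.
// Tags to re-enable after escaping (assumed allowlist for illustration).
const DESC_ALLOWED_TAGS = ['b', 'i', 'u'];

function render_topic_description(string $raw): string
{
    // 1. Escape everything: script tags, event-handler attributes and
    //    quotes all become inert text.
    $safe = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');

    // 2. Re-enable only exact, attribute-free tags such as <b> or </b>.
    //    Anything with attributes stays escaped because it no longer
    //    matches "&lt;b&gt;" exactly.
    $tags = implode('|', array_map('preg_quote', DESC_ALLOWED_TAGS));
    return preg_replace('#&lt;(/?)(' . $tags . ')&gt;#i', '<$1$2>', $safe);
}

// Constructed sample descriptions, as a guest could submit them.
$samples = [
    'Plain <b>bold</b> text',
    '<b onmouseover="alert(1)">hover</b>',
    '<script>alert(1)</script>',
];

foreach ($samples as $raw) {
    // strip_tags() with an allowlist removes <script> but keeps the
    // onmouseover attribute on <b>, so script can still run.
    echo 'strip_tags: ', strip_tags($raw, '<b><i><u>'), "\n";
    // Escape-then-allow output: only bare <b>, <i>, <u> survive as markup.
    echo 'escaped   : ', render_topic_description($raw), "\n\n";
}
```

Apply the helper consistently at one point, either before the description is stored or every time it is written into a template, so that no code path outputs the raw value.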