Dangers of allowing HTML?

thebassman
Registered User
Posts: 103
Joined: Fri Mar 26, 2004 2:00 am
Location: Toronto, Ontario, Canada


Post by thebassman » Tue Jun 14, 2005 4:58 am

I just installed the FIND mod (RSS feeds, etc), and it would be beneficial to allow HTML. I know there is an HTML Admin Only mod, but I was wondering what the dangers are in just allowing it for the whole board? I really only need to allow a couple of codes, like <p>, <br>, <b>, <i>, <u>, <a href...>, etc...

End of a Shadow
Registered User
Posts: 1557
Joined: Sun Apr 27, 2003 6:39 pm
Location: Washington
Name: J G

Post by End of a Shadow » Tue Jun 14, 2005 5:11 am

None really, but if you let <img> slip by you, then things could become a problem. Lately people have been using the <img> tag to use .php extension files for images. Sometimes these images are not images at all and are scripts which can carry malicious data and/or adware/spyware. Whereas phpBB has it built in to only accept certain file extensions for the [img] BBCodes, such as .jpg, .gif, and .png, and that's it. All others will appear as broken link text. And good old <img> HTML tags carry no restrictions.

So it depends on what tags you are planning to use.

thebassman
Registered User
Posts: 103
Joined: Fri Mar 26, 2004 2:00 am
Location: Toronto, Ontario, Canada

Post by thebassman » Tue Jun 14, 2005 6:53 am

So if I turn it on, can I just specify which ones I would want to be able to use?

End of a Shadow
Registered User
Posts: 1557
Joined: Sun Apr 27, 2003 6:39 pm
Location: Washington
Name: J G

Post by End of a Shadow » Tue Jun 14, 2005 7:10 am

thebassman wrote: So if I turn it on, can I just specify which ones I would want to be able to use?

Yep

thebassman
Registered User
Posts: 103
Joined: Fri Mar 26, 2004 2:00 am
Location: Toronto, Ontario, Canada

Post by thebassman » Tue Jun 14, 2005 7:32 am

But there's not a way to just allow admins to use it other than that 30+ minute mod, right?

smithy_dll
Former Team Member
Posts: 7630
Joined: Tue Jan 08, 2002 6:27 am
Location: Australia
Name: Lachlan Smith

Post by smithy_dll » Tue Jun 14, 2005 8:35 am

Not sure if it still applies, but when phpBB 2.0.0 was released, allowing <i> also allowed naughty things like <iframe>.

I'm 90% sure that the javascript parameters like onClick, etc... are disallowed.

thebassman
Registered User
Posts: 103
Joined: Fri Mar 26, 2004 2:00 am
Location: Toronto, Ontario, Canada

Post by thebassman » Tue Jun 14, 2005 9:19 am

Hmmm... maybe I should just do the mod, then. :evil: Thanks for the advice. :D

Magnotta
Former Team Member
Posts: 1093
Joined: Fri Oct 17, 2003 4:16 am
Location: Ontario

Post by Magnotta » Tue Jun 14, 2005 2:10 pm

Tags which could cause problems: <img>, <object>, <script>, <table> (allowing this can easily destroy your board's layout); I think you get the idea. If you really need a specific tag, I'd say add a BBCode for it. As well, when using BBCode, if you look at the page's source, the code output will be HTML; you won't see things like [whatever bbcode]text[/bbcode] in the source, so I don't think any RSS feeds should have a problem with it.
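To make the two failure modes raised in this thread concrete (smithy_dll's point that a sloppy allow-list match lets <i> admit <iframe>, and the event-handler and <img>/<script> concerns above), here is an added illustration that is not phpBB's code: a constructed tag allow-list filter with the prefix-matching bug side by side with a whole-name match, plus attribute filtering. Tag and attribute names are chosen from the first post; everything else is assumed.

```python
import re

# Constructed allow-list based on the tags the original poster asked for.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "a"}
ALLOWED_ATTRS = {"a": {"href"}}           # everything else (onclick, style...) is dropped
SAFE_SCHEMES = ("http://", "https://", "mailto:")

TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>")
ATTR_RE = re.compile(r"""([a-zA-Z][\w-]*)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""")


def naive_is_allowed(tag_name: str) -> bool:
    # The pitfall described in the thread: a prefix test means allowing
    # "i" also accepts "iframe", "img", "input"; allowing "a" accepts "applet".
    return any(tag_name.lower().startswith(t) for t in ALLOWED_TAGS)


def strict_is_allowed(tag_name: str) -> bool:
    # Compare the complete, lower-cased tag name against the allow-list.
    return tag_name.lower() in ALLOWED_TAGS


def clean_attrs(tag: str, raw: str) -> str:
    # Keep only attributes explicitly allowed for this tag, and only hrefs
    # with a safe scheme (so "javascript:" URLs are discarded).
    kept = []
    for name, value in ATTR_RE.findall(raw):
        lname = name.lower()
        if lname not in ALLOWED_ATTRS.get(tag, set()):
            continue
        v = value.strip("\"'")
        if lname == "href" and not v.lower().lstrip().startswith(SAFE_SCHEMES):
            continue
        esc = v.replace('"', "&quot;")
        kept.append(f'{lname}="{esc}"')
    return (" " + " ".join(kept)) if kept else ""


def sanitize(html: str, is_allowed=strict_is_allowed) -> str:
    def repl(m):
        slash, name, attrs = m.group(1), m.group(2).lower(), m.group(3)
        if not is_allowed(name):
            # Disallowed tag: escape it so the reader sees text, not markup.
            return m.group(0).replace("<", "&lt;").replace(">", "&gt;")
        if slash:
            return f"</{name}>"
        return f"<{name}{clean_attrs(name, attrs)}>"
    return TAG_RE.sub(repl, html)
```

The regex approach is only to show the allow-list logic; for a production board use a maintained HTML sanitizer library rather than hand-rolled patterns, which miss malformed markup that browsers still render.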
