Question about HTML and security

ferrethouse2004
Registered User
Posts: 80
Joined: Mon Oct 04, 2004 2:28 am

Question about HTML and security

Post by ferrethouse2004 »

I implemented a mod to allow YouTube videos but it didn't work. So I've enabled HTML on my forums and added embed, param, object as allowed tags. Is this a bad move?
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Re: Question about HTML and security

Post by Techie-Micheal »

ferrethouse2004 wrote: I implemented a mod to allow YouTube videos but it didn't work. So I've enabled HTML on my forums and added embed, param, object as allowed tags. Is this a bad move?
Unfortunately yes. Potential XSS (though the phpBB parsing engine tries its best to prevent that), and various other problems can arise.
Proven Offensive Security Expertise. OSCP - GXPN
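
An alternative to enabling raw HTML with embed, param and object allowed, shown as an added example (not from the thread and not phpBB's own code): accept only a YouTube link, validate it, and let the server generate the player markup. The function names, the 11-character ID pattern and the iframe markup are assumptions of this example.

```php
<?php
// Added example: hypothetical helpers, not part of phpBB.
// Users never supply markup; they supply a link, and only a validated
// video ID is copied into HTML that the server writes itself.

function extract_youtube_id(string $input): ?string
{
    $parts = parse_url(trim($input));
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Only plain http(s) links with no credentials or port are accepted.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        || isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return null;
    }
    $host = strtolower($parts['host']);
    $path = $parts['path'] ?? '';
    $id = null;
    if ($host === 'youtu.be') {
        $id = ltrim($path, '/');
    } elseif (in_array($host, ['youtube.com', 'www.youtube.com'], true) && $path === '/watch') {
        parse_str($parts['query'] ?? '', $query);
        $id = $query['v'] ?? null;   // may be an array if "v[]=" was sent
    }
    // Assumed ID format: exactly 11 characters from [A-Za-z0-9_-].
    // \A and \z anchor the whole string, so nothing can trail the ID.
    if (!is_string($id) || preg_match('/\A[A-Za-z0-9_-]{11}\z/', $id) !== 1) {
        return null;
    }
    return $id;
}

function render_youtube_embed(string $input): string
{
    $id = extract_youtube_id($input);
    if ($id === null) {
        // Anything unrecognised is shown as inert, escaped text.
        return htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
    }
    return '<iframe width="560" height="315" src="https://www.youtube.com/embed/'
        . $id . '" allowfullscreen></iframe>';
}

// Constructed sample inputs (the video ID is a placeholder).
foreach (['https://www.youtube.com/watch?v=AAAAAAAAAAA',
          'https://youtu.be/AAAAAAAAAAA',
          'https://www.youtube.com/watch?v=AAAAAAAAAAA"><b>x</b>',
          'https://example.com/watch?v=AAAAAAAAAAA'] as $sample) {
    echo render_youtube_embed($sample), PHP_EOL;
}
```

With this approach HTML can stay disabled for posts, since the only user-controlled value that reaches the page is an ID that matched the strict pattern.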
comperr
Registered User
Posts: 581
Joined: Mon May 08, 2006 2:35 am

Post by comperr »

Also, I can embed certain things that would mess up your forum... I won't, but I can.