Custom BBCodes [Deprecated]

Get help developing custom BBCodes or request one.
Noxwizard
Support Team Leader
Support Team Leader
Posts: 10348
Joined: Mon Jun 27, 2005 8:41 pm
Location: Texas, USA
Name: Patrick Webster

Re: Custom BBCodes

Post by Noxwizard » Sun Jul 25, 2010 10:33 pm

You may have noticed that we try to remove or update vulnerable bbcodes as we see them. We are not in the habit of posting exploitable code, much less a means to exploit other boards, which is what you're wanting posted.

As for the bbcode you posted, having that TEXT field there is bad enough, having it in a style attribute is even worse.

If you're really wanting to know, then the only thing I can suggest for you is to do some research on it. Sites like OWASP and CGISecurity would be a good place to start.

If you want basic guidelines beyond what the legend says, then here are a few off the top of my head:
  • Don't use TEXT inside of HTML tags
  • Don't pass a URL straight into an iframe, object, embed, etc...
  • If you need the above, restrict the URL to a specific site and use the remaining tokens. For the latter two, be sure to set the parameters appropriately.

therp
Registered User
Posts: 55
Joined: Sun Jul 19, 2009 7:37 pm

Re: Custom BBCodes

Post by therp » Mon Jul 26, 2010 1:59 am

Hi. This is a very useful thread. 189 pages makes it hard to follow though :lol:

I'm not sure if that was addressed, or if it's doable, but is there a BBCode to display a certain text? For example, is there a BBCode to make a button that, when clicked, would display a pre-set phrase, like "hello all" for example?

Thanks a lot.

tbackoff
Former Team Member
Posts: 7022
Joined: Thu Jun 04, 2009 1:41 am
Location: cheerleading practice
Name: Tabitha Backoff

Re: Custom BBCodes

Post by tbackoff » Mon Jul 26, 2010 3:05 am

BBCode usage:

[phrase][/phrase]

HTML Replacement:

<span>Hello World</span>

Replace "Hello World" with your text.

therp
Registered User
Posts: 55
Joined: Sun Jul 19, 2009 7:37 pm

Re: Custom BBCodes

Post by therp » Mon Jul 26, 2010 7:27 am

t_backoff wrote:BBCode usage:

[phrase][/phrase]

HTML Replacement:

<span>Hello World</span>

Replace "Hello World" with your text.
Thanks a lot t_backoff. This works nicely. I just have a couple of questions though. Is there a way to display an image on the button instead of showing "Phrase"? The second would be, when pressed during editing, this bbcode shows as [phrase][/phrase], which might get people wondering what they should put in between. Is there a way to get the code to show only one, or maybe put the "Hello world" on the spot in the editor?

Again, thanks a lot for your support.

ric323
Former Team Member
Posts: 22909
Joined: Tue Feb 06, 2007 12:33 am
Location: Melbourne, Australia
Name: Ric

Re: Custom BBCodes

Post by ric323 » Mon Jul 26, 2010 8:43 am

therp wrote: Is there a way to display an image on the button instead of showing "Phrase"?
Yes, you just need to add appropriate HTML to display an image.
therp wrote: The second would be, when pressed during editing, this bbcode shows as [phrase][/phrase], which might get people wondering what they should put in between. Is there a way to get the code to show only one, or maybe put the "Hello world" on the spot in the editor?
No. That is how bbcodes work.

Rather than asking for bits and pieces, why don't you actually explain what you are trying to do?

AmigoJack
Registered User
Posts: 5659
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: Custom BBCodes

Post by AmigoJack » Mon Jul 26, 2010 9:48 am

Pony99CA wrote:if something like:

[b]{TEXT}[/b]

properly handles attempts between start and end tags to include HTML in the {TEXT}, why wouldn't it properly handle similar things inside an HTML tag or attribute?
Because it makes a difference whether we have to deal with random text inside of an HTML tag

<a href="javascript:alert('hi');">foo</a>

or with random text outside of the HTML tag (which is the tag's value/content)

<a href="#">javascript:alert('hi');</a>

The warning is not theoretical, since it simply does not know if there might be a user lame enough to consider a BBCode replacement like

<a onmouseover="{TEXT1}">{TEXT2}</a>

because this would definitely allow execution of (at least) javascript.

updown
Registered User
Posts: 542
Joined: Sat Jan 05, 2008 6:53 am

Re: Custom BBCodes

Post by updown » Mon Jul 26, 2010 10:10 am

Noxwizard wrote:If you're really wanting to know, then the only thing I can suggest for you is to do some research on it. Sites like OWASP and CGISecurity would be a good place to start.
Thanks! I understand your general position and the security policy of phpBB.com. The problem is that I HAVE TO use {TEXT} inside BBCode tags - there is no way around it. Also, I have to use direct URLs with iframes etc., as you have pointed out. All my research came to known XSS entries referenced at http://ha.ckers.org/xss.html - which are all NOT possible within the phpBB environment with {TEXT} or {URL}, either with encryption or other encoding tricks I've read about.

Now I am a sitting duck. I MUST use these "insecure" BBCodes, with no idea WHERE the risk is. I have no possibility to filter input individually when I get no advice on what to look for.

So again, PLEASE, give me advice on WHERE the problem is here :?
AmigoJack wrote:The warning is not theoretical, since it simply does not know if there might be a user lame enough to consider a BBCode replacement like

<a onmouseover="{TEXT1}">{TEXT2}</a>

because this would definitely allow execution of (at least) javascript.
That is clear - I totally agree that this case IS a problem. But I can't see any problem here, although the supporters point out that this IS a problem:

<a href="http://myurlxxxx.com/index.php?q={TEXT}">...</a>

Pony99CA
Registered User
Posts: 4783
Joined: Thu Sep 30, 2004 3:13 pm
Location: Hollister, CA
Name: Steve

Re: Custom BBCodes

Post by Pony99CA » Tue Jul 27, 2010 10:24 am

AmigoJack wrote:
Pony99CA wrote:if something like:

[b]{TEXT}[/b]

properly handles attempts between start and end tags to include HTML in the {TEXT}, why wouldn't it properly handle similar things inside an HTML tag or attribute?
Because it makes a difference whether we have to deal with random text inside of an HTML tag

<a href="javascript:alert('hi');">foo</a>

or with random text outside of the HTML tag (which is the tag's value/content)

<a href="#">javascript:alert('hi');</a>
Yes, I know that the parsing is different, but it's not "random" text. The text contains "javascript:" in it. Why can't phpBB call a "sanitize" function on {TEXT} used inside HTML tags? Is sanitizing a string that difficult? It's done to prevent SQL injection and HTML injection in phpBB already.

Alternatively, if you want to allow that, require specifying a group that is allowed to use custom BBCodes. Most BBCodes could be used by Registered Users, but maybe some would only be available to Administrators.
AmigoJack wrote:The warning is not theoretical, since it simply does not know if there might be a user lame enough to consider a BBCode replacement like

<a onmouseover="{TEXT1}">{TEXT2}</a>

because this would definitely allow execution of (at least) javascript.
That's true. I've written an XSS demonstration post at my site (it doesn't really allow XSS; it just shows how it could be done).


spacemonkiee
Registered User
Posts: 1
Joined: Tue Jul 27, 2010 6:01 pm

Re: Custom BBCodes

Post by spacemonkiee » Tue Jul 27, 2010 6:07 pm

Does anyone know the BBCode to embed a video clip from http://video.msn.com? I've searched the thread but haven't been able to find anything that can help.

It's for the clip: http://video.msn.com/?mkt=en-US&from=sp ... b450462d2f

If that helps.

updown
Registered User
Posts: 542
Joined: Sat Jan 05, 2008 6:53 am

Re: Custom BBCodes

Post by updown » Tue Jul 27, 2010 7:31 pm

Pony99CA wrote:Why can't phpBB call a "sanitize" function on {TEXT} used inside HTML tags? Is sanitizing a string that difficult? It's done to prevent SQL injection and HTML injection in phpBB already.
I understand that XSS is never as simple as in these examples. There are a lot of known and still unknown vectors for breaking up tags or injecting code otherwise, so an "ultimate" function for sanitizing code is never as good as a total warning (different browser types also complicate this).

BUT: There should be some support to help skilled admins write their own routines if they know what they are doing. The actual (dis-)information in the name of security is crap. BBCode was invented to allow secure input on the user side. Many BBCodes can't be used without {TEXT}, but we are told to limit this. WHY? Because we are told to do so. What can we do about it in special cases? Nothing, or ignore it. Can we ignore it without knowing where the risk is? Not a good idea. Does anybody tell us where the risk is? No. Come on guys, you call this "support"? Either tell us straight what we can do alternatively, or make BBCode practical as it is meant to be. This general "You just have to believe us, since we don't give you information about possible leaks, it could be used to inject code" policy is so totally absurd and irresponsible. I really feel pissed off by this bunch of ignorance :evil:

AmigoJack
Registered User
Posts: 5659
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: Custom BBCodes

Post by AmigoJack » Tue Jul 27, 2010 7:56 pm

updown wrote:[...] to help skilled admins for writing their own routines if they know what they do [...]
So where's the problem? I would code my own token and run its text through a regexp pattern. Done. Or is extending phpBB beyond "skilled admins" already?

You also explained it yourself: you cannot think of any possible intrusion. This blacklist thinking only helps you against known holes. Strictly speaking, you don't even need to know any example exploit. Think whitelist. Only allow what you know.

Showing an exploit here helps ...I might say... a handful of people, because they're able to comprehend and write code against this. The majority of people only use phpBB (even without understanding the very basics sometimes - see the questions being opened here every day). An uncountable number of guests see the exploit and copy it to use it for their own advantage.

I'd publish an exploit, since I tend to say "if people don't care about the details while using something it's their own fault (aka knowledge is power)". But this is only my point of view. If the phpBB support team does not want to publish any explicit example it's their decision.

updown
Registered User
Posts: 542
Joined: Sat Jan 05, 2008 6:53 am

Re: Custom BBCodes

Post by updown » Tue Jul 27, 2010 8:48 pm

AmigoJack wrote:
updown wrote:[...] to help skilled admins for writing their own routines if they know what they do [...]
So where's the problem? I would code my own token and run its text through a regexp pattern. Done. Or is extending phpBB beyond "skilled admins" already?
Of course, my boards are heavily modded with more than 200 homebrewed changes (+150 personally extended MODs and extensions not counted), tunings and optimizations; I know phpBB like my jacket and I'm aware of nearly every function and its purpose. But I am no XSS or CSRF specialist; here I need support. To run a regex is simple, but you have to know what expression to look for!

Summary: ALL possible XSS entries that I've found DO NOT WORK within phpBB on constructions like

<a href="http://myurl.com/index.php?q={TEXT}">...</a>

but some supporters keep telling me that there IS a possible injection point in SUCH A SPECIAL construction (without giving proof, of course). So here I stand begging for more information about that, or call them supporters of smattering!

edit:
AmigoJack wrote:I'd publish an exploit, since I tend to say "if people don't care about the details while using something it's their own fault (aka knowledge is power)". But this is only my point of view. If the phpBB support team does not want to publish any explicit example it's their decision.
Feel free to send me a PM if you or someone else found out!

Spectral
Registered User
Posts: 28
Joined: Wed Jul 07, 2010 12:33 pm

Re: Custom BBCodes

Post by Spectral » Fri Jul 30, 2010 10:00 pm

Does anyone have a videoweed bbcode?

ric323
Former Team Member
Posts: 22909
Joined: Tue Feb 06, 2007 12:33 am
Location: Melbourne, Australia
Name: Ric

Re: Custom BBCodes

Post by ric323 » Fri Jul 30, 2010 10:11 pm

Spectral wrote:anyone has videoweed bbcode ?
You'd get a much quicker response if you did a little legwork yourself.
What exactly is "videoweed"?
Do you have some suggested code to embed one on a web page?
or a link to a page showing one?

Spectral
Registered User
Posts: 28
Joined: Wed Jul 07, 2010 12:33 pm

Re: Custom BBCodes

Post by Spectral » Fri Jul 30, 2010 10:22 pm

http://www.videoweed.com/file/n82cy3l8rxrau

<iframe width='600' height='480' frameborder='0' src='http://embed.videoweed.com/embed.php?v=n82cy3l8rxrau&width=600&height=480' scrolling='no'></iframe>

[VideoWeed]id[/VideoWeed]

That may help, I hope.
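
The context argument in AmigoJack's post, updown's `?q={TEXT}` question and Noxwizard's guideline (fix the host in the template, use a restricted token for the rest) as one added PHP example, not phpBB's own parser: the token patterns are modelled on phpBB3's {NUMBER} and {SIMPLETEXT} descriptions, and the function names are hypothetical.

```php
<?php
// Added example, not phpBB code: a minimal BBCode renderer showing that the
// token type and the HTML context together decide whether a replacement is safe.
// Token patterns modelled on phpBB3's {NUMBER} / {SIMPLETEXT}; names hypothetical.

// Per-token validation. Returns null when the value must be rejected.
function validate_token(string $type, string $value): ?string
{
    switch ($type) {
        case 'NUMBER':     return preg_match('/^[0-9]+$/', $value) ? $value : null;
        case 'SIMPLETEXT': return preg_match('/^[a-zA-Z0-9+.,_ -]+$/', $value) ? $value : null;
        case 'TEXT':       return $value;  // unrestricted: safe only as element content
        default:           return null;
    }
}

// Substitutes {TOKEN} placeholders in the HTML replacement.
// $tokens maps placeholder name => token type; $in_url lists placeholders that
// land inside a URL attribute and are therefore URL-encoded as well, so that
// characters such as & # ? cannot reshape the query string of the fixed host.
function render_bbcode(string $template, array $tokens, array $values, array $in_url = []): ?string
{
    foreach ($tokens as $name => $type) {
        $v = validate_token($type, $values[$name] ?? '');
        if ($v === null) {
            return null;                                 // reject the whole BBCode use
        }
        if (in_array($name, $in_url, true)) {
            $v = rawurlencode($v);                       // encode for the URL context first...
        }
        $v = htmlspecialchars($v, ENT_QUOTES, 'UTF-8');  // ...then for the HTML context
        $template = str_replace('{' . $name . '}', $v, $template);
    }
    return $template;
}

// Element content: the [b]{TEXT}[/b] case from the thread; HTML-escaping is enough here.
echo render_bbcode('<b>{TEXT}</b>', ['TEXT' => 'TEXT'], ['TEXT' => '<i>x</i> & "y"']), "\n";

// Embed case: the host is fixed in the template and the video id is a restricted token.
$embed = "<iframe width='600' height='480' frameborder='0' "
       . "src='http://embed.videoweed.com/embed.php?v={SIMPLETEXT}' scrolling='no'></iframe>";
$tok = ['SIMPLETEXT' => 'SIMPLETEXT'];
echo render_bbcode($embed, $tok, ['SIMPLETEXT' => 'n82cy3l8rxrau'], ['SIMPLETEXT']), "\n";

// A URL-shaped value is not a valid id, so nothing reaches the attribute at all.
var_dump(render_bbcode($embed, $tok, ['SIMPLETEXT' => 'http://other.example/x'], ['SIMPLETEXT']));
```

For the `?q={TEXT}` link updown asks about, the same two-step encoding applies: HTML-escaping keeps the value inside the attribute, but only URL-encoding (or a restricted token) keeps it inside that one query parameter.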
