BBcodes NOT safe?!?!?!?!?!?!


Post by Praetorian Guard » Mon Feb 01, 2010 8:26 pm

Ok, anyone else know what the problem may be? I usually go between this board and phpbb3codes

http://www.phpbb3bbcodes.com

but when I try to log on to the site I get this:

Board unavailable
Board temporarily closed due to a serious vulnerability in some bbcodes. You MUST delete every bbcode you got from here using {TEXT} inside the html tags! We will be back with more info later.



So do I need to disable bbcodes???? Delete them, or what?? I hope that this thread is pertinent. Thanks!
Praetorian Guard
Registered User
 
Posts: 789
Joined: Wed Oct 07, 2009 12:42 am

Re: BBcodes NOT safe?!?!?!?!?!?!

Post by Pit$Bull » Mon Feb 01, 2010 8:29 pm

We can't help with anything downloaded from a non phpBB.com site and have no way to advise you.
Pit$Bull
Former Team Member
 
Posts: 23099
Joined: Sat Dec 02, 2006 4:08 pm
Name: Can't Remember

Re: BBcodes NOT safe?!?!?!?!?!?!

Post by Praetorian Guard » Mon Feb 01, 2010 8:33 pm

Pit$Bull wrote: We can't help with anything downloaded from a non phpBB.com site and have no way to advise you.

Not sure I understand. So you are saying that the bbcodes function in phpbb3 (in my case 3.05), ADMIN-> POSTING -> bbcodes is safe, using the terms {TEXT}? Because that's how I understood the warning on the other site. I have a few bbcodes that I made that utilize {TEXT}. What are your thoughts on this? Am I looking at this wrong? Thanks again!
Praetorian Guard
Registered User
 
Posts: 789
Joined: Wed Oct 07, 2009 12:42 am

Re: BBcodes NOT safe?!?!?!?!?!?!

Post by Brf » Mon Feb 01, 2010 8:37 pm

Any of the BBCodes which use {TEXT} inside an HTML tag are not safe.
Brf
Support Team Member
 
Posts: 46788
Joined: Tue May 10, 2005 7:47 pm

Re: BBcodes NOT safe?!?!?!?!?!?!

Post by stevemaury » Mon Feb 01, 2010 8:38 pm

As the ACP tells you.
{TEXT} Any text, including foreign characters, numbers, etc… You should not use this token in HTML tags. Instead try to use IDENTIFIER or SIMPLETEXT.
For REALLY good and VERY inexpensive hosting CLICK HERE

http://www.stevesstocks.com

All unsolicited PMs will be ignored.
stevemaury
Support Team Member
 
Posts: 44069
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve

Re: BBcodes NOT safe?!?!?!?!?!?!

Post by Praetorian Guard » Mon Feb 01, 2010 8:39 pm

Brf wrote: Any of the BBCodes which use {TEXT} inside an HTML tag are not safe.



Oh, ok. So these would be in MODS, I assume where possible HTML sheets had to be changed? If so, that sucks, because I don't know if any of my mods had this in it...
Praetorian Guard
Registered User
 
Posts: 789
Joined: Wed Oct 07, 2009 12:42 am

Re: BBcodes NOT safe?!?!?!?!?!?!

Post by Brf » Mon Feb 01, 2010 8:40 pm

This has nothing to do with mods. These are Custom BBCodes.
Brf
Support Team Member
 
Posts: 46788
Joined: Tue May 10, 2005 7:47 pm

Re: BBcodes NOT safe?!?!?!?!?!?!

Post by stevemaury » Mon Feb 01, 2010 8:41 pm

No, not in MODs - in custom BBCodes.
stevemaury
Support Team Member
 
Posts: 44069
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve

Re: BBcodes NOT safe?!?!?!?!?!?!

Post by Praetorian Guard » Mon Feb 01, 2010 8:42 pm

OK, I'm totally confused now. So if I used {TEXT} and {NUMBER}, etc. in bbcodes for youtube videos, etc. am I at risk? If so, how do I get the bbcodes to work without using "{TEXT}"?? Thanks again for the clarification.
Praetorian Guard
Registered User
 
Posts: 789
Joined: Wed Oct 07, 2009 12:42 am

Re: BBcodes NOT safe?!?!?!?!?!?!

Post by Brf » Mon Feb 01, 2010 8:44 pm

If you used {TEXT}, then it is probably at risk, depending on what the HTML replacement looked like.
Brf
Support Team Member
 
Posts: 46788
Joined: Tue May 10, 2005 7:47 pm

Re: BBcodes NOT safe?!?!?!?!?!?!

Post by marian0810 » Mon Feb 01, 2010 8:44 pm

Brf wrote: Any of the BBCodes which use {TEXT} inside an HTML tag are not safe.

So between html tags it's all right?
Bring me knitting.
marian0810
Moderator Team Member
 
Posts: 2766
Joined: Mon May 21, 2007 9:17 pm
Location: The Netherlands
Name: Marian

Re: BBcodes NOT safe?!?!?!?!?!?!

Post by Brf » Mon Feb 01, 2010 8:48 pm

I dunno. It was Marshalrusty who pointed out the problem. I am sure there must be some safe applications of {TEXT}, otherwise they would not have included it as a tag.
Brf
Support Team Member
 
Posts: 46788
Joined: Tue May 10, 2005 7:47 pm

Re: BBcodes NOT safe?!?!?!?!?!?!

Post by Praetorian Guard » Mon Feb 01, 2010 9:07 pm

Brf wrote: I dunno. It was Marshalrusty who pointed out the problem. I am sure there must be some safe applications of {TEXT}, otherwise they would not have included it as a tag.

That's what I was also wondering. I double checked my usage of "{TEXT}" in my bbcodes and they do not appear WITHIN the HTML tag itself, just contained BETWEEN the HTML tag. Hopefully some others can comment on it. I'm with you though, why allow the {TEXT} tag if it's dangerous... has to be used for something... thanks again!
Praetorian Guard
Registered User
 
Posts: 789
Joined: Wed Oct 07, 2009 12:42 am

Re: BBcodes NOT safe?!?!?!?!?!?!

Post by smartcooky » Mon Feb 01, 2010 9:13 pm

Just about every common use of {TEXT} is between html tags. e.g.

<marquee>{TEXT}</marquee>

In which case, there will be MANY MILLIONS of unsafe BBCodes out there, so I have to ask, when they say "You MUST delete every bbcode you got from here using {TEXT} inside the html tags!", do they mean

<HTML>{TEXT}</HTML>

or

<HTML{TEXT}>{TOKEN}</HTML>
smartcooky
Registered User
 
Posts: 15
Joined: Thu Nov 01, 2007 9:15 am

Re: BBcodes NOT safe?!?!?!?!?!?!

Post by Brf » Mon Feb 01, 2010 9:22 pm

Well.... Suppose you made a tag to allow the user to change the font of his text.

Code:
[myfont={TEXT1}]{TEXT2}[/myfont]

Replacement:
Code:
<span style="font: {TEXT1}">{TEXT2}</span>

Then I use it like this:

Code:
[myfont=Courier" onclick="window.open('http://www.example.com');" style="color:red;]xxxxx[/myfont]

The result would be
Code:
<span style="font: Courier" onclick="window.open('http://www.example.com');" style="color:red;">xxxxx</span>
Brf
Support Team Member
 
Posts: 46788
Joined: Tue May 10, 2005 7:47 pm
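
Added example (not part of the original thread and not phpBB code): a small Python audit for the inside-versus-between question raised above, flagging {TEXT}-style tokens that sit inside an HTML tag in a custom BBCode's HTML replacement. The function names and BBCode names are assumptions of this example; the sample replacements are the ones quoted in the posts above.

```python
import re

# Free-text tokens ({TEXT}, {TEXT1}, ...) accept arbitrary input; the ACP
# text quoted in the thread says not to use them in HTML tags.
FREE_TEXT_TOKEN = re.compile(r"\{TEXT\d*\}")
TAG_NAME = re.compile(r"</?\s*([A-Za-z0-9]*)")

def tokens_inside_tags(replacement):
    """Return (token, tag_name) for each free-text token placed inside a tag,
    i.e. between '<' and '>' (tag name or attribute position)."""
    findings = []
    in_tag, quote, tag_start, i = False, None, 0, 0
    while i < len(replacement):
        token = FREE_TEXT_TOKEN.match(replacement, i)
        if token:
            if in_tag:
                name = TAG_NAME.match(replacement, tag_start).group(1)
                findings.append((token.group(0), name))
            i = token.end()
            continue
        ch = replacement[i]
        if not in_tag:
            if ch == "<":
                in_tag, tag_start = True, i
        elif quote:                      # inside a quoted attribute value
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == ">":
            in_tag = False
        i += 1
    return findings

# HTML replacements quoted in the thread, keyed by hypothetical BBCode names.
SAMPLES = {
    "marquee": "<marquee>{TEXT}</marquee>",
    "myfont": '<span style="font: {TEXT1}">{TEXT2}</span>',
    "in_tag": "<HTML{TEXT}>{TOKEN}</HTML>",
}

def audit(bbcodes):
    """Map each BBCode name to its findings, keeping only flagged ones."""
    results = {name: tokens_inside_tags(html) for name, html in bbcodes.items()}
    return {name: hits for name, hits in results.items() if hits}

if __name__ == "__main__":
    for name, hits in audit(SAMPLES).items():
        print(name, hits)
```

A clean result only shows that no free-text token sits in tag or attribute position; it says nothing about how the board escapes text placed between tags.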
