BBcodes NOT safe?!?!?!?!?!?!

END OF SUPPORT: 1 January 2017 (announcement)
RMcGirr83
Former Team Member
Posts: 22016
Joined: Wed Jun 22, 2005 4:33 pm
Location: Your display
Name: Rich McGirr

Re: BBcodes NOT safe?!?!?!?!?!?!

Post by RMcGirr83 »

The feature wasn't designed with the expectation that people are going to copy->paste stuff from other websites without reading the descriptions
Then what is the purpose of this topic?

There are many, many, many custom bbcode snippets in that topic that have the {TEXT} token within html tags. I even started a topic in the QA forums concerning this but I guess it isn't that big of a deal because out of 17 views there hasn't been one response. Maybe not the most correct forum to place the topic in....
Former Modifications/Extensions Team Member | My extensions | github | All requests for support via PM will be ignored
Appreciate the extensions/mods/support then buy me a beer
Marshalrusty
Project Manager
Posts: 29334
Joined: Mon Nov 22, 2004 10:45 pm
Location: New York City
Name: Yuriy Rusko

Re: BBcodes NOT safe?!?!?!?!?!?!

Post by Marshalrusty »

RMcGirr83 wrote:
The feature wasn't designed with the expectation that people are going to copy->paste stuff from other websites without reading the descriptions
Then what is the purpose of this topic?

There are many, many, many custom bbcode snippets in that topic that have the {TEXT} token within html tags. I even started a topic in the QA forums concerning this but I guess it isn't that big of a deal because out of 17 views there hasn't been one response. Maybe not the most correct forum to place the topic in....
I'm not saying that I expect every board administrator to understand the BBCode system front to back, but they should still be aware of what is being added (and at least have read the description). I do, however, expect those who provide the BBCodes to know what they are doing and not provide obviously vulnerable ones. I mean, you did have an entire site dedicated to the thing, right?

That topic needs to be replaced as well.
🇺🇦 Made in Ukraine, exported to the USA 🇺🇸

Have comments/praise/complaints/suggestions? Please feel free to PM me.

Need private help? Hire me for all your phpBB and web development needs
RMcGirr83
Former Team Member
Posts: 22016
Joined: Wed Jun 22, 2005 4:33 pm
Location: Your display
Name: Rich McGirr

Re: BBcodes NOT safe?!?!?!?!?!?!

Post by RMcGirr83 »

MarshalRusty wrote: I mean, you did have an entire site dedicated to the thing, right?
Not my site...just helping where/when I can.

Truth be told, I was unaware (shame on me) of what token actually did what. After looking at the code, I now know...sorta, kinda. ;)

The regex code for custom bbcode tokens (includes/acp/acp_bbcode.php)


$sp_tokens = array(
    'URL'        => '(?i)((?:' . str_replace(array('!', '\#'), array('\!', '#'), get_preg_expression('url')) . ')|(?:' . str_replace(array('!', '\#'), array('\!', '#'), get_preg_expression('www_url')) . '))(?-i)',
    'LOCAL_URL'  => '(?i)(' . str_replace(array('!', '\#'), array('\!', '#'), get_preg_expression('relative_url')) . ')(?-i)',
    'EMAIL'      => '(' . get_preg_expression('email') . ')',
    'TEXT'       => '(.*?)',
    'SIMPLETEXT' => '([a-zA-Z0-9-+.,_ ]+)',
    'IDENTIFIER' => '([a-zA-Z0-9-_]+)',
    'COLOR'      => '([a-zA-Z]+|#[0-9abcdefABCDEF]+)',
    'NUMBER'     => '([0-9]+)',
);
notice {TEXT}, it passes anything and everything but I'm sure you knew that already. ;)
Former Modifications/Extensions Team Member | My extensions | github | All requests for support via PM will be ignored
Appreciate the extensions/mods/support then buy me a beer
stokerpiller
Registered User
Posts: 1934
Joined: Wed Feb 28, 2007 8:06 pm

Re: BBcodes NOT safe?!?!?!?!?!?!

Post by stokerpiller »

A lot of people didn't know this.
Including several phpbb.com Team Members.

The thing is that not using {TEXT} would mean a lot for foreign languages using special characters.
I am done with phpBB
Pony99CA
Registered User
Posts: 4783
Joined: Thu Sep 30, 2004 3:13 pm
Location: Hollister, CA
Name: Steve

Re: BBcodes NOT safe?!?!?!?!?!?!

Post by Pony99CA »

Erik Frèrejean wrote:
Pony99CA wrote: While {TEXT} probably shouldn't be used in attributes of HTML tags, I thought it was OK (and even necessary) for some BBCodes. For example, here's my Strikethrough BBCode:

BBCode usage


[s]{TEXT}[/s]
HTML replacement


<s>{TEXT}</s>
I've tried putting HTML in between the S tags and it is not rendered.

Is that really unsafe? If so, wouldn't the standard B, I and U BBCodes also be unsafe?
There is no danger here as the {TEXT} is outside the tags. It's between the tags, so the text is rendered as defined by the tags.


<s someattribute="{TEXT1}">{TEXT2}</s>
would be an issue. In this case use:


<s someattribute="{SIMPLETEXT}">{TEXT}</s>
(Notice the difference)
I understand the difference. However, here's what the ACP says:
You should not use this token in HTML tags.
I think that "in", combined with the plural "tags", is ambiguous.


<tag>{TEXT}</tag>
I think most English speakers would say that {TEXT} is both in and between HTML tags, but it is not in an HTML tag. It may just be semantics, but I think the use in the ACP is confusing.

If you accept that "between" and "in" have some overlap, the help line in the ACP should really be changed. I would say either
You should not use this token within an HTML tag.
or, more precisely,
You should not use this token within or as an HTML attribute.
If somebody doesn't know what an HTML attribute is, they probably shouldn't be writing BBCodes. ;)

Steve
Silicon Valley Pocket PC (http://www.svpocketpc.com)
Creator of manage_bots and spoof_user (ask me)
Need hosting for a small forum with full cPanel & MySQL access? Contact me or PM me.
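As an added illustration (not code from the thread or from phpBB itself), the following Python script checks the three HTML replacements above against the token regexes quoted earlier in the thread: it reports whether each token sits between tags or inside a start tag, flags {TEXT} in the latter position, and shows why the restricted tokens are the safer choice there. The tag/token matching and the sample value are assumptions of this example.

```python
import re

# Token patterns as listed in the $sp_tokens array of includes/acp/acp_bbcode.php
# (phpBB 3.0). URL, LOCAL_URL and EMAIL depend on get_preg_expression() and are
# omitted; the contrast that matters here is TEXT versus the restricted tokens.
TOKENS = {
    'TEXT': r'(.*?)',
    'SIMPLETEXT': r'([a-zA-Z0-9-+.,_ ]+)',
    'IDENTIFIER': r'([a-zA-Z0-9-_]+)',
    'COLOR': r'([a-zA-Z]+|#[0-9abcdefABCDEF]+)',
    'NUMBER': r'([0-9]+)',
}

TOKEN_RE = re.compile(r'\{([A-Z_]+)(\d*)\}')  # {TEXT}, {TEXT1}, {SIMPLETEXT}, ...
TAG_RE = re.compile(r'<[a-zA-Z][^<>]*>')      # a start tag together with its attributes


def token_accepts(name, value):
    """True when the token's regex lets the whole value through unchanged."""
    return re.fullmatch(TOKENS[name], value) is not None


def audit_template(html):
    """Locate every token in a BBCode HTML replacement and report whether it sits
    between tags ('content') or inside a start tag ('attribute'); {TEXT} in the
    latter position is flagged, matching the ACP warning discussed in the thread."""
    tags = [(m.start(), m.end()) for m in TAG_RE.finditer(html)]
    findings = []
    for m in TOKEN_RE.finditer(html):
        in_tag = any(start <= m.start() < end for start, end in tags)
        where = 'attribute' if in_tag else 'content'
        unsafe = in_tag and m.group(1) == 'TEXT'
        findings.append((m.group(0), where, 'unsafe' if unsafe else 'ok'))
    return findings


if __name__ == '__main__':
    # The three HTML replacements discussed in the thread.
    for tpl in ('<s>{TEXT}</s>',
                '<s someattribute="{TEXT1}">{TEXT2}</s>',
                '<s someattribute="{SIMPLETEXT}">{TEXT}</s>'):
        print(tpl, '->', audit_template(tpl))
    # Constructed sample value: markup passes TEXT untouched but fails SIMPLETEXT.
    sample = '<span>html</span>'
    print(token_accepts('TEXT', sample), token_accepts('SIMPLETEXT', sample))
```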
beggers
Registered User
Posts: 1257
Joined: Fri Nov 23, 2001 8:19 pm
Location: Las Vegas

Re: BBcodes NOT safe?!?!?!?!?!?!

Post by beggers »

Marshalrusty wrote: The feature wasn't designed with the expectation that people are going to copy->paste stuff from other websites without reading the descriptions.
Unfortunately, cut & pasting is exactly what most people do. Right now there is a vulnerability in a standard phpBB feature that needs to be addressed in some official way.
tbackoff
Former Team Member
Posts: 7068
Joined: Thu Jun 04, 2009 1:41 am
Location: cheerleading practice
Name: Tabitha Backoff

Re: BBcodes NOT safe?!?!?!?!?!?!

Post by tbackoff »

You should not use this token within or as an HTML attribute.
I like this sentence. It leaves (almost) no room for being mistaken.
Flying is the second best thrill to cheerleaders; being caught is the first.
Marshalrusty
Project Manager
Posts: 29334
Joined: Mon Nov 22, 2004 10:45 pm
Location: New York City
Name: Yuriy Rusko

Re: BBcodes NOT safe?!?!?!?!?!?!

Post by Marshalrusty »

beggers wrote: Unfortunately, cut & pasting is exactly what most people do. Right now there is a vulnerability in a standard phpBB feature that needs to be addressed in some official way.
While we are indeed examining various ways of addressing this, it is no more a vulnerability than the <--PHP--> template switch (since that can be used to add vulnerable code). There are many things that an administrator can do to make their board less secure.
🇺🇦 Made in Ukraine, exported to the USA 🇺🇸

Have comments/praise/complaints/suggestions? Please feel free to PM me.

Need private help? Hire me for all your phpBB and web development needs
marian0810
Former Team Member
Posts: 3011
Joined: Mon May 21, 2007 9:17 pm
Location: The Netherlands
Name: Marian

Re: BBcodes NOT safe?!?!?!?!?!?!

Post by marian0810 »

Pony99CA wrote: I understand the difference. However, here's what the ACP says:
You should not use this token in HTML tags.
I think that "in", combined with the plural "tags", is ambiguous.
It's actually a lot clearer than the Dutch translation I'm using :? Not that I blame that, because I didn't even know that text was there. I have a widescreen monitor and it never occurred to me that there might be something worth scrolling all the way down for. A warning that important should really be at the top of the page.
You and me, time and space. You watch us run!
Pony99CA
Registered User
Posts: 4783
Joined: Thu Sep 30, 2004 3:13 pm
Location: Hollister, CA
Name: Steve

Re: BBcodes NOT safe?!?!?!?!?!?!

Post by Pony99CA »

marian0810 wrote: I have a widescreen monitor and it never occurred to me that there might be something worth scrolling all the way down for. A warning that important should really be at the top of the page.
Agreed. There should be an intrapage link to the token list just below the following text:
BBCode is a special implementation of HTML offering greater control over what and how something is displayed. From this page you can add, remove and edit custom BBCodes.
I suggest something like "Please see the token list below for the tokens available and important usage information."

It's obvious that people have been missing that list, so that should make them aware of it.

Steve
Silicon Valley Pocket PC (http://www.svpocketpc.com)
Creator of manage_bots and spoof_user (ask me)
Need hosting for a small forum with full cPanel & MySQL access? Contact me or PM me.