enabling HTML in phpbb3?

Get help with installation and running phpBB 3.0.x here. Please do not post bug reports, feature requests, or MOD-related questions here.
END OF SUPPORT: 1 January 2017 (announcement)
nekkidblogger
Registered User
Posts: 5
Joined: Mon Jul 18, 2011 5:49 pm

Re: enabling HTML in phpbb3?

Post by nekkidblogger » Tue Jul 19, 2011 2:11 am

I can see that allowing users to post html may be a risk. However, allowing admins to do it should be ok and should actually be included as an option.

After all, I can change the code in any of the files on my server? And I can't use a div in a post I make or include an amazon ad in an iframe? C'mon!! That smells of "Big Brother"-mentality! Really.

I run a dozen blogs using WordPress, and I use HTML in the posts every day. I really can't see it being more of a risk in phpBB than in WordPress?!?

Besides, it's the wrong philosophy! It should be: The software is wrong, the user is right. And not "No guys, we will not allow you to do that. That's not how we like to use our software."

So get it back in, is my advice!

relicanth
Registered User
Posts: 7
Joined: Fri Dec 29, 2006 4:22 pm
Location: Rimini - Italy

Re: enabling HTML in phpbb3?

Post by relicanth » Thu Sep 15, 2011 6:21 pm

I can see that allowing users to post html may be a risk. However, allowing admins to do it should be ok and should actually be included as an option.

After all, I can change the code in any of the files on my server? And I can't use a div in a post I make or include an amazon ad in an iframe? C'mon!! That smells of "Big Brother"-mentality! Really.

I run a dozen blogs using WordPress, and I use HTML in the posts every day. I really can't see it being more of a risk in phpBB than in WordPress?!?

Indeed mates... this is a big lack in phpbb.
I'm the admin ffs, you can't deny me to use html in posts! That's ridiculous...

and that's why you have been owned by wordpress, with wordpress with a simple plugin I can use a
[php] include("anypage.php"); [/php]
with any php code such as mysql queries



and for what? to protect users from being scammed by admins?
lol, if I would scam my user I would just add a
@mysql_query("insert into scamtable (user,pass) values ($_POST['user'], $_POST['pass'])");
in the login page and get all their passwords...

Mick
Support Team Member
Posts: 21148
Joined: Fri Aug 29, 2008 9:49 am
Location: Watching cricket - definitely

Re: enabling HTML in phpbb3?

Post by Mick » Thu Sep 15, 2011 6:28 pm

You won't find help here how to circumvent phpBB security measures whether you think it's right or wrong.
"The more connected we get the more alone we become" - Kyle Broflovski

Erik Frèrejean
Former Team Member
Posts: 9899
Joined: Tue Oct 09, 2007 9:09 am
Location: The Netherlands, 3.0.x Support Forum
Name: Erik Frèrejean

Re: enabling HTML in phpbb3?

Post by Erik Frèrejean » Thu Sep 15, 2011 9:28 pm

relicanth wrote:Indeed mates... this is a big lack in phpbb.
I'm the admin ffs, you can't deny me to use html in posts! That's ridiculous...
What happens if you quote a post that contains malicious code that will be parsed because you as administrator post it?
I don't give support via PM or IM! (all unsolicited pms will be trashed!)

Pimlico Flats
Registered User
Posts: 28
Joined: Fri Apr 09, 2010 11:09 pm

Re: enabling HTML in phpbb3?

Post by Pimlico Flats » Sat Nov 26, 2011 10:33 am

Mick wrote:You won't find help here how to circumvent phpBB security measures whether you think it's right or wrong.
With the greatest respect that smacks of "mother knows best". The demand for HTML is because the likes of Ning are beginning to make phpBB look quaint and outdated. I want to wordwrap pictures, or put them on the right of a post, or resize them. There will be something else tomorrow. Will the world really end if a few trusted posters can do this?

DarkBeing
Registered User
Posts: 125
Joined: Wed Mar 28, 2007 5:31 pm
Location: atm Estonia
Name: Sven

Re: enabling HTML in phpbb3?

Post by DarkBeing » Sat Nov 26, 2011 11:27 am

Yes!

marian0810
Former Team Member
Posts: 3011
Joined: Mon May 21, 2007 9:17 pm
Location: The Netherlands
Name: Marian

Re: enabling HTML in phpbb3?

Post by marian0810 » Sat Nov 26, 2011 12:36 pm

Pimlico Flats wrote:I want to wordwrap pictures, or put them on the right of a post, or resize them.
All of that is perfectly possible with a few custom bbcodes.
You and me, time and space. You watch us run!

Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Re: enabling HTML in phpbb3?

Post by Techie-Micheal » Sat Nov 26, 2011 7:18 pm

This isn't to protect users from getting "scammed by admins."

Like kinkoa, I'm a professional hacker. I spend day in and day out breaking web apps. Still today, one of the biggest problems I find is something called XSS, or Cross-Site Scripting. This is the ability for an attacker, me, to execute JavaScript, VBScript, Flash, etc. and have it do what I say.

I've found XSS that allowed me to get an admin (on a product that's not phpBB) to add code execution, without their knowledge. With XSS, I was able to take control of the server. Other XSS I've done is cookie stealers and keyloggers.

So why isn't this being "scammed by admins?" I find that examples help best. Let's say I added the following post to your board, where you allowed HTML:

Code:

Hey,

I've got a question about this camera I'm considering getting. Can you tell me what you think? <img/
src="http://images.example.com/newcamera.gif"
/**/onerror="&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;&#x3b;">
What would happen if you, the admin, quoted that post? XSS. :) And I don't have to be that obvious about it. I can obfuscate and hide it any way I please.

What about WordPress, you say? WP allows HTML, sure. They allow only certain tags. But they still manage to get XSS.

A sampling of various times and versions of WordPress:

http://www.webdesignbooth.com/wordpress ... -about-it/
http://www.sneaked.net/persistent-xss-v ... 03-ksesphp
https://nealpoole.com/blog/2011/04/file ... wordpress/

WP may be okay today, but a release tomorrow could change that. Do you really want that risk?
Proven Offensive Security Expertise. OSCP - GXPN
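
The filtering problem described in the post above, as an added example that is not part of the original thread: a hypothetical blocklist filter (`BLOCKLIST` and all function names here are assumptions) lets the post's entity-encoded `onerror` handler through, while escaping the stored post on output keeps the markup inert when it is quoted.

```python
import html
import re

# Post body from the thread, payload exactly as shown on the page.
POST = (
    "Can you tell me what you think? <img/\n"
    'src="http://images.example.com/newcamera.gif"\n'
    '/**/onerror="&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;&#x3b;">'
)

# Hypothetical blocklist of the kind used by "allow HTML, strip the bad bits" filters.
BLOCKLIST = re.compile(r"<\s*script|javascript:|alert\s*\(|document\.cookie", re.I)


def blocklist_allows(raw):
    """True when the naive filter finds nothing to object to in the raw post."""
    return BLOCKLIST.search(raw) is None


def event_handlers(raw):
    """List (attribute, decoded value) for each on*="..." attribute.

    Browsers decode character references inside attribute values before the
    handler runs, so the decoded form is what actually executes.
    """
    found = re.findall(r'\b(on\w+)\s*=\s*"([^"]*)"', raw, re.I)
    return [(name.lower(), html.unescape(value)) for name, value in found]


def render_as_text(raw):
    """Output-escape the post so the browser shows it as text, not markup."""
    return html.escape(raw, quote=True)


def quote_post(author, raw, escape_output):
    """Build the quote block an admin's reply would contain."""
    body = render_as_text(raw) if escape_output else raw
    return f"<blockquote><cite>{html.escape(author)} wrote:</cite>{body}</blockquote>"


def contains_live_img(markup):
    """True when the markup still carries a real <img> tag for the browser to parse."""
    return re.search(r"<\s*img\b", markup, re.I) is not None


if __name__ == "__main__":
    print("blocklist passes post:", blocklist_allows(POST))
    print("decoded handlers:", event_handlers(POST))
    print("raw quote has live tag:", contains_live_img(quote_post("poster", POST, False)))
    print("escaped quote has live tag:", contains_live_img(quote_post("poster", POST, True)))
```
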

boolee
Registered User
Posts: 10
Joined: Wed Mar 13, 2013 12:19 pm

Re: enabling HTML in phpbb3?

Post by boolee » Sat Mar 16, 2013 5:20 pm

Please help. I need html in phpbb3 post but only for me. I want to put something like this in the beginning of this forum, with the picture on the left and share button for social media on right side.
I tried the mod Shere but on my artodia: deluxe theme buttons are not visible. How to embed html in my posts as an administrator?

http://prntscr.com/wkb9i

stevemaury
Support Team Member
Posts: 50506
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve

Re: enabling HTML in phpbb3?

Post by stevemaury » Sat Mar 16, 2013 6:18 pm

All that can be done without html. Please post a new topic asking how to do what you want.

I can stop all your spam. I can upgrade or update your Board. PM or email me. (Paid support)

Grassman
Registered User
Posts: 56
Joined: Thu May 12, 2011 7:03 am

Re: enabling HTML in phpbb3?

Post by Grassman » Sat Mar 16, 2013 7:47 pm

I read the first page of this post, and skipped most of the rest. Enabling HTML in phpbb or any POST data would be a disaster. The equivalent would be for you to put 10,000$ USD in small bills in your mailbox and run around and tell everyone that the cash is there, you will not be home for a month and ask everyone not to steal it even though they will get away with it. What do you think will happen?

The BB interface will change anything you want from html to the safe BB codes and is pretty simple to do. You can even define the tags. I noticed you mentioned youtube embed. Very easy to do with BB code and there is no risk to your own board or other websites (on a shared hosting plan).

If you enabled html (which you cannot on phpbb anyway) within a few days your website would not exist. It is that simple. No point in trying to justify it. Consider your website *poof*

Anyway, sorry for the rant, I just saw the OP try to defend their stance on it. It is not the end user you need to worry about, it is the scripts and spiders that nail phpbb boards on a daily basis. I am sure they still check for non-sanitized forms. BOOM goes the website.

Please follow the moderator's suggestion and create a topic for whatever help you need with BB creation. The support here is fantastic.

Oyabun1
Former Team Member
Posts: 23162
Joined: Sun May 17, 2009 1:05 pm
Location: Australia
Name: Bill

Re: enabling HTML in phpbb3?

Post by Oyabun1 » Sat Mar 16, 2013 10:00 pm

Grassman wrote:Anyway, sorry for the rant, I just saw the OP try to defend their stance on it.
The OP only made one post, and besides that was 5 years ago, hardly worth commenting on now.

penwrite
Registered User
Posts: 7
Joined: Thu Jun 25, 2015 12:03 pm

Re: enabling HTML in phpbb3?

Post by penwrite » Mon Nov 23, 2015 2:07 pm

I understand the risk but I want to use HTML as Admin only, and I don't know how to go about it. Can someone help me on how to use HTML on my forum where permission is READ ONLY ACCESS?

Lumpy Burgertushie
Registered User
Posts: 66331
Joined: Mon May 02, 2005 3:11 am

Re: enabling HTML in phpbb3?

Post by Lumpy Burgertushie » Mon Nov 23, 2015 4:27 pm

you are not going to find much help here for bypassing the security of the software.


I can't think of a single case that would require you to need html in a post.

anything html that you can't do with a bbcode needs to be done on a separate page and just link to it from a post etc.

luck,
robert
I'm baaaaaccckkkk. still doing work on donation basis. PM your needs.

If a tree falls in the forest and nobody is there, does it make a sound?
