Handling User-Uploaded HTML5 Content (Replacing Flash)

Haravikk
Registered User
Posts: 261
Joined: Sat Nov 02, 2002 4:42 pm

Post by Haravikk »

So I currently have a message board which has a lot of uploaded Flash files, but with Flash generally on the decline I'm looking towards the replacements that are available.

The big advantage of Flash for a message board is that it's a single self-contained file that can easily be embedded or downloaded as preferred.

However, the main replacement going forward seems likely to be HTML5 bundles of some kind, with an HTML page (or pages), Javascript, plus images and other resources, and I'm at a bit of a loss as to how I should handle these.

Of course I can just accept .zip and other compressed formats, but these only work for users to download and run locally, whereas I'd like to retain the ability to embed content, and do so in a secure manner.


I guess I'm wondering if anyone has found another way to handle it? I could expand the uploaded archive into a folder, but this seems like it will require a sub-domain (which I already have, and I'm investigating per-user sub-domains as well) to add restrictions (e.g. no PHP support enabled), but may also require sanitising JavaScript, for example to ensure cookies are limited to the sub-domain they're available on, and to remove eval (which I have been conditioned to read as "evil" anyway).

Seems like whatever I do it's probably not going to be straightforward! :D
Arty
Former Team Member
Posts: 16654
Joined: Wed Mar 06, 2002 2:36 pm
Name: Vjacheslav Trushkin

Re: Handling User-Uploaded HTML5 Content (Replacing Flash)

Post by Arty »

HTML5 by itself doesn't add much. It's just a bunch of new tags. To replace Flash stuff you need a combination of modern HTML, CSS and JavaScript.

Inserting HTML could potentially be dangerous, so it's not a good idea. However, neither is using Flash, which, because of the massive number of security issues that can affect your operating system, is far more dangerous.

Inserting CSS could also be potentially dangerous, but it can't be used for much more than harmless pranks. So allowing it is somewhat OK if you trust your users.

Allowing users to insert JavaScript is very dangerous. It could be used to steal sessions, log login details, create posts on your behalf and other nasty stuff.

So basically it's not a good idea. But neither is allowing Flash.
Haravikk
Registered User
Posts: 261
Joined: Sat Nov 02, 2002 4:42 pm

Re: Handling User-Uploaded HTML5 Content (Replacing Flash)

Post by Haravikk »

Arty wrote: it's not a good idea. However neither is using Flash, which because of massive amounts of security issues that can affect your operating system, is far more dangerous.
That's only an issue for people viewing the Flash files; my forum moderates uploaded Flash files and I have ClamAV scanning uploaded files for known exploits at least. The site itself is never in any danger, as the files are just data otherwise.

For making simple, portable games and animations though there's not really any alternative, and since that's what the forum is about… don't exactly have a choice ;)
Arty wrote: Inserting CSS could also be potentially dangerous, but it can't be used for much more than harmless pranks. So allowing it is somewhat ok if you trust your users.
Can it do much outside of an iframe? I was thinking of hosting the CSS/JavaScript/HTML on a different sub-domain and using an iframe to embed it; this should limit a lot of the potential for abuse, plus a sub-domain lets me set different rules for nginx (so if a user tried to upload a PHP file as part of the bundle, it wouldn't be executable).
Arty wrote: Allowing to insert JavaScript is very dangerous. It could be used to steal sessions, log login details, create posts on your behalf and other nasty stuff.
This is my main concern; stealing of login credentials via session cookies is the main risk I think, since JavaScript would still be able to grab cookies for the parent domain, i.e. if the uploads are to files.example.org, then they have access to cookies for example.org.

I'm not 100% certain if JavaScript can access other sub-domains though, for example if JavaScript hosted at files.example.org could access cookies for forums.example.org? Even if they do, I may have to sanitise the JavaScript code to force them to use a specific domain, i.e. look for calls to document.cookie and other methods and force them to include a domain of files.example.org, plus disallow workarounds like eval.

Either that or maybe somehow remove all cookie access from JavaScript and replace it with a custom function call that can only set cookies for the domain I choose? Not sure what the best option is here.
Arty wrote: So basically it's not a good idea. But neither is allowing Flash.
Thanks for the advice, but the forum's purpose is the creation of these types of content, so not supporting it isn't really much of a choice ;)
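
Added example, not part of the original posts: a small model of the RFC 6265 cookie rules behind the question above of which cookies a script served from files.example.org can read through document.cookie. The cookie names and the jar contents are constructed sample data, the `sandboxedOpaqueOrigin` option is a hypothetical name for this model, and Path and Secure are ignored.

```javascript
// Added example. Cookie names and the jar are constructed sample data.
// Path and Secure are ignored to keep the model small.

// RFC 6265 section 5.1.3: a host domain-matches a cookie domain when they are
// identical or the host ends with "." + domain.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// Would document.cookie in a page served from `host` expose this cookie?
function visibleToScript(cookie, host, opts = {}) {
  // <iframe sandbox> without allow-same-origin gives the document an opaque
  // origin; reading document.cookie there throws a SecurityError.
  if (opts.sandboxedOpaqueOrigin) return false;
  if (cookie.httpOnly) return false; // HttpOnly cookies are never exposed to script
  if (cookie.domainAttr === null) {
    // No Domain attribute: host-only cookie, exact host match required.
    return host.toLowerCase() === cookie.setBy.toLowerCase();
  }
  return domainMatches(host, cookie.domainAttr);
}

function readableNames(jar, host, opts) {
  return jar.filter((c) => visibleToScript(c, host, opts)).map((c) => c.name);
}

// Constructed jar: three ways the forum could set a session cookie, plus one
// cookie set by an uploaded bundle itself.
const jar = [
  { name: "sid_wide", setBy: "forums.example.org", domainAttr: "example.org", httpOnly: false },
  { name: "sid_wide_httponly", setBy: "forums.example.org", domainAttr: "example.org", httpOnly: true },
  { name: "sid_hostonly", setBy: "forums.example.org", domainAttr: null, httpOnly: false },
  { name: "game_save", setBy: "files.example.org", domainAttr: null, httpOnly: false },
];

console.log("files.example.org:", readableNames(jar, "files.example.org"));
console.log("forums.example.org:", readableNames(jar, "forums.example.org"));
console.log("sandboxed iframe:", readableNames(jar, "files.example.org", { sandboxedOpaqueOrigin: true }));
console.log("separate domain:", readableNames(jar, "usercontent.example.net"));
```

In this model the upload host reads only the session cookie that was set with Domain=example.org and without HttpOnly; the host-only and HttpOnly variants stay out of reach, and a sandboxed frame or a separate registrable domain reads nothing.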
3Di
I've Been Banned!
Posts: 17538
Joined: Mon Apr 04, 2005 11:09 pm
Location: I'm with Ukraine 🇺🇦
Name: Marco

Re: Handling User-Uploaded HTML5 Content (Replacing Flash)

Post by 3Di »

FWIW there is a topic that started about one year ago, related to this.

The résumé of everything is there; feel free to have a look, I am just linking you to it.
viewtopic.php?p=14371496#p14371496