Is embedding HTML really as bad as I think it is?

pumpkinkid
Registered User
Posts: 91
Joined: Wed Oct 31, 2007 3:36 am


Post by pumpkinkid »

I am writing my own customized profile mod that I plan on sharing with the PHPBB community once completed. Looking at sites like MySpace, Facebook, etc., I have to ask myself... how do they do it?

I am scared to allow users to embed their own HTML code. Reason being that I know that there are many things that can go wrong with that. I know that it is simple to do... just provide a form that collects the data and stores it for later use... but that's what scares me...

How do I prevent someone from writing a script that would allow them to browse my files for example? Worse yet, since PHPBB is open source, couldn't they create a script that could give them direct access to the database?

I am sure you can see all the possible scenarios I am facing... Any ideas? Should I just put my foot down and just say no?

Please help me!

EXreaction
Former Team Member
Posts: 5666
Joined: Sun Aug 21, 2005 9:31 pm
Location: Wisconsin, U.S.
Name: Nathan

Re: Is embedding HTML really as bad as I think it is?

Post by EXreaction »

There is already at least one mod for putting HTML in posts/signatures.

It is a huge security problem as they can tell your browser to do whatever they want when you view a page (something as simple as a redirect, changing links, using some scripting to change your password, etc, etc).

As you can see, the other sites that do allow HTML and such usually are pretty limited in what can be done, plus I am sure you hear of how often vulnerabilities are found with those sites.

pumpkinkid
Registered User
Posts: 91
Joined: Wed Oct 31, 2007 3:36 am

Re: Is embedding HTML really as bad as I think it is?

Post by pumpkinkid »

Yes, I have heard... I stay away from both Myspace and Facebook because of that...

It's sad that there is no way to limit the variables that reach or leave the embedded object.... At least none that I can see...

I think I'm just going to code the most popular objects into my mod and allow users to input the data needed to make each of them work... But that can present its own problems...
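
The approach described in the last post (code specific objects into the mod and accept only the data each one needs) can look like the following. This is an added example, not part of the thread and not phpBB code; the provider list, ID patterns, iframe templates and the `render_embed` function name are assumptions made for illustration.

```php
<?php
// Added example (hypothetical names). Users never submit markup: they pick a
// provider and supply one identifier. The HTML is a fixed server-side template.
const EMBED_PROVIDERS = [
    'youtube' => [
        // Assumed ID format: exactly 11 URL-safe characters.
        'pattern'  => '/\A[A-Za-z0-9_-]{11}\z/',
        'template' => '<iframe src="https://www.youtube-nocookie.com/embed/%s" '
            . 'width="560" height="315" sandbox="allow-scripts allow-same-origin" '
            . 'referrerpolicy="no-referrer"></iframe>',
    ],
    'vimeo' => [
        // Assumed ID format: digits only.
        'pattern'  => '/\A[0-9]{1,12}\z/',
        'template' => '<iframe src="https://player.vimeo.com/video/%s" '
            . 'width="560" height="315" sandbox="allow-scripts allow-same-origin" '
            . 'referrerpolicy="no-referrer"></iframe>',
    ],
];

// Returns the embed HTML, or null when the input is not on the allowlist.
function render_embed(string $provider, string $id): ?string
{
    if (!array_key_exists($provider, EMBED_PROVIDERS)) {
        return null; // unknown provider: reject, never fall back to raw HTML
    }
    $spec = EMBED_PROVIDERS[$provider];
    // \A and \z anchor the whole string, so a trailing newline cannot slip through.
    if (preg_match($spec['pattern'], $id) !== 1) {
        return null;
    }
    // Defense in depth: encode for URL and attribute context even though the
    // pattern already restricts the characters that can appear.
    $safe = htmlspecialchars(rawurlencode($id), ENT_QUOTES, 'UTF-8');
    return sprintf($spec['template'], $safe);
}

// Constructed sample input: one well-formed ID, one markup attempt, one
// provider that is not on the list.
$samples = [
    ['youtube', 'AbCdEfGhIjK'],
    ['youtube', '"><script>alert(1)</script>'],
    ['myspace', '12345'],
];
foreach ($samples as [$provider, $id]) {
    $html = render_embed($provider, $id);
    echo $provider, ': ', $html === null ? 'rejected' : $html, "\n";
}
```

Store the provider name and ID in the database rather than the rendered HTML, so that a template can be tightened later without rewriting saved profiles.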
