Is embedding HTML really as bad as I think it is?

Posted: Thu Apr 23, 2009 11:04 pm
by pumpkinkid
I am writing my own customized profile mod that I plan on sharing with the PHPBB community once completed. Looking at sites like MySpace, Facebook, etc. I have to ask myself... how do they do it?

I am scared to allow users to embed their own HTML code. Reason being that I know that there are many things that can go wrong with that. I know that it is simple to do... just provide a form that collects the data and stores it for later use... but that's what scares me...

How do I prevent someone from writing a script that would allow them to browse my files for example? Worse yet, since PHPBB is open source, couldn't they create a script that could give them direct access to the database?

I am sure you can see all the possible scenarios I am facing... Any ideas? Should I just put my foot down and just say no?

Please help me!

Re: Is embedding HTML really as bad as I think it is?

Posted: Fri Apr 24, 2009 5:44 am
by EXreaction
There is already at least one mod for putting HTML in posts/signatures.

It is a huge security problem as they can tell your browser to do whatever they want when you view a page (something as simple as a redirect, changing links, using some scripting to change your password, etc, etc).

As you can see, the other sites that do allow HTML and such usually are pretty limited in what can be done, plus I am sure you hear of how often vulnerabilities are found with those sites.

Re: Is embedding HTML really as bad as I think it is?

Posted: Fri Apr 24, 2009 3:49 pm
by pumpkinkid
Yes, I have heard... I stay away from both Myspace and Facebook because of that...

It's sad that there is no way to limit the variables that reach or leave the embedded object.... At least none that I can see...

I think I'm just going to code the most popular objects into my mod and allow users to input the data needed to make each of them work... But that can present its own problems...
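An added example (not phpBB's code and not the mod discussed in this thread) of the approach pumpkinkid lands on in the last post: the mod stores only an object type plus its parameters, validates each parameter against a strict pattern, and builds the markup itself, so no user-written HTML ever reaches the page. The embed types, parameter patterns and templates below are assumed for illustration.

```php
<?php
// Allowlist of embed objects the mod knows how to render. The user never
// supplies markup, only a type name and the parameters listed here.
// Patterns and templates are assumptions for this example.
const EMBED_TYPES = [
    'youtube' => [
        // Assumption: an 11-character video id drawn from this character set.
        'params'   => ['id' => '/^[A-Za-z0-9_-]{11}$/'],
        'template' => '<iframe src="https://www.youtube.com/embed/{id}" width="425" height="344" frameborder="0"></iframe>',
    ],
    'image' => [
        // Only http(s) URLs ending in an image extension; no other schemes.
        'params'   => [
            'url' => '#^https?://[A-Za-z0-9.-]+(?::\d+)?/[A-Za-z0-9._~/%-]*\.(?:png|jpe?g|gif)$#i',
            'alt' => '/^[\w .,!?-]{0,80}$/',
        ],
        'template' => '<img src="{url}" alt="{alt}" />',
    ],
];

// Returns the generated HTML for a known type with valid parameters,
// or null when the object should be refused. Never falls back to raw input.
function render_embed(string $type, array $params): ?string
{
    if (!isset(EMBED_TYPES[$type])) {
        return null; // unknown object type
    }
    $spec = EMBED_TYPES[$type];
    $html = $spec['template'];
    foreach ($spec['params'] as $name => $pattern) {
        $value = $params[$name] ?? '';
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            return null; // one bad parameter rejects the whole object
        }
        // Escape on output as well, so the template stays safe even if a
        // pattern is loosened later. Store type+params in the DB, not this HTML,
        // so every profile can be re-rendered after a template fix.
        $safe = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html = str_replace('{' . $name . '}', $safe, $html);
    }
    return $html;
}

// Constructed sample inputs: the first two are accepted, the rest refused.
var_dump(render_embed('youtube', ['id' => 'dQw4w9WgXcQ']));
var_dump(render_embed('image', ['url' => 'https://example.com/pic.png', 'alt' => 'my pic']));
var_dump(render_embed('youtube', ['id' => 'abc']));                      // wrong length
var_dump(render_embed('image', ['url' => 'ftp://example.com/a.png']));   // scheme not allowed
var_dump(render_embed('flash', ['src' => 'anything']));                  // type not in allowlist
```

Because the stored record is the type and its parameters rather than finished HTML, the rendering code can be tightened later and every existing profile picks up the fix on the next page load.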