How to embed other page

Get help with installation and running phpBB 3.0.x here. Please do not post bug reports, feature requests, or MOD-related questions here.
Anti-Spam Guide
Forum rules
END OF SUPPORT: 1 January 2017 (announcement)
nadalbg
Registered User
Posts: 273
Joined: Wed Jul 16, 2008 12:58 pm
Contact:

How to embed other page

Post by nadalbg »

How do I embed other page simply when posting ?
User avatar
Phil
Former Team Member
Posts: 10403
Joined: Sat Nov 25, 2006 4:11 am
Name: Phil Crumm
Contact:

Re: How to embed other page

Post by Phil »

Do you mean you want to embed a page within the contents of your post? If so, you could create an iframe BBCode, but keep in mind that opens you up to a huge amount of potential vulnerabilities.
Moving on, with the wind. | My Corner of the Web
User avatar
Brogan
Registered User
Posts: 479
Joined: Thu Jul 10, 2008 10:12 pm
Location: Docklands, London, UK

Re: How to embed other page

Post by Brogan »

iWisdom wrote:If so, you could create an iframe BBCode, but keep in mind that opens you up to a huge amount of potential vulnerabilities.
Can you expand on that?

What exactly is the risk with having iframe BBCode?

Thanks.
User avatar
jimdunn
Registered User
Posts: 1570
Joined: Tue Mar 25, 2008 11:49 am
Location: Australia

Re: How to embed other page

Post by jimdunn »

Because if the iframe BBcode is created in such a way that the user supplies the url to be loaded in the iframe (which it would be for a "general purpose" code), that means that any web page (and any malicious code it may contain) could be embedded in your forum by way of the code.

In a discussion I saw about this, a user supposed it would be ok if he didn't make the button available for the BBcode, and gave it a name only he knew - then just made use of it himself. The flaw in that reasoning was that another user only needs to use the "Quote" button on one of his posts to see how it is constructed.
User avatar
Brogan
Registered User
Posts: 479
Joined: Thu Jul 10, 2008 10:12 pm
Location: Docklands, London, UK

Re: How to embed other page

Post by Brogan »

Thanks for the reply.

I hadn't considered the risks with allowing iframe code to be used.
nadalbg
Registered User
Posts: 273
Joined: Wed Jul 16, 2008 12:58 pm
Contact:

Re: How to embed other page

Post by nadalbg »

iWisdom wrote:Do you mean you want to embed a page within the contents of your post? If so, you could create an iframe BBCode, but keep in mind that opens you up to a huge amount of potential vulnerabilities.
Yes, I mean to embed in my post.
How can I do it anyway. I desperately want to post something in html and this seems better option than enabling html.
User avatar
jimdunn
Registered User
Posts: 1570
Joined: Tue Mar 25, 2008 11:49 am
Location: Australia

Re: How to embed other page

Post by jimdunn »

just to humour me - can you say what it is you want to post ?

There might be an easy solution. :)
some blind fool
Registered User
Posts: 409
Joined: Sat Aug 19, 2006 5:28 pm

Re: How to embed other page

Post by some blind fool »

quick question:
how much less risky is using something like this to attempt locking the use of iframe files to one folder and it's subfolders?

Code: Select all

<iframe src="http://www.mysite.com/path/to/iframe/files/{TEXT}"></iframe>
i have no use for iframes, but curiousity is evil. :)
User avatar
jimdunn
Registered User
Posts: 1570
Joined: Tue Mar 25, 2008 11:49 am
Location: Australia

Re: How to embed other page

Post by jimdunn »

Hello SBF - we meet again :)

As I tried to imply earlier, you can use iframes in a BBcode without any sort of risk.

But the general question about an iframes code implies using it as a General Purpose code - in which case I believe the things I said earlier apply.

But you've probably had less whisky than me - so eLaborate on your evil solution...

:) Jim
some blind fool
Registered User
Posts: 409
Joined: Sat Aug 19, 2006 5:28 pm

Re: How to embed other page

Post by some blind fool »

greetings, jim. indeed we do. :)

well, let's take the current request - "i want to include a file in a post. how?"

it's been pointed out that if we just use this,

Code: Select all

<iframe src="{TEXT}"></iframe>
then someone can come along and include something like this,

Code: Select all

<iframe src="http://www.pornnetwork.com/malicousfile.html">
let's say the file we want to include is located in "http://www.mysite.com/myiframefiles/". if i instead set the iframe bbcode to use

Code: Select all

<iframe src="http://www.mysite.com/myiframefiles/{TEXT}"></iframe>
thus setting a base url for the files included, do we prevent other users from posting something like the not-so-nice link above?

another token might work better, but i don't know them all off-hand. :)

i've definately had less wiskey than you. :D haven't had any alchy yet today...but that sounds like a good idea.
User avatar
jimdunn
Registered User
Posts: 1570
Joined: Tue Mar 25, 2008 11:49 am
Location: Australia

Re: How to embed other page

Post by jimdunn »

As far as I can see, Mr SBF :)

So long as you don't let the user specify the url in the bbCode you construct, it's perfectly safe.
The problem occurs when you let them do so,

I'm by no means expert enough to know when I've opened that gap, so, being the wuss that I am, I'd rather give them other means (ie other bbCodes) than a great big iframe gap.
some blind fool
Registered User
Posts: 409
Joined: Sat Aug 19, 2006 5:28 pm

Re: How to embed other page

Post by some blind fool »

jim,

that's what i think, too. but, i'm in the same boat as far as knowing how problematic iframes can be. i've had one bad experience with them, and that was more than enough. i'd much rather give a bunch of different ways to format text and include graphics than use an iframe for anything.
nadalbg wrote:I desperately want to post something in html and this seems better option than enabling html.
okay, since you're talking about "enabling html" which isn't an option in phpBB 3, i have to ask. are you using phpBB 2? if so, you need a mod to create the iframe bbcode, and will have to hunt it down in the 2.x mod forums. :)
tietai
Registered User
Posts: 5
Joined: Sun Jun 29, 2008 1:46 pm
Contact:

Re: How to embed other page

Post by tietai »

I hadn't considered the risks with allowing iframe code to be used.
User avatar
jimdunn
Registered User
Posts: 1570
Joined: Tue Mar 25, 2008 11:49 am
Location: Australia

Re: How to embed other page

Post by jimdunn »

tietai wrote:I hadn't considered the risks with allowing iframe code to be used.
tietai: Nobody is saying you can't do that (as I'm sure you understand)

The discusion is about whether it's safe, and if so, in what circumstances.

I'm glad you found it interesting enough to follow.
User avatar
Phil
Former Team Member
Posts: 10403
Joined: Sat Nov 25, 2006 4:11 am
Name: Phil Crumm
Contact:

Re: How to embed other page

Post by Phil »

some blind fool wrote:". if i instead set the iframe bbcode to use

Code: Select all

<iframe src="http://www.mysite.com/myiframefiles/{TEXT}"></iframe>
thus setting a base url for the files included, do we prevent other users from posting something like the not-so-nice link above?
You could also do a directory transversal via .. and then log the user out using that method.
Moving on, with the wind. | My Corner of the Web
Locked

Return to “[3.0.x] Support Forum”