Allowing (some) HTML in posts

TonyG (Newbie)
Joined: 07 August 2009
Location: Extremadura
Status: Offline
Points: 5
Posted: 17 August 2009 at 12:33pm
I need to allow some HTML in my forum.
Nothing really dangerous; some tables, fonts, img and little more.

I have enabled blnHTMLView in RTE_setup

This is my test post



It seems OK,

BUT when posted it looks like this



And coming back to edit I find



Background color has gone... and a pair of <t> have appeared.

Any ideas about this?
Thanks in advance



WebWiz-Bruce (Admin Group, Web Wiz Developer)
Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844
Posted: 17 August 2009 at 1:09pm
The forum is built as a way to discuss with other people and not as a design tool.

This means that HTML content that is not going to aid discussions and unsafe HTML is stripped from posts by the security filters.

You can edit the file functions/unsafe_HTML_tags_inc.asp to change what is stripped from posts, however you should be very careful as you would be very surprised what can be used to launch XSS Hacks against forums including quite a lot of CSS that you would use for styling.

TonyG (Newbie)
Joined: 07 August 2009
Location: Extremadura
Status: Offline
Points: 5
Posted: 17 August 2009 at 2:14pm
I know you're right, and I don't like the idea very much but many users of the old forum love using tables inside tables with backgrounds over backgrounds (all they saw in MSN groups).
I am planning to build a new forum and WWF seems a good choice, but if I cannot give them tables and tables (and very few other things, I promise) I would need another software.

I've changed saryUnSafeHTMLtags(108) = "bgColor" in unsafe_HTML_tags_inc and the background now works.
I hope that won't open a security hole Nuke

I'll take a look at "XSS Hacks"

Thanks for your advice

123Simples (Senior Member)
Joined: 08 July 2007
Location: United Kingdom
Status: Offline
Points: 1192
Posted: 17 August 2009 at 5:54pm
Hi TonyG

Welcome to Web Wiz
As Bruce says forums are by nature a discussion tool and hence what you maybe want - I'm not sure any other forum software worth its salt, will allow you to do this. Yes I expect you can edit out unsafe tags left right and centre, but then you also risk having your forum (perhaps your site, even your server) compromised so I would suggest caution rather than whether or not a table has a pretty colour to it

However, I've seen something similar done on other forums where tables and such are used



Wink Personally I'd settle for security first, tables second

TonyG (Newbie)
Joined: 07 August 2009
Location: Extremadura
Status: Offline
Points: 5
Posted: 18 August 2009 at 2:54pm
Unfortunately, MrTWS, most of the posts in the forum that is currently running are something like this:



And this is what they want in the new forum.
Security? Who cares!
It's only me who has to deal with that.

Most of this "artistics" is done with table, border and background, cellspacing and cellpadding.
I don't think these tags to be specially dangerous, but I might be wrong.
I'm planning to enable as few tags as possible in order to keep risk at an acceptable level.

The "old" forum has been running since 2005 with few problems using tables inside tables inside tables with classes that don't exist, div's, p's, font's...
Maybe we have been lucky all this time.

Ah! I almost forget. Another thing they love is playing music. Bgsound is their favourite (I hate it).

It's not my choice, it's only my work.

I understand you both. I hope you understand me.



WebWiz-Bruce (Admin Group, Web Wiz Developer)
Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844
Posted: 18 August 2009 at 4:22pm
If you are not concerned about security then you can remove as much as you like from the unsafe HTML file which should allow everything you want.

However you should certainly leave in things like Script, JavaScript, VbScript, and IFrame as these are the most common things XSS Hackers will use.
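
An added illustration of the trade-off discussed in this thread (not Web Wiz Forums code and not written by any poster): rather than deleting entries from a list of unsafe tags, this Python example keeps only an explicit allowlist of tags and attributes, so table markup and bgcolor survive while script, iframe, event handlers and style are dropped. The allowlist contents, the names `sanitize` and `safe_url`, and the sample post are assumptions made for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist (not the forum's own list): tag -> attributes permitted.
ALLOWED = {
    "table": {"bgcolor", "border", "cellspacing", "cellpadding", "width"},
    "tr": {"bgcolor"}, "td": {"bgcolor", "width", "colspan", "rowspan"},
    "font": {"color", "size", "face"}, "img": {"src", "alt", "width", "height"},
    "b": set(), "i": set(), "p": set(), "br": set(),
}
VOID = {"img", "br"}                                    # no closing tag emitted
DROP_CONTENT = {"script", "style", "iframe", "object"}  # body discarded too

def safe_url(value):
    try:  # scheme allowlist: rejects javascript:, vbscript:, data:, relative
        return urlsplit(value.strip()).scheme in ("http", "https")
    except ValueError:
        return False

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED:
            return  # unlisted tag is dropped; its text still goes to handle_data
        kept = [f' {n}="{escape(v or "", quote=True)}"' for n, v in attrs
                if n in ALLOWED[tag] and (n != "src" or safe_url(v or ""))]
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(post_html):
    parser = AllowlistSanitizer()
    parser.feed(post_html)
    parser.close()
    return "".join(parser.out)

# Constructed sample post, not taken from the thread.
SAMPLE = '<td bgColor="#fc0" onclick="x()">Hi<script>x()</script></td><img src="javascript:x()">'
```

Calling `sanitize(SAMPLE)` keeps the cell and its background colour and drops the handler, the script body and the `javascript:` source. An unclosed tag from `DROP_CONTENT` suppresses everything after it, which fails closed.
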

TonyG (Newbie)
Joined: 07 August 2009
Location: Extremadura
Status: Offline
Points: 5
Posted: 18 August 2009 at 9:00pm
Thanks to both of you for your advice.
I'll be as careful as possible. I promise Wink

123Simples (Senior Member)
Joined: 08 July 2007
Location: United Kingdom
Status: Offline
Points: 1192
Posted: 19 August 2009 at 6:36pm
Good luck Tony