March 28th, 2006, 12:46 AM
Any Safe Way to Enable HTML on my vBulletin forum?
I am wondering about this. Also, where might I find more info on the reason HTML should be disabled in forums?
March 28th, 2006, 12:57 AM
To enable HTML without being scared of somebody "hacking" your forum, simply put these in the censor field in the admin control panel. This way if somebody tries to use these, it will replace them with **** and in return won't work.
*crosses fingers that code tags show the code*
This should work, but members who really know what they're doing can and most likely will find a way around the word censor.
<iframe </iframe <link </link <basefont </basefont <base </base <td </td <tr </tr <th </th <tfoot </tfoot <tbody </tbody <thead </thead <table </table <body </body <meta </meta <div </div <style </style <script </script <html </html <plaintext </plaintext <xmp </xmp <object <noframes <noembed <noscript <nojava onload onMouseover
March 28th, 2006, 05:22 AM
There isn't a safe way to enable HTML, IMO. With any room for HTML in data validation there's enough room to insert script. It's way too complicated to have smart filtering against scripts when HTML is enabled at all. I don't know of any practical way to do it. If you follow front2back's advice, you'll be pretty wide open to attack. Sorry!
Look into OWASP filters, but that's not what you want, since you're doing the opposite. Oh well.
March 28th, 2006, 07:41 AM
I do not know about vBulletin specifically, but there is only one way to safely allow HTML or any other code.
You can see how this is an exercise in uselessness?
You have to treat every single post as if it were within code tags.
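
Added example, not part of any post in this thread: a comparison of the word-censor approach with escaping every post on output ("as if it were within code tags"). The censor list is a subset of the one posted above; the function names, the case-insensitive matching and the sample posts are assumptions made for illustration.

```javascript
// Censor list (subset of the entries posted in the thread).
const CENSOR = ["<iframe", "<script", "</script", "<object", "<style", "<div",
                "<table", "<td", "onload", "onMouseover"];

// Word-censor approach: replace each listed string with asterisks.
// Assumption: case-insensitive literal matching (the forum's censor may differ).
function censor(post) {
  let out = post;
  for (const word of CENSOR) {
    const re = new RegExp(word.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"), "gi");
    out = out.replace(re, "*".repeat(word.length));
  }
  return out;
}

// "Treat every post as if it were within code tags": escape the
// HTML-significant characters so the browser shows markup as text.
function escapeHtml(post) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return post.replace(/[&<>"']/g, (c) => map[c]);
}

// True if the string still contains something a browser would parse as a tag.
function hasLiveTag(html) {
  return /<[a-zA-Z\/!]/.test(html);
}

// Constructed sample posts.
const samples = [
  "<script>alert(1)</script>",              // tag is on the censor list
  '<img src="x" onerror="alert(1)">',       // tag and handler are not on the list
  "Why does my onload handler never fire?", // ordinary question, no markup
];

function report() {
  return samples.map((post) => ({
    post,
    censored: censor(post),
    liveAfterCensor: hasLiveTag(censor(post)),
    escaped: escapeHtml(post),
    liveAfterEscape: hasLiveTag(escapeHtml(post)),
  }));
}

console.table(report());
```

The second sample passes through the censor unchanged and still parses as a tag, while the third, an ordinary question, gets mangled; escaping leaves no live markup in any of the three and does not touch plain text.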