HTML/BBcode in Signature not working

Posted: Wed May 12, 2004 5:35 pm

I think I'd cruise the phpbb forum and see if this is an issue there. I'm guessing its the way they htmlspecialchars() all post variables or something but I don't have time to really dig into it just now.

PS:
Don't post the question they don't like questions regarding ported versions!

Posted: Thu May 13, 2004 7:00 am

Ok this turns out to be a no brainer.
Make sure you add img to the allowed html in configuration.

Posted: Thu May 13, 2004 7:04 am

This is why I prefere the kses filter because it gives us conrtol over which attributes we are to allow for the tag in question. Its a pretty sure bet that without it the img tag would be exploited by some snert Exclamation

Regular Joined: Oct 22, 2003 Posts: 59

Ok, will give this a shot and will report back... thanks

Posted: Thu May 13, 2004 8:24 am

Ok to make this a little simpler and a little more complete I came up with the following additions.

To avoid loading the allowed arrays and stripslashes function when its not needed add it to the beginning of kses.php rather then mainfile.php (We have to include kses.php anyplace we are using those anyway).

To add some security to the rest of the post in includes/functions_post.php
after
if (!defined('IN_PHPBB'))
{
die('Hacking attempt');
}
add
include("../kses.php");
around line 202 you will find
if (!empty($message))
{
$bbcode_uid = ($bbcode_on) ? make_bbcode_uid() : '';
$message = prepare_message(trim($message), $html_on, $bbcode_on, $smilies_on, $bbcode_uid);
}
See line added below.
if (!empty($message))
{
$bbcode_uid = ($bbcode_on) ? make_bbcode_uid() : '';
// add the following line
$message = kses(my_stripslashes($message, $allowed));
$message = prepare_message(trim($message), $html_on, $bbcode_on, $smilies_on, $bbcode_uid);
}

This should clean any html in the post messages making it safe to have html enabled Razz

At least thats my story and I'm stickin to it Twisted Evil

.

A simple test to verify it is working would be to comment out the line for img tags in the allowed array then try to post an image. If its working the image should not be allowed now. Remove the comments and you should be able to post images.

The only anomoly I have found is the maxlen doesn't seem to effect the length of urls posts unless they are using the <a href format. I assume the auto url code uses bbcode or a different format of some sort for urls maybe I'll look at it sometime but not today Razz

Comments???

Client Joined: Jan 29, 2004 Posts: 624

sixonetonoffun wrote:

To add some security to the rest of the post in includes/functions_post.php
after
if (!defined('IN_PHPBB'))
{
die('Hacking attempt');
}
add...

Looks good. How might one call Raven's hack alert in that code instead of
die('Hacking attempt')?

Posted: Sun May 16, 2004 10:06 am

One more note here is that to use the dynamic siggy it may be you have to put the dynamic file in a directory of its own named as index.php and have the directory named mycoolsig.jpg that should fool the filters but now what else can we run from there? Uhg! I'm oughta here.

Posted: Sun May 16, 2004 10:19 am

Just a hypothetical question, my last post. Smile

This is all very good and I plan to utilize it on my site. I'm thinking now of using the random avatar thingie in signatures...

Posted: Sun May 16, 2004 10:29 am

Posted: Sun May 16, 2004 4:32 pm

Hehe Great minds think alike. Smile

Posted: Wed Jun 02, 2004 8:47 pm

Now, why doesn't bbcode or html work for me here in sigs??
Sentinel ™