Ravens PHP Scripts: Forums
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> Raven's v7.0 Customized Distro
sixonetonoffun
Spouse Contemplates Divorce


Joined: Jan 02, 2003
Posts: 2496

PostPosted: Wed May 12, 2004 5:35 pm

I think I'd cruise the phpBB forum and see if this is an issue there. I'm guessing it's the way they htmlspecialchars() all post variables or something, but I don't have time to really dig into it just now.

PS:
Don't post the question there; they don't like questions regarding ported versions!
 
sixonetonoffun
PostPosted: Thu May 13, 2004 7:00 am

OK, this turns out to be a no-brainer.
Make sure you add img to the allowed HTML in configuration.
 
sixonetonoffun
PostPosted: Thu May 13, 2004 7:04 am

This is why I prefer the kses filter, because it gives us control over which attributes we are to allow for the tag in question. It's a pretty sure bet that without it the img tag would be exploited by some snert!
 
Pride
Regular


Joined: Oct 22, 2003
Posts: 59

PostPosted: Thu May 13, 2004 7:45 am

OK, will give this a shot and will report back... thanks
 
sixonetonoffun
PostPosted: Thu May 13, 2004 8:24 am

OK, to make this a little simpler and a little more complete, I came up with the following additions.

To avoid loading the allowed arrays and the stripslashes function when they're not needed, add them to the beginning of kses.php rather than mainfile.php (we have to include kses.php anyplace we are using those anyway).

To add some security to the rest of the post, in includes/functions_post.php, after

    if (!defined('IN_PHPBB'))
    {
        die('Hacking attempt');
    }

add

    include("../kses.php");

Around line 202 you will find

    if (!empty($message))
    {
        $bbcode_uid = ($bbcode_on) ? make_bbcode_uid() : '';
        $message = prepare_message(trim($message), $html_on, $bbcode_on, $smilies_on, $bbcode_uid);
    }

See the line added below.

    if (!empty($message))
    {
        $bbcode_uid = ($bbcode_on) ? make_bbcode_uid() : '';
        // add the following line: strip the slashes the form handling added,
        // then run the message through kses() with the $allowed array from kses.php
        $message = kses(my_stripslashes($message), $allowed);
        $message = prepare_message(trim($message), $html_on, $bbcode_on, $smilies_on, $bbcode_uid);
    }

This should clean any HTML in the post messages, making it safe to have HTML enabled. At least that's my story and I'm stickin' to it.

A simple test to verify it is working would be to comment out the line for img tags in the allowed array, then try to post an image. If it's working, the image should not be allowed now. Remove the comments and you should be able to post images.

The only anomaly I have found is that the maxlen doesn't seem to affect the length of URLs in posts unless they are using the <a href format. I assume the auto-URL code uses BBCode or a different format of some sort for URLs. Maybe I'll look at it sometime, but not today.

Comments???
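As an added illustration of what the kses-style filtering in this post does (this is a Python sketch written for this page, not the kses library, Raven's distro, or phpBB code), here is a small allowlist filter: each tag lists the attributes it may carry, with a maxlen or maxval constraint, and URL attributes are restricted to allowlisted schemes. The ALLOWED array, the protocol list and the sample post are constructed for the example. The img_check() function reproduces the test described above: the same image post filtered with img in the allowlist and with img taken out of it.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist in the shape of a kses $allowed array: tag -> attribute
# -> constraints. It is an example for this post, not the array from the distro.
ALLOWED = {
    "b": {},
    "i": {},
    "a": {"href": {"maxlen": 100}, "title": {"maxlen": 50}},
    "img": {
        "src": {"maxlen": 100},
        "alt": {"maxlen": 50},
        "width": {"maxval": 800},
        "height": {"maxval": 600},
    },
}
# Schemes a URL-bearing attribute (href, src) may use; relative URLs are fine.
ALLOWED_PROTOCOLS = {"http", "https", "ftp", "mailto"}
URL_ATTRS = {"href", "src"}


def scheme_ok(url):
    """Reject URLs whose scheme is not allowlisted, after stripping the
    control characters and spaces that are sometimes used to hide one."""
    cleaned = re.sub(r"[\x00-\x20]", "", url)
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in ALLOWED_PROTOCOLS


class AllowlistFilter(HTMLParser):
    """Rebuilds the input keeping only allowlisted tags and, on those tags,
    only allowlisted attributes that satisfy their constraints. Text inside a
    dropped tag is kept but entity-escaped, so it cannot turn back into markup."""

    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed = allowed
        self.out = []

    def attr_ok(self, rules, name, value):
        if name not in rules:
            return False  # attribute not allowed on this tag (e.g. onerror)
        rule = rules[name]
        if "maxlen" in rule and len(value) > rule["maxlen"]:
            return False
        if "maxval" in rule and (not value.isdigit() or int(value) > rule["maxval"]):
            return False
        if name in URL_ATTRS and not scheme_ok(value):
            return False
        return True

    def emit_tag(self, tag, attrs, self_closing=False):
        rules = self.allowed.get(tag)
        if rules is None:
            return  # tag not allowed: dropped entirely, its text content stays
        kept = ""
        for name, value in attrs:
            value = "" if value is None else value
            if self.attr_ok(rules, name, value):
                kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}{' /' if self_closing else ''}>")

    def handle_starttag(self, tag, attrs):
        self.emit_tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self.emit_tag(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        if tag in self.allowed:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def kses_like(html_in, allowed=ALLOWED):
    """Filter a post body the way the post above runs it through kses()."""
    parser = AllowlistFilter(allowed)
    parser.feed(html_in)
    parser.close()
    return "".join(parser.out)


def img_check():
    """The check described above: one image post (constructed) filtered with
    img in the allowlist and again with img removed. Returns both results."""
    post = '<img src="http://example.invalid/sig.jpg" alt="sig" onerror="run()">'
    without_img = {tag: rules for tag, rules in ALLOWED.items() if tag != "img"}
    return kses_like(post), kses_like(post, without_img)


if __name__ == "__main__":
    with_img, no_img = img_check()
    print("img allowed:", with_img)
    print("img removed:", repr(no_img))
    print(kses_like('<a href="javascript:alert(1)" title="t">link</a>'))
    print(kses_like('<b>ok</b><script>alert(1)</script>'))
```

The per-attribute table is the point of the thread's preference for kses over a bare tag list: with img allowed, the src and alt survive while the onerror handler is dropped, and an href with a non-allowlisted scheme is dropped from an otherwise permitted a tag.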
 
southern
Client


Joined: Jan 29, 2004
Posts: 591
Location: Texas

PostPosted: Sat May 15, 2004 5:31 pm

sixonetonoffun wrote:
To add some security to the rest of the post in includes/functions_post.php
after
if (!defined('IN_PHPBB'))
{
die('Hacking attempt');
}
add...


Looks good. How might one call Raven's hack alert in that code instead of
die('Hacking attempt')?
 
sixonetonoffun
PostPosted: Sun May 16, 2004 10:06 am

One more note here: to use the dynamic siggy, it may be that you have to put the dynamic file in a directory of its own, named index.php, and have the directory named mycoolsig.jpg. That should fool the filters, but now what else can we run from there? Ugh! I'm outta here.
 
southern
PostPosted: Sun May 16, 2004 10:19 am

Just a hypothetical question, my last post. This is all very good and I plan to utilize it on my site. I'm thinking now of using the random avatar thingie in signatures...
 
sixonetonoffun
PostPosted: Sun May 16, 2004 10:29 am

[image]
 
southern
PostPosted: Sun May 16, 2004 4:32 pm

Hehe, great minds think alike.
 
southern
PostPosted: Wed Jun 02, 2004 8:47 pm

Now, why doesn't BBCode or HTML work for me here in sigs??
Sentinel ™
 

Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours