HTML Tags! What's the chance?

Hey Moderators.

What's the chance of CUK re-allowing HTML & Image inserts again? Yes, I know the history that Fortune Green got a little carried away. But according to the latest poll the average age of a CUK Bulletin poster is not far away from pensioner age.

Let's reintroduce HTML inserts for a while, what harm could it do?

MF (the voice of the 'cough' people).
What happens in General, stays in General.
You know what they say about assumptions!

#2
Originally posted by MarillionFan
Hey Moderators.

What's the chance of CUK re-allowing HTML & Image inserts again? Yes, I know the history that Fortune Green got a little carried away. But according to the latest poll the average age of a CUK Bulletin poster is not far away from pensioner age.

Let's reintroduce HTML inserts for a while, what harm could it do?

MF (the voice of the 'cough' people).
and a live cam feed please!
"A people that elect corrupt politicians, imposters, thieves and traitors are not victims, but accomplices," George Orwell



#3
Originally posted by Paddy
and a live cam feed please!
Don't feed the trolls!!!



#4
I don't think that would be a good idea. From a cursory glance at it, the vBulletin HTML sanitisation code might fall some way short of being secure against a variety of nasty attack vectors.

It always surprises me that people think accepting any old HTML is easy; I'm not suggesting that the vBulletin developers think that, but the existence of this thread implies that some people just don't get the risks. For example,

HTML Code:
<IMG SRC=java\0script:alert("XSS")>
can be FTpWn on IE6 (depending on how it's been patched). Replace that alert("XSS") with something like... well, better not say, but I could probably get the cookies of everybody using such an IE6 installation, log in here as any of them, and say some things in their name that they might not agree with.

Cross-site scripting (XSS) is very hard to guard against; even Google, Yahoo!, and Microsoft fall victim to it occasionally. When I was at Y! there was an internal beta that was supposed to have gone through all the internal security reviews, which are unbelievably meticulous. About five minutes after we'd received the email inviting us to try it, my colleague at the next desk burst out laughing and cried "Cross-site scripting in the comments!"

In Y!'s defence, it turned out the project team had made changes after the Paranoids' review; if they hadn't been a bunch of student interns doing a summer project, they would have been summarily dismissed for such a gross breach of security processes. As it was, they learnt that Y! Europe are the ones Y! California have to be wary of.
Last edited by NickFitz; 20 February 2010, 04:58. Reason: Oops, put somebody's name in there :(

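The vector NickFitz quotes works because an old IE ignored the NUL byte inside the scheme, so a sanitiser that compared the raw attribute value against the string "javascript:" let it through while the browser still executed it. As an added example, not code from the thread or from vBulletin, the JavaScript below shows that naive check beside a check that canonicalises the value first and then allows only http(s) or relative URLs. It goes a little beyond the single IE6 case in the post by also covering entity-encoded whitespace and mixed case. All helper names (extractSrc, canonicaliseUrl, naiveSrcIsSafe, strictSrcIsSafe, judgeTag) and all sample tags other than the NUL-byte one are my own constructions.

```javascript
// Added example (not from the thread): why a blocklist check on an <img>
// src is not enough, and an allowlist check that survives the tricks.
// Tag and URL samples below are constructed for the demo; only the
// NUL-byte vector is the one quoted in the post.

// Pull the src attribute out of an <img ...> tag. Handles double-quoted,
// single-quoted and unquoted values; returns null if there is none.
function extractSrc(tag) {
  const m = /<img\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(tag);
  if (!m) return null;
  return m[1] ?? m[2] ?? m[3];
}

// The kind of check a weak sanitiser does: compare the raw value against
// the literal string "javascript:". It never normalises the value, so a NUL
// byte, a tab or an entity in the middle of the scheme slips straight past.
function naiveSrcIsSafe(src) {
  return !src.toLowerCase().startsWith("javascript:");
}

// Canonicalise the way a lenient browser did before acting on the URL:
// decode numeric entities and a couple of named ones, then drop the
// control characters and whitespace that old parsers silently ignored
// inside the scheme, then lowercase.
function canonicaliseUrl(src) {
  const fromCode = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "");
  const decoded = src
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCode(parseInt(d, 10)))
    .replace(/&tab;/gi, "\t")
    .replace(/&newline;/gi, "\n");
  return decoded.replace(/[\u0000-\u0020\u007f]/g, "").toLowerCase();
}

// Allowlist: accept only http(s) URLs or scheme-less (relative) paths.
// Anything else (javascript:, vbscript:, data:, ...) is rejected outright,
// so there is no list of bad schemes to keep up to date.
const ALLOWED_SCHEMES = new Set(["http", "https"]);

function strictSrcIsSafe(src) {
  const canon = canonicaliseUrl(src);
  const m = /^([a-z][a-z0-9+.-]*):/.exec(canon);
  if (!m) return true; // no scheme at all: a relative URL
  return ALLOWED_SCHEMES.has(m[1]);
}

// Run both checks on one tag. A tag with no usable src is dropped by both.
function judgeTag(tag) {
  const src = extractSrc(tag);
  if (src === null) return { naive: false, strict: false };
  return { naive: naiveSrcIsSafe(src), strict: strictSrcIsSafe(src) };
}

// Constructed samples: the thread's vector first, then its cousins.
const SAMPLE_TAGS = [
  '<IMG SRC=java\u0000script:alert("XSS")>',        // NUL inside the scheme
  '<img src="jav&#x09;ascript:alert(1)">',           // entity-encoded tab
  '<img src="JaVaScRiPt:alert(1)">',                 // mixed case
  '<img src="data:image/svg+xml;base64,PHN2Zz4=">',  // non-http scheme
  '<img src="https://example.invalid/avatar.png">',  // legitimate
  '<img src="/images/smilies/wink.gif">',            // legitimate, relative
];

for (const tag of SAMPLE_TAGS) {
  const { naive, strict } = judgeTag(tag);
  console.log(`${strict ? "KEEP" : "DROP"} (naive check said ${naive ? "keep" : "drop"}): ${tag}`);
}
```

The naive check keeps the NUL-byte tag, the tab-entity tag and the data: tag; the allowlist check drops all three and keeps only the two genuine image URLs. The scheme is only one of the things a real sanitiser has to get right (event-handler attributes, style, and malformed tags are others), and it should walk a properly parsed DOM rather than regex over the source as this demo does, but the principle is the same throughout: decode and normalise first, then allow a short list of known-good forms.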


#5
Originally posted by NickFitz
...techie stuff I have not the vaguest comprehension of.....

Drew at the next desk burst out laughing and cried "Cross-site scripting in the comments!"

...other stuff I have not the vaguest comprehension of.....
No Nick, what I said was "Cross stitching, never a dull moment".

Sorry for any misunderstanding.



#6
Originally posted by Drewster
No Nick, what I said was "Cross stitching, never a dull moment".

Sorry for any misunderstanding.
Ah crap, so much for my edit removing his name.

Still, I don't suppose he'll ever see this, or care about it if he does.



#7
You don't need HTML tags for images; vBulletin has an [IMG] tag. It just needs to be re-enabled.



#8
Originally posted by NickFitz
Ah crap, so much for my edit removing his name.

Still, I don't suppose he'll ever see this, or care about it if he does.
C'mon Nick, you disappoint me! Shirley you can edit my post quoting your post to remove the offending word.....
Oh, but that will still leave the possibility of him deducing the reference from my UserName.

Could you edit the CUK database changing all references to my User! (or even just change my UserName)......

Or possibly just leave it!



#9
I'm on a forum which limited what HTML could be used, but allowed the style tag. Someone figured out how to make a post which would change others' avatars, etc.

Another forum I'm on allows you to put arbitrary Flash in your posts/sigs. Hugely annoying, and perhaps a gaping security hole too?
Originally posted by MaryPoppins
I'd still not breastfeed a nazi
Originally posted by vetran
Urine is quite nourishing



#10
Even if it was allowed back, someone would post an offensive image deliberately in order to get it removed.

Not all posters to CUK are altruistic or nice people.
Of all tyrannies, a tyranny sincerely exercised for the good of its victims may be the most oppressive. It would be better to live under robber barons than under omnipotent moral busybodies. The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end for they do so with the approval of their own conscience.

C.S. Lewis
