Bravo List

Bravo List (http://www.bvlist.com/index.php) > Torrent Strike (http://www.bvlist.com/forumdisplay.php?f=21) > Enable HTML (http://www.bvlist.com/showthread.php?t=4924)

denys97 4th May 2010 19:20

Enable HTML
 
How to enable HTML in torrent description?
Please help me.

Tony 5th May 2010 04:01

Post me your details.php.

You can enable bbcode but not HTML, since that would be unsafe and would get you hacked :)

MrPHP 5th May 2010 08:57

You can use HTML tags too, it's perfectly safe if you implement it intelligently.
To do so, just strip out unwanted tags/attributes from the user input, prior to database escaping/storage. It will be suited to exactly what you want, and you won't have the unnecessary overhead/hassle of bbcode validation->parsing->html output. Besides, you'll need to strip unwanted tags/attributes and worry about security with bbcode anyway, so you might as well skip the middleman.
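
The allow-list approach described above, as an added example that is not code from this thread or from the Torrent Strike tracker: a parser-based sanitizer that keeps only listed tags and attributes, re-escapes all text, and drops URL-bearing attributes unless they are absolute http(s) links. It is written in Python rather than PHP so it can be run as-is; the tag list, the http(s)-only rule and the `Sanitizer` name are my own assumptions.

```python
# Added example, not code from the thread or the tracker: an allow-list HTML sanitizer.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attributes that may survive. Anything not listed is removed (tag, not its text).
ALLOWED = {"b": set(), "i": set(), "u": set(), "p": set(), "br": set(),
           "ul": set(), "li": set(), "a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}     # attributes that carry a URL and need a scheme check
VOID = {"br", "img"}            # tags that take no closing tag

def safe_url(value):
    """Accept only absolute http(s) URLs; javascript:, data:, vbscript: ... are rejected."""
    # Browsers ignore tabs/newlines inside a scheme ("java\tscript:"), so strip them first.
    cleaned = "".join(c for c in value if c.isprintable() and not c.isspace())
    try:
        return urlparse(cleaned).scheme.lower() in {"http", "https"}
    except ValueError:          # malformed URL (e.g. unbalanced IPv6 brackets)
        return False

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack = [], []   # output chunks, currently open allowed tags

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases names, so <ScRiPt> and ONERROR= are caught as well.
        if tag not in ALLOWED:
            return                      # tag dropped; its text content still passes
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED[tag] or (name in URL_ATTRS and not safe_url(value)):
                continue                # drops on*, style, unsafe or relative URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.stack:           # close down to the match to stay well-formed
            while (t := self.stack.pop()) != tag:
                self.out.append(f"</{t}>")
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text nodes are always re-escaped

def sanitize(fragment):
    """Return a cleaned HTML fragment; unclosed allowed tags are closed at the end."""
    p = Sanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out) + "".join(f"</{t}>" for t in reversed(p.stack))
```

Run this on the description before it is escaped for the database, as the post above suggests; comments, doctype and processing-instruction nodes are discarded by the parser's default handlers.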

joeroberts 6th May 2010 07:07

Quote:

Originally Posted by denys97 (Post 22832)
How to enable HTML in torrent description?
Please help me.

Do you really know how dangerous that is?
Have one a** add a simple Java, Flash or you-name-it and bam, you've got a world of hurt!!!!
Shoot, they can even add a redirect if they want to send your users wherever they want.

So think about it: do you really want to allow HTML code in your details?

MrPHP 6th May 2010 17:02

HTML input can be perfectly safe.

I think you're mistaking "badly implemented, unchecked, raw HTML input" with "intelligently secured and whitelisted HTML input".

Though granted, bbcode is often easier for the users to understand. If you don't want to allow flash embedding (and you shouldn't), just don't whitelist those tags.

If you don't want the onhover attribute for elements (and again, you shouldn't), just strip those out. There is nothing intrinsically unsafe about HTML descriptions; idiotic developers are where the problems lie.

joeroberts 8th May 2010 09:34

Quote:

Originally Posted by MrPHP (Post 22874)
HTML input can be perfectly safe.

I think you're mistaking "badly implemented, unchecked, raw HTML input" with "intelligently secured and whitelisted HTML input".

Though granted, bbcode is often easier for the users to understand. If you don't want to allow flash embedding (and you shouldn't), just don't whitelist those tags.

If you don't want the onhover attribute for elements (and again, you shouldn't), just strip those out. There is nothing intrinsically unsafe about HTML descriptions; idiotic developers are where the problems lie.

Funny how you say it is completely safe, then point out two you should not allow, but you leave out meta tags and java tags and you do not even tell him how to stop them.
The problem with allowing the injection of HTML is a complicated one. There is no 100% safe method to allow HTML and feel secure. Some of the issues and interactions are:

1. The obviously dangerous tags like SCRIPT and APPLET are not the only danger. Any injection of a URL can be dangerous. Any tag that allows for a URL (e.g., a, img, frame, ...) can be used for cross-site scripting and cookie stealing, which can allow someone to hack into your board.

2. Hackers can use various tricks that would result in a tag getting through the filter imposed by the PHP checker. Possible examples:
a) becomes