#1
4th May 2010, 19:20
denys97
Member
Join Date: Mar 2010
P2P
Posts: 1
Enable HTML
How do I enable HTML in torrent descriptions?
Please help me.
#2
5th May 2010, 04:01
Tony
Senior Member
Join Date: Mar 2008
P2P
Posts: 182
Post me your details.php.

You can enable BBCode but not HTML, since that would be unsafe and would get you hacked :)
#3
5th May 2010, 08:57
MrPHP
Senior Member
Join Date: Apr 2010
United States
Posts: 19
You can use HTML tags too; it's perfectly safe if you implement it intelligently.
To do so, just strip out unwanted tags/attributes from the user input prior to database escaping/storage. It will be suited to exactly what you want, and you won't have the unnecessary overhead/hassle of BBCode validation -> parsing -> HTML output. Besides, you'll need to strip unwanted tags/attributes and worry about security with BBCode anyway, so you might as well skip the middleman.
#4
6th May 2010, 07:07
joeroberts
BT.Manager Owner
Join Date: Jan 2008
United States
Posts: 2,113
Quote: Originally Posted by denys97
How do I enable HTML in torrent descriptions?
Please help me.
Do you really know how dangerous that is?
Have one A** add a simple Java, Flash or you-name-it and bam, you've got a world of hurt!!!!
Shoot, they can even add a redirect if they want to send your users wherever they want.

So think about it: do you really want to allow HTML codes in your details?
__________________
Do not ask me to help you work on your site that is not phpMyBitTorrent
Do not ask me to make a mod for any other source
Do not Ask me to setup your site.
I will no longer help you setup your site, there is a setup script if you have trouble with it post in the forum here or in BT.Manager™ forum
My Current Demo is here http://demo.btmanager.org/
#5
6th May 2010, 17:02
MrPHP
Senior Member
Join Date: Apr 2010
United States
Posts: 19
HTML input can be perfectly safe.

I think you're mistaking "badly implemented, unchecked, raw HTML input" with "intelligently secured and whitelisted HTML input".

Though granted, bbcode is often easier for the users to understand. If you don't want to allow flash embedding (and you shouldn't), just don't whitelist those tags.

If you don't want the onhover attribute for elements (and again, you shouldn't), just strip those out. There is nothing intrinsically unsafe about HTML descriptions; idiotic developers are where the problems lie.
#6
8th May 2010, 09:34
joeroberts
BT.Manager Owner
Join Date: Jan 2008
United States
Posts: 2,113
Quote: Originally Posted by MrPHP
HTML input can be perfectly safe.

I think you're mistaking "badly implemented, unchecked, raw HTML input" with "intelligently secured and whitelisted HTML input".

Though granted, bbcode is often easier for the users to understand. If you don't want to allow flash embedding (and you shouldn't), just don't whitelist those tags.

If you don't want the onhover attribute for elements (and again, you shouldn't), just strip those out. There is nothing intrinsically unsafe about HTML descriptions; idiotic developers are where the problems lie.
Funny how you say it is completely safe, then point out 2 you should not allow, but you leave out meta tags and Java tags, and you do not even tell him how to stop them.
The problem with allowing the injection of HTML is a complicated one. There is no 100% safe method to allow HTML and feel secure. Some of the issues and interactions are:

1. The obviously dangerous tags like SCRIPT and APPLET are not the only danger. Any injection of a URL can be dangerous. Any tag that allows for a URL (e.g., a, img, frame, ...) can be used for cross-site scripting and cookie stealing, which can allow someone to hack into your board.

2. Hackers can use various tricks that would result in a tag getting through the filter imposed by the PHP checker. Possible examples:
a) <sc\0ript> becomes <script>
b) <scr<embed>ipt> becomes <embed> or <script>

3. Then there is the issue of malicious tag attributes and events such as onclick and onmouseup.
Potentially dangerous tags that accept URLs:
A, APPLET, AREA, BASE, BGSOUND, BODY, EMBED, FORM, FRAME, IFRAME, ILAYER, IMG, ISINDEX, INPUT, LAYER, LINK, OBJECT, SCRIPT, SOUND, TABLE, TD, TH, TR

Quote: idiotic developers are where the problems lie

#7
8th May 2010, 21:04
MrPHP
Senior Member
Join Date: Apr 2010
United States
Posts: 19
Note I said whitelist m8, that's to avoid any of the headaches you bring up ;) Only idiotic devs go with blacklists, because there's just an incredible amount of stuff you'd need to keep out... compared to the relatively small number you'd want to allow in.

You don't need to care or even know about all the malicious tags if you only go about whitelisting the ones you know are safe. For example, if you only want to allow stylistic tags like <strong> or <em> or <i>, you just whitelist those and scrape out any attributes (like onhover, and everything else you mention). MAGIC, completely secure without even giving a sh*t about h4x0r methods. Everything else would either be removed or escaped (perhaps with an additional system to notify staff when an attempt is made at using malicious tags).

That's essentially what a bbcode system does: it gives you a set of whitelisted HTML tags which are (usually) properly secured against user input. The only thing is my system removes the work of building and maintaining a middleman, as well as the resources used by a bbcode compiling system (however negligible it may be).

As for CSRF/XSS, that's the concern of your site's form input validation, not description stylings, regardless of whether you use raw HTML or a bbcode intermediary. You should definitely implement some nice regex to ensure things like image sources actually look like image sources, but at the end of the day if your page is insecure, anyone can set up a fake image-like link that redirects the browser to the insecure page. For example, both tbdev/torrentstrike have a hilarious little "bug" you might like. A person can set up a fake avatar.png file which redirects the viewer to tracker.com/logout.php, so the viewer logs out every time they see the avatar. There are other more serious ones, but that's the only one I dare make public :P All are shit security on the developers' part, none of which is involved in their html/bbcode jazz.

tl;dr: everything you mentioned is null and void, completely invalid based on what my suggestion actually was. I told the user what they need to do, but I don't know what their codebase is, or even what language their site is based on, so there's not much else I can do.

Also, I'd like to smack your face for considering cookie forgery; almost all modern browsers are completely secure against any cookie theft method (short of actually hacking into the browser, at which point any of your site-sec is useless anyway). Cookies are locked to domains, so unless the idiot is handing out cookies that work on a wide range of domains (i.e. *.randomfreehost.com), there is no theft. Of course, most tracker coders do seem to be idiots...
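The whitelist approach MrPHP describes in #7 (keep a few stylistic tags, drop every attribute, escape everything else) is what defeats the filter-evasion tricks joeroberts lists in #6 (<sc\0ript>, <scr<embed>ipt>, event attributes such as onclick): because the fragment is rebuilt from parsed tokens rather than patched with a blacklist regex, anything the parser did not recognise as an allowed tag comes out as harmless escaped text. The sanitizer below is an added example and is not code from this thread or from Torrent Strike/TBDev; it is written in Python (the trackers discussed are PHP) so it runs stand-alone, and the allowed-tag set, the NUL-stripping step and the sample descriptions are assumptions constructed for the demonstration.

```python
"""Allowlist HTML sanitizer for user-supplied torrent descriptions.

Added example, not code from the thread or from any tracker source.
Keeps a small set of formatting tags, drops every attribute and
escapes everything else, then records what it rejected so staff can
be notified of attempts to use disallowed tags.
"""
import html
import re
from html.parser import HTMLParser

# Assumed allowlist: purely stylistic tags, none of which take a URL.
ALLOWED_TAGS = {"strong", "em", "i", "b", "u", "p", "br"}
VOID_TAGS = {"br"}

# Matches anything that still looks like a tag in the OUTPUT; used as a
# post-condition check that only allowlisted tags survived sanitizing.
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][^\s/>]*)")


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the fragment from parsed tokens instead of regex-patching
    the raw string, so <scr<embed>ipt> never reassembles into a live tag:
    whatever is not an allowed tag is emitted as escaped text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized output pieces
        self.open_tags = []  # stack of allowed tags still open
        self.rejected = []   # audit trail of stripped tags/attributes

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            if attrs:  # every attribute is dropped, even on allowed tags
                self.rejected.append(f"attributes on <{tag}>: {attrs}")
            self.out.append(f"<{tag}>")
            if tag not in VOID_TAGS:
                self.open_tags.append(tag)
        else:
            self.rejected.append(f"tag <{tag}>")
            self.out.append(html.escape(self.get_starttag_text() or ""))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            if tag in self.open_tags:
                # Close intermediate tags too so the output stays well-formed.
                while self.open_tags:
                    closed = self.open_tags.pop()
                    self.out.append(f"</{closed}>")
                    if closed == tag:
                        break
            # A closing tag with no matching opener is silently dropped.
        else:
            self.rejected.append(f"tag </{tag}>")
            self.out.append(html.escape(f"</{tag}>"))

    def handle_data(self, data):
        # Text (already entity-decoded by the parser) is re-escaped.
        self.out.append(html.escape(data, quote=False))

    # Comments, <!DOCTYPE ...>, <?...?> and CDATA sections are dropped.
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass

    def unknown_decl(self, data):
        pass

    def close(self):
        super().close()
        while self.open_tags:  # close anything the author left open
            self.out.append(f"</{self.open_tags.pop()}>")


def sanitize_with_report(text):
    """Return (safe_html, rejected_items) for one raw description."""
    # Assumption: NUL bytes are noise and are removed before parsing, so the
    # tag name the allowlist checks is the one left after tricks like <sc\0ript>.
    text = text.replace("\x00", "")
    parser = AllowlistSanitizer()
    parser.feed(text)
    parser.close()
    return "".join(parser.out), parser.rejected


def sanitize(text):
    return sanitize_with_report(text)[0]


def only_allowed_tags(fragment):
    """Post-condition: every tag-like token in the output is allowlisted."""
    return all(m.group(1).lower() in ALLOWED_TAGS for m in TAG_RE.finditer(fragment))


if __name__ == "__main__":
    # Constructed sample descriptions, including the evasion tricks from #6.
    samples = [
        '<strong onmouseover="alert(1)">Release notes</strong> <a href="http://example.invalid">site</a>',
        "<sc\x00ript>alert(1)</script>",
        "<scr<embed>ipt>alert(1)</script>",
        "<em>unclosed, and 5 < 6 & 7",
    ]
    for raw in samples:
        safe, rejected = sanitize_with_report(raw)
        assert only_allowed_tags(safe)
        print(repr(raw), "->", safe, "| rejected:", rejected)
```

The output is checked by `only_allowed_tags` rather than by looking for known-bad names, which is the practical difference between an allowlist and joeroberts' list of dangerous tags: the sanitizer never needs that list to stay complete. Attributes are dropped even on allowed tags, so the "onhover"-style event handlers and any URL-bearing attribute go with them, and the `rejected` list gives the staff-notification hook MrPHP mentions.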