Enable HTML

#1
How to enable HTML in the torrent description?
Please help me.
#2
Post me your details.php.
You can enable BBCode but not HTML, since that would be unsafe and would get you hacked :)
#3
You can use HTML tags too; it's perfectly safe if you implement it intelligently.
To do so, just strip out unwanted tags/attributes from the user input, prior to database escaping/storage. It will be suited to exactly what you want, and you won't have the unnecessary overhead/hassle of BBCode validation -> parsing -> HTML output. Besides, you'll need to strip unwanted tags/attributes and worry about security with BBCode anyway, so you might as well skip the middleman.
#4
Do you really know how dangerous that is?
Have one A** add a simple Java applet, Flash, or you name it, and bam, you've got a world of hurt!!!! Shoot, they can even add a redirect if they want to send your users wherever they want. So think about it: do you really want to allow HTML code in your details?
__________________
Do not ask me to help you work on your site if it is not phpMyBitTorrent. Do not ask me to make a mod for any other source. Do not ask me to set up your site. I will no longer help you set up your site; there is a setup script. If you have trouble with it, post in the forum here or in the BT.Manager™ forum. My current demo is here: http://demo.btmanager.org/
#5
HTML input can be perfectly safe.
I think you're mistaking "badly implemented, unchecked, raw HTML input" for "intelligently secured and whitelisted HTML input". Though granted, BBCode is often easier for the users to understand. If you don't want to allow Flash embedding (and you shouldn't), just don't whitelist those tags. If you don't want the onhover attribute for elements (and again, you shouldn't), just strip those out. There is nothing intrinsically unsafe about HTML descriptions; idiotic developers are where the problem lies.
#6
Quote:
The problem with allowing the injection of HTML is a complicated one. There is no 100% safe method to allow HTML and feel secure. Some of the issues and interactions are:
1. The obviously dangerous tags like SCRIPT and APPLET are not the only danger. Any injection of a URL can be dangerous. Any tag that allows for a URL (e.g., a, img, frame, ...) can be used for cross-site scripting and cookie stealing, which can allow someone to hack into your board.
2. Hackers can use various tricks that would result in a tag getting through the filter imposed by the PHP checker. Possible examples:
a) <sc\0ript> becomes <script>
b) <scr<embed>ipt> becomes <embed> or <script>
3. Then there is the issue of malicious tag attributes and events such as onclick and onmouseup.
Potentially dangerous tags that accept URLs: A, APPLET, AREA, BASE, BGSOUND, BODY, EMBED, FORM, FRAME, IFRAME, ILAYER, IMG, ISINDEX, INPUT, LAYER, LINK, OBJECT, SCRIPT, SOUND, TABLE, TD, TH, TR
#7
Note I said whitelist, m8; that's to avoid any of the headaches you bring up ;) Only idiotic devs go with blacklists, because there's just an incredible amount of stuff you'd need to keep out... compared to the relatively small number you'd want to allow in.

You don't need to care or even know about all the malicious tags if you only go about whitelisting the ones you know are safe. For example, if you only want to allow stylistic tags like <strong> or <em> or <i>, you just whitelist those and scrape out any attributes (like onhover, and everything else you mention). MAGIC, completely secure without even giving a sh*t about h4x0r methods. Everything else would either be removed or escaped (perhaps with an additional system to notify staff when an attempt is made at using malicious tags).

That's essentially what a BBCode system does: it gives you a set of whitelisted HTML tags which are (usually) properly secured against user input. The only thing is my system removes the work of building and maintaining a middleman, as well as the resources used by a BBCode compiling system (however negligible they may be).

As for CSRF/XSS, that's the concern of your site's form input validation, not description stylings, regardless of whether you use raw HTML or a BBCode intermediary. You should definitely implement some nice regex to ensure things like image sources actually look like image sources, but at the end of the day, if your page is insecure, anyone can set up a fake image-like link that redirects the browser to the insecure page. For example, both tbdev/torrentstrike have a hilarious little "bug" you might like. A person can set up a fake avatar.png file which redirects the viewer to tracker.com/logout.php, so the viewer logs out every time they see the avatar. There are other more serious ones, but that's the only one I dare make public :P All are shit security on the developers' part, none of which is involved in their HTML/BBCode jazz.

tl;dr: everything you mentioned is null and void, completely invalid based on what my suggestion actually was. I told the user what they need to do, but I don't know what their codebase is, or even what language their site is based on, so there's not much else I can do.

Also, I'd like to smack your face for considering cookie forgery. Almost all modern browsers are completely secure against any cookie theft method (short of actually hacking into the browser, at which point any of your site-sec is useless anyway). Cookies are locked to domains, so unless the idiot is handing out cookies that work on a wide range of domains (i.e. *.randomfreehost.com), there is no theft. Of course, most tracker coders do seem to be idiots...
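The whitelist approach argued for in #3, #5 and #7, checked against the filter-bypass tricks quoted in #6, as an added example that is not code from this thread or from phpMyBitTorrent. The tracker is PHP, but this is written against Python's standard library so it runs as-is. The allowlisted tags and attributes, the URL policy (absolute http/https or a site-relative path only) and the `rejected` audit list are assumptions made for the example; a real deployment would pick its own sets. The important design point is that the output is rebuilt from parsed tokens rather than produced by deleting patterns from the raw text, so `<sc\0ript>` and `<scr<embed>ipt>` are not special cases that need thinking about.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist policy. These sets are an assumption for this example, not a
# phpMyBitTorrent setting: only these tags survive, only these attributes on
# them, and everything else is dropped rather than "blacklisted".
ALLOWED_TAGS = {"b", "strong", "i", "em", "u", "p", "br", "ul", "ol", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https"}
VOID_TAGS = {"br", "img"}
DROP_CONTENT = {"script", "style"}   # their text content is discarded with them


def safe_url(value):
    """Accept absolute http(s) URLs and site-relative paths, reject the rest.

    Tabs and newlines are removed first because browsers ignore them inside a
    scheme, so "jav\\tascript:" is still a script URL to the browser.
    """
    cleaned = "".join(ch for ch in value.strip() if ch not in "\t\n\r")
    parts = urlparse(cleaned)                 # urlparse lowercases the scheme
    if parts.scheme:
        return parts.scheme in SAFE_SCHEMES
    # scheme-less: allow "/path" but not protocol-relative "//host/path"
    return cleaned.startswith("/") and not cleaned.startswith("//")


class WhitelistSanitizer(HTMLParser):
    """Rebuild the description from parsed tokens instead of filtering text.

    Nothing is copied through verbatim: unknown tags are dropped, text is
    re-escaped, and only allowlisted attributes are re-emitted, so tricks such
    as <sc\\0ript> or <scr<embed>ipt> cannot produce a live tag in the output.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags emitted and not yet closed
        self.skip_depth = 0   # > 0 while inside <script>/<style>
        self.rejected = []    # audit trail of what was dropped, for staff

    def handle_starttag(self, tag, attrs):   # tag and attr names arrive lowercased
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            self.rejected.append(("tag", tag))
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.rejected.append(("tag", tag))
            return
        kept = []
        for name, value in attrs:   # attribute values are already entity-decoded
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.rejected.append(("attr", f"{tag}@{name}"))
            elif name in URL_ATTRS and not safe_url(value):
                self.rejected.append(("url", value))
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        while self.open_tags:   # also close anything opened after it: well-nested output
            opened = self.open_tags.pop()
            self.out.append(f"</{opened}>")
            if opened == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))   # text is always re-escaped

    def handle_comment(self, data):   # comments, doctypes and PIs are dropped
        pass

    handle_decl = handle_pi = handle_comment

    def result(self):
        while self.open_tags:   # close whatever the user left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(description):
    """Return (clean_html, rejected) for a user-supplied torrent description."""
    parser = WhitelistSanitizer()
    parser.feed(description.replace("\x00", ""))   # a NUL would split a tag name
    parser.close()
    return parser.result(), parser.rejected
```

Run `sanitize()` on the description at submission time (before storage, as #3 suggests) and again, or at least escape, on output, so a policy change later also covers old rows. The URL check matters even with a whitelist of tags: an allowlisted `<a>` whose `href` is `javascript:...` runs in the page's own origin when clicked, which is exactly the URL-bearing-tag point the quote in #6 makes, so tag names alone are not the whole policy. The `rejected` list is what you would feed the "notify staff" hook mentioned in #7.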