MyBB Community Forums

Full Version: Is this MyCode secure?
Regex:
\[soundcloud\](.*?)\[/soundcloud\]

Replacement:
<object height="81" width="100%"><param name="movie" value="http://player.soundcloud.com/player.swf?url=$1&amp;show_comments=false"></param><param name="allowscriptaccess" value="always"></param><embed allowscriptaccess="always" height="81" src="http://player.soundcloud.com/player.swf?url=$1&amp;show_comments=false" type="application/x-shockwave-flash" width="100%"></embed></object>


Thanks.
[mycode]"><script>alert("XSS");</script>[/mycode]

Assuming you use the regex of (.*?), then nope. Essentially that means anything is allowed.
That's only pure HTML with one possible replacement spot, not MyCode. As said above, the much more important part is the regex, which you didn't attach. We can't guess if it's secure without it.

If I'm not mistaken, the required input is a link to Soundcloud. So you could use the Easy MyCodes plugin from http://mybbhacks.zingaburga.com in the regex for fully proper sanitisation.
My bad, my regex is the following:
\[soundcloud\](.*?)\[/soundcloud\]

I've edited to: \[soundcloud\]https://soundcloud.com/(.*?)\[/soundcloud\]
Which is secure, correct? Also this tutorial should be removed, as the regex would be insecure: http://community.mybb.com/thread-113184.html
Still no. Anything captured through the (.*?) regex is insecure. I don't know what soundcloud URLs look like, so I can't offer an opinion on which regex to use, but do some googling and you should come up with some good tutorials.

That tutorial probably won't be removed. Almost all tutorials use (.*?) unfortunately.
MyBB does have filtering to prevent people inserting a <script> or JS via other elements (such as onclick), probably because people would do things like .*; that said, I'd still discourage it (it just doesn't feel safe).

I use the following MyCode for Soundcloud:
Regex:
\[soundcloud\](https?:\/\/(www\.)?soundcloud\.com\/[a-z0-9\-\/]*)\[/soundcloud\]
Replacement:
<iframe src="http://w.soundcloud.com/player/?url=$1" width="100%" height="166" scrolling="no" frameborder="no"></iframe>
I recommend the newer HTML5 player/embed over the dated Flash one (Because really, we're in 2013 now). You could probably also change the regex to
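As an added illustration (not code from the thread or from MyBB), the snippet below runs the three regexes posted above against a normal Soundcloud post and against one carrying the breakout string quoted earlier, then checks whether the substituted output contains any tag other than the iframe the template emits. The sample posts, the s/i modifier assumption and the tag check are constructed here; the example applies the regexes to raw text and does not model the HTML filtering MyBB performs before MyCode runs.

```python
import re

# Constructed sample posts (not from the thread). The breakout string in
# EVIL_POST is the one quoted in the thread, placed after a legitimate prefix
# so that the "prefixed" regex below still matches it.
SAFE_POST = "[soundcloud]https://soundcloud.com/some-artist/some-track[/soundcloud]"
EVIL_POST = '[soundcloud]https://soundcloud.com/"><script>alert("XSS");</script>[/soundcloud]'

# The three regexes posted in the thread, in order.
REGEXES = {
    "permissive": r"\[soundcloud\](.*?)\[/soundcloud\]",
    "prefixed": r"\[soundcloud\]https://soundcloud.com/(.*?)\[/soundcloud\]",
    "strict": r"\[soundcloud\](https?:\/\/(www\.)?soundcloud\.com\/[a-z0-9\-\/]*)\[/soundcloud\]",
}

# Replacement from the last post; MyCode's $1 is written as \g<1> for re.sub.
TEMPLATE = ('<iframe src="http://w.soundcloud.com/player/?url=\\g<1>" width="100%" '
            'height="166" scrolling="no" frameborder="no"></iframe>')

# Assumption: custom MyCode is applied as a PCRE pattern with the s and i modifiers.
FLAGS = re.IGNORECASE | re.DOTALL


def capture(post, name):
    """Return what $1 would receive for the named regex, or None if it does not match."""
    m = re.search(REGEXES[name], post, FLAGS)
    return m.group(1) if m else None


def render(post, name):
    """Perform the MyCode substitution; returns None when the regex rejects the post."""
    if capture(post, name) is None:
        return None
    return re.sub(REGEXES[name], TEMPLATE, post, flags=FLAGS)


def injected_tags(rendered):
    """Opening tags in the output other than the iframe the template emits.
    Any extra tag means the captured text broke out of the src="..." attribute."""
    return [t.lower() for t in re.findall(r"<(\w+)", rendered) if t.lower() != "iframe"]


if __name__ == "__main__":
    for name in REGEXES:
        for post in (SAFE_POST, EVIL_POST):
            out = render(post, name)
            verdict = "rejected" if out is None else (injected_tags(out) or "clean")
            print(f"{name:10s} {capture(post, name)!r} -> {verdict}")
```

Only the strict regex rejects the second post; both (.*?) variants hand the breakout string to $1, so anchoring a literal prefix in front of (.*?) does not help.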