MyBB Community Forums

MyBB Community Forums > Resources > Tutorials > Add User Title HTML
Full Version: Add User Title HTML
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Pages: 1 2

Vinny

2014-11-14, 02:47 PM
Hello Guys,
In this version of MyBB is present a problem with HTML on User Title, ok, enjoy this mini tutorial for easy fix that.

Go to your FTP and go to "inc/functions_post.php" edit that and go to line 269

The line 269 present that:

$post['usertitle'] = htmlspecialchars_uni($post['usertitle']);

Replace that with:

// $post['usertitle'] = htmlspecialchars_uni($post['usertitle']);

Now go to ACP and on Title of User make an HTML and in postbit is present an image and star!

PS: Thanks to Dvdxseo for help me on italian forum!
PS2: Don't allow the user to change a User Title is a vulnerable for XSS

Bye!

Omar G.

2014-11-14, 03:58 PM
so users can now insert any HTML they want to?

Vinny

2014-11-14, 04:05 PM
(2014-11-14, 03:58 PM)Omar G. Wrote: [ -> ]so users can now insert any HTML they want to?

Yes, in postbit and profile view a result of html code.

Destroy666

2014-11-14, 04:41 PM
And this is called a XSS vulnerability.. You're basically advising other people to make their forum less secure.

Vinny

2014-11-14, 04:44 PM
(2014-11-14, 04:41 PM)Destroy666 Wrote: [ -> ]And this is called a XSS vulnerability.. You're basically advising other people to make their forum less secure.

But i use that for this:
[Image: 04b0e-43addd01-76ab-4643-bf60-2501ce0fc7cd.png]

Not for get another forum less secure.
If you allow a user to change a user title the vulnerability is here but if you don't allow user to change user title the vulnerability is nothing.

Omar G.

2014-11-14, 05:41 PM
I see, so users shouldn't be allowed to change their titles if you do implement this modification. You should probable have mentioned that.

Vinny

2014-11-14, 05:43 PM
Yes i have say:
user allow to change user title? XSS.
user don't allow? Nothing Big Grin

martec

2014-11-15, 03:20 AM
???

why not use User Stars or Group Image for this?

Vinny

2014-11-15, 09:15 AM
(2014-11-15, 03:20 AM)martec Wrote: [ -> ]???

why not use User Stars or Group Image for this?

You with this can stay with star and user title, but i make a graphic title Wink
The user change a graphic title or title for the message write on forum.

ziuma

2014-11-19, 11:58 AM
(2014-11-14, 02:47 PM)Vinny Wrote: [ -> ]Now go to ACP and on Title of User make an HTML and in postbit is present an image and star!

where i find this? can you explain this?

admin control panel - configuration - and what?
Pages: 1 2
MyBB Community Forums > Resources > Tutorials > Add User Title HTML