Not Solved [Still unsolved] HTML in profile fields?
#5
(2014-12-19, 07:37 PM) Destroy666 Wrote:
(2014-12-19, 07:12 PM) Orianthi Wrote: I don't think allowing HTML and CSS is a wise idea. You can import iframes and scripts into the field, thus making your site vulnerable.

If you enable the option I mentioned, using scripts is impossible since they're blocked by the parser.

Not true. The parser is a blacklist, not a whitelist. There are lots of ways to bypass it -- one of the reasons it was planned to use HTML Purifier in 1.8 but it doesn't look like it was implemented.
No longer involved in the MyBB project.
Messages In This Thread
RE: HTML in profile fields? - by Destroy666 - 2014-12-19, 07:06 PM
RE: HTML in profile fields? - by VoIP - 2014-12-19, 07:12 PM
RE: HTML in profile fields? - by Destroy666 - 2014-12-19, 07:37 PM
RE: HTML in profile fields? - by Nathan Malcolm - 2014-12-19, 07:46 PM
RE: HTML in profile fields? - by Leviathan - 2014-12-19, 08:21 PM