MyBB Community Forums Development MyBB 1.8 Development 1.8 Bugs and Issues Pushed v
[Pushed] Custom Profile Field descriptions HTML codes don't show up properly in UserCP

Threaded Mode
[Pushed] Custom Profile Field descriptions HTML codes don't show up properly in UserCP
luiz.schmidt Offline
Posts: 18
Threads: 2
Joined: Apr 2015
Reputation: 0
#1
2015-06-27, 01:24 PM
I've included some HTML in Custom Profile Field descriptions to give instructions to users filling the registration form (bold, red, underline etc). But when a user later edits his/her profile in UserCP the HTML doesn't show up, just plain text (such as "Please type your <b>full</b> name")
Find
Reply
StefanT Offline

Former Staff
Posts: 4,216
Threads: 112
Joined: Jan 2006
Reputation: 109
#2
2015-06-27, 04:24 PM
Using HTML in profile field descriptions is not supported.
[Image: banner.png]
Website Find
Reply
Jones H Away

Former Staff
Posts: 2,833
Threads: 141
Joined: Jan 2012
Reputation: 86
#3
2015-06-27, 04:28 PM
Still a bug if its not escaped on the registration page.
Support PMs will be ignored!
Website Find
Reply
Jones H Away

Former Staff
Posts: 2,833
Threads: 141
Joined: Jan 2012
Reputation: 86
#4
2015-06-27, 04:30 PM
Hi,

Thank you for your report. We have pushed this issue to our Github repository for further analysis where you can track our commits and progress with fixing this bug. Discussions regarding this bug may also take place there too.

Follow this link to visit the issue on Github: https://github.com/mybb/mybb/issues/2091

Thanks for contributing to MyBB!

Regards,
The MyBB Group
Website Find
Reply
luiz.schmidt Offline
Posts: 18
Threads: 2
Joined: Apr 2015
Reputation: 0
#5
2015-06-30, 07:58 PM
Damn, should have kept my mouth shut :-)

Any specific reason not to accept HTML on field descriptions? It's hard to make users follow instructions during registration, you need to call their attention to field rules somehow
Find
Reply
Jones H Away

Former Staff
Posts: 2,833
Threads: 141
Joined: Jan 2012
Reputation: 86
#6
2015-06-30, 08:35 PM
Mostly security related: escape as much as possible and only allow HTML where really necessary. There are quite some fields where it can be helpfull but we also get a lot of reports as soon as something isn't escaped. That's why we usually discuss whether users would benefit from unescaped data and in that specific case it was decided to properly escape it. Also sometimes (like here) those descissions happened when a feature was included but later when that feature is extended the one coding it writes it the other way. And then it's simply "what is done in more places".
Support PMs will be ignored!
Website Find
Reply
groovybluedog Offline
Posts: 378
Threads: 95
Joined: Dec 2009
Reputation: 2
#7
2016-08-10, 12:55 AM
I wish this functionality was in there! I wanted to link a profile field description to a help topic but with both bbcode and HTML disabled, I have to find another way to convey loads of text in a tiny field Confused
MyBB Extras = Nope.
Find
Reply
laie_techie Offline
Posts: 2,064
Threads: 33
Joined: Nov 2005
Reputation: 37
#8
2016-08-12, 06:17 PM
I don't see a major security risk in allowing HTML in a field description as it will be admin entering the value; I see major issues allowing HTML in the user's value / response.

I also noted that somewhat recently HTML is being escaped in security questions. Admin input should be (mostly) trusted, while user input needs to be vetted.
Find
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)