[Pushed] Custom Profile Field descriptions HTML codes don't show up properly in UserCP
#1
I've included some HTML in Custom Profile Field descriptions to give instructions to users filling the registration form (bold, red, underline etc). But when a user later edits his/her profile in UserCP the HTML doesn't show up, just plain text (such as "Please type your <b>full</b> name")
Reply
#2
Using HTML in profile field descriptions is not supported.
[Image: banner.png]
Reply
#3
Still a bug if its not escaped on the registration page.
Support PMs will be ignored!
Reply
#4
Hi,

Thank you for your report. We have pushed this issue to our Github repository for further analysis where you can track our commits and progress with fixing this bug. Discussions regarding this bug may also take place there too.

Follow this link to visit the issue on Github: https://github.com/mybb/mybb/issues/2091

Thanks for contributing to MyBB!

Regards,
The MyBB Group
Reply
#5
Damn, should have kept my mouth shut :-)

Any specific reason not to accept HTML on field descriptions? It's hard to make users follow instructions during registration, you need to call their attention to field rules somehow
Reply
#6
Mostly security related: escape as much as possible and only allow HTML where really necessary. There are quite some fields where it can be helpfull but we also get a lot of reports as soon as something isn't escaped. That's why we usually discuss whether users would benefit from unescaped data and in that specific case it was decided to properly escape it. Also sometimes (like here) those descissions happened when a feature was included but later when that feature is extended the one coding it writes it the other way. And then it's simply "what is done in more places".
Support PMs will be ignored!
Reply
#7
I wish this functionality was in there! I wanted to link a profile field description to a help topic but with both bbcode and HTML disabled, I have to find another way to convey loads of text in a tiny field Confused
MyBB Extras = Nope.
Reply
#8
I don't see a major security risk in allowing HTML in a field description as it will be admin entering the value; I see major issues allowing HTML in the user's value / response.

I also noted that somewhat recently HTML is being escaped in security questions. Admin input should be (mostly) trusted, while user input needs to be vetted.
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)