HTML

Posted: Thu Jan 14, 2010 10:47 am
by Damasta
I have HTML enabled in my profile, but whenever I'm posting it shows as being OFF and it doesn't work when I try to post with HTML tags. Is there a way to fix this? Or am I misunderstanding something?

Posted: Thu Jan 14, 2010 1:37 pm
by bobtheenchantedone
Hmm. Let me do some checking...

...yep. On the Admin Panel HTML is set to 'off,' and your preferences will be overridden. Is there any good reason to not allow HTML? If not, I'll change it.

Posted: Fri Jan 15, 2010 3:14 pm
by Damasta
The only argument I can think of against HTML is to block obnoxious HTML like <marquee> and <blink>. I just recently wanted to do a superscript and [sup] doesn't work.

Posted: Sat Jan 16, 2010 4:38 am
by Laser Jock
Allowing people to use unrestricted HTML actually creates the possibility for all kinds of subtle, nasty attacks that can affect people who come to the site. Cross-site scripting (often abbreviated XSS) is what it's called. I'd recommend just using a whitelist of certain HTML tags, if you allow HTML at all.

To see how to enable just certain HTML tags in phpBB, see #25 here. For some examples of tricky XSS code, see here (this won't make much sense without some knowledge of the basics of XSS). (For the record, enabling the HTML superscript tag would be quite harmless.)

Posted: Sat Jan 16, 2010 8:58 am
by bobtheenchantedone
Thanks, Laser Jock. I'll work on enabling a few HTML tags.

Posted: Tue Jan 19, 2010 7:01 pm
by Damasta
If you didn't want to enable the tags, you could write the site code to accept [sup] for superscript and [sub] for subscript. And something for a few symbols could be nice, too, though those can be copied and pasted (like &mdash; and &ndash; ).

Posted: Thu Jan 21, 2010 11:22 am
by dzhonatan
I was thinking just the other day that it would be nice to have bbcode to link to questions, like <^(number)> does on the board itself. Shouldn't be too difficult, either. Maybe I'll try to whip something up.

Assuming that our admins can add new BBcodes. I understand they don't have complete control over the board...

Posted: Thu Jan 21, 2010 4:21 pm
by C is for
dzhonatan wrote: I was thinking just the other day that it would be nice to have bbcode to link to questions, like <^(number)> does on the board itself. Shouldn't be too difficult, either. Maybe I'll try to whip something up.

Assuming that our admins can add new BBcodes. I understand they don't have complete control over the board...
We'll have to talk, DZ. Maybe we can work something out (though, as usual, I think we admins are pretty limited).

In the meantime, it is definitely not out of my abilities to put in allowed html codes, if you tell me what they are. I'll go ahead and put in sup and sub. Anything else?

Posted: Fri Jan 22, 2010 3:12 am
by Laser Jock
C is for wrote: In the meantime, it is definitely not out of my abilities to put in allowed html codes, if you tell me what they are. I'll go ahead and put in sup and sub. Anything else?
There are lists of safe HTML tags, but I'm thinking it'd be less complicated for people to remember what is and isn't allowed if you don't add a couple dozen new tags. Of course, that's up to you; I'd be happy to track down such a list if you're interested in all of them, but I don't think most would be necessary. By request (and on a safe list) seems like a good approach.

Posted: Fri Jan 22, 2010 8:57 am
by C is for
I really don't see a point in putting in html codes no one will use, so I think just if anyone has one they really would like to have, we'll put it in.

While we're here...does "a href" have any special usage that "url" does not? Just curious.

Posted: Fri Jan 22, 2010 12:22 pm
by Damasta
You can use it for internal links, i.e. to jump to different parts of the page. You just designate the target with <a name="(name here)"></a>. But I can't see us needing that in a message board, so I say stick with [url]. Along with not enabling <blink> and <marquee>, I'd recommend against <font> (just so we don't end up with annoying colors and font faces).

Posted: Fri Jan 22, 2010 1:44 pm
by Laser Jock
Hm, something just occurred to me. When you specify what HTML tags are allowed, can you also specify what attributes are allowed in the tags? If not, even fairly simple tags (like <sup>) could be abused if you can also specify, say, a style attribute. (As an example, though this wouldn't abuse anything, here's <sup> with a style attribute: <sup style="font-weight:bold">this text would be bold as well as superscript</sup>.)

There are CSS-based attacks that can occur through the style tag, and you can even embed JavaScript in CSS (which blows the door wide open).

So...does anyone know if phpBB has a way of protecting against this, other than disallowing all HTML? :) (I'm thinking you could disallow it in a BBCode-style [sup] tag, if dzhonatan whips one up, but other than that?)

(Oh, and something similar occurs with the <a> tag vs. the [url] tag: with <a>, there are gobs of optional attributes that aren't available with [url], some of which could be abused. The reason for [url] is mainly, I think, to strip out those dangerous attributes. The same goes for some of the other BBCode tags.)

Posted: Fri Jan 22, 2010 3:06 pm
by dzhonatan
I can't find any options for turning HTML on or off on the little test board I set up for myself, but if there isn't an option for limiting what attributes can be used, and our admins are able to enter new bbcodes, it's trivially easy to write a bbcode to do it.
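An added illustration in Python (not phpBB's code, nor anything from this thread's posters) of the two approaches Laser Jock and dzhonatan describe: a BBCode [sup]/[sub] renderer that escapes the whole post first so no attribute can ride along, beside a tag-name whitelist for raw HTML that shows the difference between keeping and stripping attributes such as style=. The sample post strings are constructed.

```python
import html
import re

# Constructed example, not phpBB's own code. Two ways to let posts use
# superscript/subscript while keeping raw HTML (and its attributes) out.

BBCODE_TAGS = {"sup": "sup", "sub": "sub"}   # BBCode name -> HTML element
ALLOWED_TAGS = {"sup", "sub"}                # tag-name whitelist for raw HTML
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>")

def render_post(body: str) -> str:
    """BBCode approach: escape the whole post, then re-enable [sup]/[sub] only.
    The emitted <sup>/<sub> carry no attributes, so style= cannot be smuggled in."""
    safe = html.escape(body, quote=True)          # <, >, &, ", ' become entities
    for bb, tag in BBCODE_TAGS.items():
        pair = re.compile(r"\[%s\](.*?)\[/%s\]" % (bb, bb), re.IGNORECASE | re.DOTALL)
        safe = pair.sub(r"<%s>\1</%s>" % (tag, tag), safe)
    return safe

def whitelist_tags(body: str, keep_attributes: bool) -> str:
    """Raw-HTML approach: allow only tags in ALLOWED_TAGS, escaping everything else.
    keep_attributes=True mimics a whitelist that checks tag names but not attributes."""
    out, pos = [], 0
    for m in TAG_RE.finditer(body):
        out.append(html.escape(body[pos:m.start()]))         # text between tags
        close, name, attrs = m.group(1), m.group(2).lower(), m.group(3)
        if name in ALLOWED_TAGS:
            out.append("<%s%s%s>" % (close, name, attrs if keep_attributes else ""))
        else:
            out.append(html.escape(m.group(0)))              # unknown tag -> literal text
        pos = m.end()
    out.append(html.escape(body[pos:]))
    return "".join(out)

if __name__ == "__main__":
    post = 'E=mc[sup]2[/sup] and <sup style="font-weight:bold">raw</sup>'
    print(render_post(post))
    print(whitelist_tags(post, keep_attributes=True))   # style= survives
    print(whitelist_tags(post, keep_attributes=False))  # style= dropped
```

Only the third line of output is what a tag-name-plus-attribute whitelist would produce; the second shows the attribute passthrough the thread worries about.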