/html
#1
As indicated previously, the opportunity to use HTML in signatures gives people the chance to introduce malevolent code to the site that, in the best case, creates minor inconveniences. However, it is also possible to break the entire site layout or to even compromise people's security.

It is for this reason that I am forced to remove any HTML privileges that have existed and announce that post formatting will, from this point onwards, exclusively be available via BBCode (the codes in [brackets]). The only exceptions are admins (aka MH and I), who are advised to use it as little as possible (i.e. for demonstrations or announcements) and omit it wherever possible.

Now, some of you are particularly fond of using tables, myself included. Personally, I would have liked to add some BBCode for tables into the editor. By using tables, though, it is extremely easy to break the forum layout as well. In fact, looking at any previous "help, my post broke the forum layout" thread, there was some sort of wonky table that simply was not used correctly (most of the time, more closing than opening tags and the like). Writing regular expressions (the magical link that transforms BBCode into displayable HTML code inside your browser) for tables (and especially nested tables) is close to impossible, if not impossible by definition. For these reasons, you will not find an alternative solution to insert tables.

Not the typical "hey, new feature"-post but I guess it's important enough to get its own announcement, too. I guess now it's time to fix up some signatures ;)
Silverthorn
~ Breaking LFE since 2008 ~


» Gallery | » Sprites | » devArt
#2
Ah well, I am pretty sure you've given this more thought, and you've pretty much considered a lot more than what it seems in what you've mentioned. But why limit it to regular expressions? Did you consider a normal string-manipulation approach? That might be simpler to get right than getting regular expressions to work. I happen to have a js snippet which parsed stuff like that flawlessly (as far as I have tested).

Edit: What are some examples that may cause a problem in the layout or become a security exploit? Are you concerned with modifying the core files? (I mean you've only recently updated to the new version)
A-Engine: A new beat em up game engine inspired by LF2. Coming soon

A-Engine Dev Blog - Update #8: Timeout

#3
(10-23-2015, 06:27 PM)Doctor A Wrote:  Did you consider a normal string-manipulation approach? That might be simpler to get right than getting regular expressions to work.

I think maybe writing a plugin (php) for tables bbcode might work. But I haven't had the time to take a look at how MyBB plugins work exactly, I'd like to hear BP's opinion on this. :)

(10-23-2015, 06:27 PM)Doctor A Wrote:  Edit: What are some examples that may cause a problem in the layout

Causing problems in the layout is very easy, example would be using <td> or <tr> outside a <table>, the results would look like this:

[tr][td]some text[/td][/tr]: http://s6.postimg.org/cl5u9r8rl/tr_td.png
[td]some text[/td]: http://s6.postimg.org/e1hcrwboh/image.png

This is actually possible to do at HFE right now, but I don't expect people to do it of course. :D

(10-23-2015, 06:27 PM)Doctor A Wrote:  or become a security exploit?

I'm actually curious about this too. As far as I know, scripts are not possible to use in MyBB. Iframes are possible (and therefore the scripts inside them), but it shouldn't be hard to disable them. @Someone else explained it here. But somehow his argument didn't convince me. :p However, just to play it safe, I have to agree with the decision to disable HTML; fewer chances of something bad happening.
The meaning of life is to give life a meaning.
Stop existing. Start living.
#4
Did Flash get doomed as well?
#5
(10-23-2015, 07:04 PM)MangaD Wrote:  
(10-23-2015, 06:27 PM)Doctor A Wrote:  Did you consider a normal string-manipulation approach? That might be simpler to get right than getting regular expressions to work.

I think maybe writing a plugin (php) for tables bbcode might work. But I haven't had the time to take a look at how MyBB plugins work exactly, I'd like to hear BP's opinion on this. :)

Writing plugins is no issue, really. In fact, since the last major upgrade, I shifted almost all edits to a self-written plugin where feasible. Some edits, though, dig so deep into the core-files that it's not possible to reproduce it in a plugin-like manner.

Thing is that the post-parser is one of the slowest elements of the whole forums. In other words, it contributes mostly to the server load. Adding any additional elements to the parser would slow the speed down even further. In the concrete example of tables, there are two routes one could travel:

1) (bad) Use an HTML validator at the end of the parsing process. If it finds that the (parsed) post contains invalid elements, the post will be displayed as blank. I think this is also how badly formed quotes are handled right now.
2) (good) Write an actual parser-enhancement that will attempt to fix badly formed html (hard). Rogue tr or td tags would be padded in additionally created tables.

Either way, this is so prone to errors that I'm afraid of ever tackling it. The more features of an html-table one tries to reproduce, the harder it gets (especially in the context of nested tables).

I honestly didn't think too much of string-manips because everything else in the post-parser works with regex, but I am fairly certain that the former is not going to be too much easier to handle, really. The greatest problem is that parsing tables itself is already challenging, but how is it going to handle broken code?


(10-23-2015, 07:04 PM)MangaD Wrote:  
(10-23-2015, 06:27 PM)Doctor A Wrote:  Edit: What are some examples that may cause a problem in the layout

Causing problems in the layout is very easy, example would be using <td> or <tr> outside a <table>, the results would look like this:

[tr][td]some text[/td][/tr]: http://s6.postimg.org/cl5u9r8rl/tr_td.png
[td]some text[/td]: http://s6.postimg.org/e1hcrwboh/image.png

This is actually possible to do at HFE right now, but I don't expect people to do it of course. :D

I also expected people not to use badly-formed code in their posts/signatures :p

@MangaD gave you a few, I just cannot find the thread where somebody (I think it was @Bamboori) slapped a whole bunch of html-code into a post and it completely messed up the theme. Must've been him, because there weren't that many people who used the eyecancer-green theme :p

Should've really compiled a list of that, I'm now just referring to my memory :/



(10-23-2015, 06:27 PM)Doctor A Wrote:  or become a security exploit?

The classic would be phishing. Add an iframe, scale it so that it fits the entire browser window, and pretend to do something LFE-related while asking for sensitive data. Off the top of my head, there are quite a few ways to implement that, so there are at least 5x more. The chances that anybody falls for that are low but not zero, which is unacceptable to me.

Second is providing semi-broken code. Stuff that will generally not work unless a specific context is provided. Something like There are so many ways to break things intentionally or unintentionally that it is really hard to cope for all of them.



edit: curses! Ninja'd once again! :ninjad:
(10-24-2015, 10:04 AM)Hellblazer Wrote:  Did Flash get doomed as well?

Yes. Embedding objects is per se dangerous from a security standpoint, especially if Flash/Java are enabled in your browser.
Silverthorn
~ Breaking LFE since 2008 ~


» Gallery | » Sprites | » devArt
#6
(10-24-2015, 10:07 AM)Blue Phoenix Wrote:  Writing plugins is no issue, really. In fact, since the last major upgrade, I shifted almost all edits to a self-written plugin where feasible. Some edits, though, dig so deep into the core-files that it's not possible to reproduce it in a plugin-like manner.

Well, after some time, people will rage for the bugs that will be associated with it. Remember the epic WYSIWYG saga, even though it was related to myBB.. It is simply better to keep it disabled, as there is almost no need for the feature to be implemented; will almost remain untouched for ages.. except for some fancy signatures.. e.e


(10-24-2015, 10:07 AM)Blue Phoenix Wrote:  Yes. Embedding objects is per se dangerous from a security standpoint, especially if Flash/Java are enabled in your browser.

That's the reason why Chrome officially ditched Java. Well, most websites will give up the rusty Flash after HTML 5 is finalized, I guess; most already did.
#7
(10-24-2015, 10:07 AM)Blue Phoenix Wrote:  1) (bad) Use an HTML validator at the end of the parsing process. If it finds that the (parsed) post contains invalid elements, the post will be displayed as blank. I think this is also how badly formed quotes are handled right now.
2) (good) Write an actual parser-enhancement that will attempt to fix badly formed html (hard). Rogue tr or td tags would be padded in additionally created tables.
I would say the second one is not a good solution. I like the idea of fail fast, so whenever something is wrong it will throw up its hands and give a (hopefully useful) error message.

Also: https://xkcd.com/327/
Age ratings for movies and games (and similar) have never been a good idea.
One can learn a lot from reinventing wheels.
An unsound argument is not the same as an invalid one.
volatile in C++ does not mean thread-safe.
Do not make APIs unnecessarily asynchronous.
Make C++ operator > again
Trump is an idiot.
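As an added illustration of the two routes Blue Phoenix lays out in #5 and the fail-fast preference in #7 (example code written for this thread, not MyBB's own post-parser): a minimal BBCode-to-HTML converter that HTML-escapes every raw character, so a pasted iframe, object or script tag comes out as inert text, and walks [table]/[tr]/[td] with a stack, so a rogue [td] outside a [table], a mismatched closing tag or an unclosed tag yields a blank post instead of a broken layout. The tag set, `BBCodeError` and `render_or_blank` are my own choices.

```python
import html
import re

# Constructed example for this thread, not MyBB's real post-parser.
TAG_RE = re.compile(r"\[(/?)(table|tr|td|b|i)\]")
REQUIRED_PARENT = {"tr": "table", "td": "tr"}  # must sit directly inside this tag
STRUCTURAL = {"table", "tr"}  # only [tr]/[td] may appear directly inside these


class BBCodeError(ValueError):
    """Badly formed BBCode: rogue, unclosed or mismatched tags."""


def render(bbcode: str) -> str:
    """Convert BBCode to HTML; raw HTML in the input is escaped, never passed through."""
    out, stack, pos = [], [], 0

    def emit_text(text: str) -> None:
        if text.strip() and stack and stack[-1] in STRUCTURAL:
            raise BBCodeError("text is only allowed inside [td]")
        out.append(html.escape(text))  # <iframe>, <script>, quotes: all inert

    for m in TAG_RE.finditer(bbcode):
        emit_text(bbcode[pos:m.start()])
        pos = m.end()
        closing, name = m.group(1) == "/", m.group(2)
        if closing:
            if not stack or stack[-1] != name:
                raise BBCodeError(f"unexpected [/{name}]")
            stack.pop()
            out.append(f"</{name}>")
            continue
        parent = REQUIRED_PARENT.get(name)
        if parent is not None and (not stack or stack[-1] != parent):
            raise BBCodeError(f"[{name}] must be directly inside [{parent}]")
        if parent is None and stack and stack[-1] in STRUCTURAL:
            raise BBCodeError(f"[{name}] is not allowed directly inside [{stack[-1]}]")
        stack.append(name)
        out.append(f"<{name}>")
    emit_text(bbcode[pos:])
    if stack:
        raise BBCodeError(f"unclosed [{stack[-1]}]")
    return "".join(out)


def render_or_blank(bbcode: str) -> str:
    """Fail-fast policy from the thread: a post that fails validation is shown blank."""
    try:
        return render(bbcode)
    except BBCodeError:
        return ""
```

Nested tables are accepted only inside a [td], which is where HTML allows them; the converter deliberately does not try to repair broken input (route 2), since that is the part the thread calls hard.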