Exterminator (Community Manager, Staff Member)
If I want to post HTML, I do it like this:

Code:
<html><head><script>function x() { alert("Hello") }</script></head><body onload="x()"><b>Hey</b></body></html>

If I want to do some remote XSS I might do something like this:

<b/<script>alert("Hello")</script>

.. What.. No message box? Damn it Jack! How dare you not allow me to hack MalwareTips by letting us use HTML tags in our posts! Why can't we have an admin who doesn't give a damn about security and lets us all do what we want....

^ Ps. I was being sarcastic, Jack's a great (and responsible) admin, hence the site hasn't been hacked (to my knowledge).
Even I, being the prehistoric sales expert (term of endearment given to me by a member) that I am, know that by allowing this you are putting your site at risk. Why would anybody allow HTML posting to its general membership? Those that suggest this have obviously never administrated or owned a site. Suggesting that other platforms make this simpler is not a viable suggestion either. Personally I feel Xenforo to be just as or even more secure than others. I have had VBulletin hacked. We have not even been on Xenforo for a year.
There is no need for this anyway, when you have a full complement of options available in the text editor that we have.

Cowpipe
Why would anybody allow HTML posting to its general membership.....

Perhaps around 6 or 7 years ago now I was a member of a very popular question and answer site (like Yahoo answers but more informal). Anyway, part way along they decided to introduce some forum functionality, private messaging, user profiles and of course, basic html formatting options. Clearly somebody hadn't read any tutorials on sanitizing php...

They only allowed three tags: <b>, <i> and <u>. One of my favourite pastimes was hijacking threads by placing malformed HTML into my posts. E.g.: <b>Hello<b/>. This was parsed as being a valid tag due to the presence of the closing slash in the second tag, yet the integrity was not checked, and as such the entire page containing the malformed tag would appear in bold, italics or underlined, whatever I felt like. I called it stylisation terrorism :p

Anyway, after about a week and a half of literally every thread being hijacked by me, they patched it and sent me a warning not to keep messing about with the html. Of course, that's like telling a hacker "If you log into my account again I'll just change the password ok!"...

A few weeks later, they added the ability to add in images using <img src=""></img>. Bad move. Feeling incredibly annoyed at being 'warned' for pressuring them to fix an obvious bug which could have led to XSS attacks, I went one step further.

<img src=""<?php echo The security here stinks! Me and my password are outta here; ?>>

Rather than thread hijack, I just put that code in my signature and left the site, head held high. And that my friends, is why you should never allow HTML tags directly into your source-code.

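Cowpipe's story turns on two defects: the site trusted the shape of a tag (<b/> passed as if it were a proper close tag) and never checked that tags were balanced, so one post's formatting leaked across the whole page. The following is an added example, not code from the thread or from the site in question, of the allowlist approach a sanitizer for those same three tags should take: only bare <b>, <i> and <u> survive, every other tag is dropped, all text is re-escaped, and any tag a post leaves open is closed at the end of that post.

```python
# Added example: allowlist sanitizer for user posts that may contain only
# <b>, <i> and <u>. Everything else is dropped or escaped, and tags are
# forced to balance inside the post so styling cannot hijack the page.
from html import escape
from html.parser import HTMLParser

ALLOWED = {"b", "i", "u"}


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []  # stack of allowed tags currently open in this post

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED:
            self.out.append(f"<{tag}>")  # attributes dropped on purpose
            self.open.append(tag)
        # <script>, <img ...> and anything else not allowlisted is dropped

    def handle_startendtag(self, tag, attrs):
        # "<b/>" is a self-closing form, not a close tag: ignore it entirely
        pass

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag in self.open:
            # pop down to the matching open tag so nesting stays balanced
            while self.open:
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        # text (including decoded entities) is always re-escaped on output
        self.out.append(escape(data, quote=True))

    def result(self):
        # close anything the post left open so styling cannot leak past it
        while self.open:
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(post: str) -> str:
    p = AllowlistSanitizer()
    p.feed(post)
    p.close()
    return p.result()
```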
Cats-4_Owners-2
Cowpipe, it is a comforting relief we are all gladdened by to know that you are on our side!:p:D

Cowpipe
PHP's syntax is horrible, HTML is too basic, and MySQL is a brain-duck (yes, a brain-duck) for me. That's why I am the good guy.

Hahaha, I think that is my favourite reason ever for somebody not becoming a hacker :p :D

And the second reason is the Elder Scrolls is my favorite video game series ; in fact one of my most favorite fictional things ever. So..
Good luck finding the Easter egg..

Not sure what i would do. I would just be lost and sulking. :(

Hi! I usually just fix me a fresh bourbon and water. Call my ISP and threaten them with a lawsuit. I tell them I was in the middle of a million dollar deal. I know when my ISP is down even if I'm not online. My seniors call me and say "Computer man, I can't get on Facebook"
I have Sudden Link and they know who I am and so they don't take me very seriously. If I get a new person at Sudden Link, I like to razz them about their message to unplug the modem and wait, then plug it back in. They know when we're down, and now they usually greet me with "We're having trouble in your area and we have people working on it" I then make them listen to me for at least 5 minutes. Usually have a new joke for them. They are really great people and they know better than to try to snow me! I take this time to give them a bad time about my download speed and why they have so many outages. Also tell them I would like a little country music instead of the elevator music they play while I'm on hold.:):)
PS I enjoyed your thread! Good to have a little fun and not have to work on the forum all the time.:p:)
You talk about hard workers. Our malware fighters are busy all the time. I salute them for their hard work and dedication to MT.
They clean more infected PCs in a week than all the other forums clean in a year. Nice work TwinHeadedEagal and Argus!!
I love the idea for a Bourbon, but just skip the water and my drink of choice is ready. :D:D
