We are upgrading our forum software!

Status
Not open for further replies.

Exterminator

Super Moderator
MalwareTips Staff
Joined
Oct 23, 2012
Messages
12,280
OS
Windows 10
Antivirus
Kaspersky
If I want to post HTML, I do it like this:

Code:
<html><head><script>function x() { alert("Hello") }</script></head><body onload="x()"><b>Hey</b></body></html>
If I want to do some remote XSS I might do something like this:

<b/<script>alert("Hello")</script>

.. What.. No message box? Damn it Jack! How dare you not allow me to hack MalwareTips by letting us use HTML tags in our posts!
Why can't we have an admin who doesn't give a damn about security and let's us all do what we want....


^ Ps. I was being sarcastic, Jack's a great (and responsible) admin, hence the site hasn't been hacked (to my knowledge).
Even I ,being the prehistoric sales expert(term of endearment given to me by a member) that I am, know that by allowing this you are putting your site at risk. Why would anybody allow HTML posting to its general membership. Those that suggest this have obviously never administrated or were an owner of a site. Suggesting that other platforms make this simpler is not a viable suggestion either. Personally I feel Xenforo to just as or even more secure than others. I have had VBulletin hacked. We have not even been on Xenforo for a year.
There is no need for this anyway,when you have a full compliment of options available in the text editor that we have.
 
Last edited:

Cowpipe

New Member
Joined
Jun 16, 2014
Messages
688
Why would anybody allow HTML posting to its general membership.....
Perhaps around 6 or 7 years ago now I was a member of a very popular question and answer site (like Yahoo answers but more informal). Anyway, part way along they decided to introduce some forum functionality, private messaging, user profiles and of course, basic html formatting options. Clearly somebody hadn't read any tutorials on sanitizing php...

They only allowed three tags. <b> <i> and <u>. One of my favourite pasttimes was hijacking threads by placing malformed html into my posts. Eg: <b>Hello<b/>. This was parsed as being a valid tag due to the presence of the closing slash in the second tag, yet the integrity was not checked, and as such the entire page containing the malformed tag would appear in bold, italics or underlined, whatever I felt like. I called it stylisation terrorism :p

Anyway, after about a week and a half of literally every thread being hijacked by me, they patched it and sent me a warning not to keep messing about with the html. Of course, that's like telling a hacker "If you log into my account again I'll just change the password ok!"...

A few weeks later, they added the ability to add in images using <img src=""></img>. Bad move. Feeling incredibly annoyed at being 'warned' for pressuring them to fix an obvious bug which could have led to xss attacks, I went one step further.

<img src=""<?php echo The security here stinks! Me and my password are outta here; ?>>

Rather than thread hijack, I just put that code in my signature and left the site, head held high. And that my friends, is why you should never allow HTML tags directly into your source-code.
 
Last edited:

Cats-4_Owners-2

Level 37
Trusted
Joined
Dec 4, 2013
Messages
2,667
OS
Windows 10
Antivirus
Kaspersky
Perhaps around 6 or 7 years ago now I was a member of a very popular question and answer site (like Yahoo answers but more informal). Anyway, part way along they decided to introduce some forum functionality, private messaging, user profiles and of course, basic html formatting options. Clearly somebody hadn't read any tutorials on sanitizing php...

They only allowed three tags. <b> <i> and <u>. One of my favourite pasttimes was hijacking threads by placing malformed html into my posts. Eg: <b>Hello<b/>. This was parsed as being a valid tag due to the presence of the closing slash in the second tag, yet the integrity was not checked, and as such the entire page containing the malformed tag would appear in bold, italics or underlined, whatever I felt like. I called it stylisation terrorism :p

Anyway, after about a week and a half of literally every thread being hijacked by me, they patched it and sent me a warning not to keep messing about with the html. Of course, that's like telling a hacker "If you log into my account again I'll just change the password ok!"...

A few weeks later, they added the ability to add in images using <img src=""></img>. Bad move. Feeling incredibly annoyed at being 'warned' for pressuring them to fix an obvious bug which could have led to xss attacks, I went one step further.

<img src=""<?php echo The security here stinks! Me and my password are outta here; ?>>

Rather than thread hijack, I just put that code in my signature and left the site, head held high. And that my friends, is why you should never allow HTML tags directly into your source-code.
Cowpipe, it is a comforting relief we are all gladdened by to know that you are on our side!:p:D
 
Last edited:

Cowpipe

New Member
Joined
Jun 16, 2014
Messages
688
PHP's syntax is horrible, HTML is too basic, and MySQL is a brain-duck (yes, a brain-duck) for me. That's why I am the good guy.
Hahaha, I think that is my favourite reason ever for somebody not becoming a hacker :p :D

And the second reason is the Elder Scrolls is my favorite video game series ; in fact one of my most favorite fictional things ever. So..
Good luck finding the Easter egg..

Not sure what i would do. I would just be lost and sulking. :(

Hi! I usually just fix me a fresh bourbon and water. Call my ISP and threaten them with a law suite. I tell them I was in the middle of a million dollar deal. I know when my ISP is down even if I'm not online. My seniors call me and say "Computer man, I can't get on Facebook"
I have Sudden Link and they know who I am and so they don't take me very seriously. If I get a new person at Sudden Link, I like to rass them about their message to unplug the modem and wait, then plug it back in. They know when we're down, and now they usually great me with "We're having trouble in your area and we have people working on it" I then make then listen to me for at least 5 minutes. Usually have a new joke for them.They are really great people and they know better than try to snow me! I take this time to give them a bad time about my down load speed and why they have so many outages. Also tell them I would like a little country music in stead of the elevator music they play while I'm on hold.:):)
PS I enjoyed your thread! Good to have a little fun and not have to work on the forum all the time.:p:)
You talk about hard workers. Our malware fighters are busy all the time. I salute them for their hard work and dedication to MT.
They clean more infected PC's in a week than all the other forums clean in a year. Nice work TwinHeadedEagal and Argus!!
I love the idea for a Bourbon, but just skip the water and my drink of choice is ready. :D:D
 
Last edited by a moderator:
Status
Not open for further replies.

Similar Threads

Similar Threads

Forgot your password?