Joined: Nov 1999
Posts: 132
Member
I'm kind of shocked beyond belief that the program comes defaulted "out of the box" to allow users to enter javascript. The full range of potential mischief seems to be allowed if HTML's turned on.
It's unbelievable. There are other security issues with this program, and I hope Rick can spend time shoring stuff up. UBBT has lots and lots and lots of features already.
JIM
Joined: Aug 2002
Posts: 15
Newbie
The usual response is to turn off html and use markup; that's what it's there for. However, it's so simple to write an allowable html filter that you have to wonder why they don't. I wrote mine the day someone started embedding their own background images in my forum.
Joined: Nov 1999
Posts: 132
Member
Or, for goodness' sake, at least ship the script with HTML defaulted to "off" if you're not going to write the allowable html filter.
Security issues re: this program frighten me. Not enough consideration has been paid. It already had the best features of any bbs program three years ago. It's time to attend to infrastructure, security, scalability.
Joined: Mar 2000
Posts: 21,079 Likes: 3
I type Like navaho
When you create your forums you set whether or not you want html or ubbcode on. It's possible in a read-only forum you might want full control of the html/javascript. I do not follow you on the security issues thoughts. Believe me, we're the subject of "security testing" on a mostly daily basis.
Joined: Nov 1999
Posts: 132
Member
posted by AllenAyres:
When you create your forums you set whether or not you want html or ubbcode on. It's possible in a read-only forum you might want full control of the html/javascript.

So anticipating this extremely unlikely contingency, the product ships in "full-mayhem-activated" position? Without even the standard step of an allowable html filter which the, like, two people who'd want javascript allowed could easily override?

"I do not follow you on the security issues thoughts"

I'm not an expert, and am unable to provide examples (though I will as we find them). But the fellow implementing the software on my site's a major tech pooba (former NASDAQ company CTO, former project lead at Apple), and he was dumbfounded by the javascript issue and what he considered, generally, a slipshod approach to security. I'll, of course, share what we learn as we learn it (and all tweaks as we tweak).

Jim
Joined: Mar 2000
Posts: 21,079 Likes: 3
I type Like navaho
Nothing is shipped "full-mayhem-activated". You have to choose that you want html on. UBBCode too, for that matter.
Joined: Nov 1999
Posts: 132
Member
Apologies if that's the case. I was told differently.
Nonetheless, the absence of an allowable html filter is a bad, bad idea. I'd never have imagined javascript to be invited in with HTML. The unlikely contingency you mentioned doesn't justify this gap.
Joined: Mar 2000
Posts: 21,079 Likes: 3
I type Like navaho
I can't think of an occasion you'd ever want html on in a forum where more than admins make read-only announcements. I've never turned html on in any forum I've adminned.
Joined: Apr 2002
Posts: 1,768
Addict
I just created a test forum with 6.1b1. I didn't make any selections for HTML or markup, and they both defaulted to "off".
The only problem is that neither of the radio buttons is "checked" when the create-forum form is displayed, which is not really the proper way to use radio buttons.
Joined: Mar 2000
Posts: 21,079 Likes: 3
I type Like navaho
Yeah, it really should have 2 for on and off for each selection.
Joined: Apr 2001
Posts: 59
Junior Member
Guys, sometimes I stumble on something really simple that works for me... I just used the "badwords" filter to specify that "script" and "iframe" are naughty words and I've never had a problem. Of course, I don't have any boards where my members typically post any code, so the missing words have never posed a problem for my site. I suppose if my members started talking about a movie script they'd be surprised to see it as [censored] but that hasn't happened yet. It would be kind of nice to just have scripting and iframes disabled though.
Joined: Apr 2002
Posts: 206
Member
A better solution in a non-code-posting forum would be adding "<script" and "<iframe" to the badwords, since that doesn't block out any instances of normal English language, but does block the html code.
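The two approaches argued over in this thread, the "allowable html filter" from the Aug 2002 post above and the badwords list with "<script" and "<iframe" from the last two posts, side by side as an added Python example. This is not UBB.threads' own filter code; the allowed tags, attributes and URL schemes are assumptions chosen for the demo, the badwords matching is made case-insensitive (the thread does not say how the real filter matches), and the sample posts are constructed.

```python
"""Added example (not UBB.threads' own filter code): a "badwords"-style
substring blocklist next to a tag/attribute allowlist for user-supplied HTML.
The allowed tags, attributes and URL schemes below are assumptions chosen
for the demo, and the sample posts are constructed."""
import re
from html import escape
from html.parser import HTMLParser

# Blocklist in the spirit of the badwords suggestion. Matching is made
# case-insensitive here; the thread does not say how UBB.threads' own
# filter matches.
BADWORDS = ("<script", "<iframe")


def badwords_filter(post: str) -> str:
    """Replace every occurrence of a listed string with [censored]."""
    for word in BADWORDS:
        post = re.sub(re.escape(word), "[censored]", post, flags=re.IGNORECASE)
    return post


# Allowlist: anything not listed is dropped. Event-handler attributes
# (onerror, onload, ...) are never listed, so they can never get through.
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "p", "br", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


def safe_url(value: str) -> bool:
    """Accept only URLs that start with a known-harmless scheme."""
    return value.strip().lower().startswith(SAFE_SCHEMES)


class AllowlistSanitizer(HTMLParser):
    """Rebuild the post from scratch, emitting only allowed tags/attributes."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>: drop their text

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its inner text is still emitted
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in ("href", "src") and not safe_url(value or ""):
                continue  # javascript:, data:, relative, ... all rejected
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(escape(data, quote=False))


def sanitize(post: str) -> str:
    """Return the post with only allowlisted HTML left in it."""
    parser = AllowlistSanitizer()
    parser.feed(post)
    parser.close()
    return "".join(parser.out)


# Constructed sample posts: one harmless, the rest carrying script or a
# hostile page background without ever containing "<script" or "<iframe".
SAMPLE_POSTS = [
    '<b>hello</b> <a href="http://example.com/">link</a>',
    "<SCRIPT>alert(1)</SCRIPT>",
    '<img src="http://x/a.png" onerror=alert(1)>',
    '<a href="JavaScript:alert(1)">click</a>',
    '<body background="http://evil.example/bg.png">hi',
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print("post:     ", post)
        print("badwords: ", badwords_filter(post))
        print("allowlist:", sanitize(post))
        print()
```

Run it and the difference is plain: the badwords list catches `<SCRIPT>` but leaves the `onerror` handler, the `javascript:` link and the `<body background=...>` post (the background-image trick mentioned earlier in the thread) untouched, because none of them contain the two listed strings. The allowlist keeps the harmless post byte-for-byte and strips everything else, and it needs no list of bad tags to maintain: a new tag or attribute is rejected until someone deliberately adds it.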