cclaerhout
Well-known member
You can't forbid someone to use a tag, but you can use a different display per user as described above.
I think he was looking for more along the lines of being able to restrict who can actually use the BBCode tags, not who can view their output.
Which is what I'd like as well...
Thanks for that report!
Warning: incorrect handling of user-passed info will lead to exploits!
Example using just spoiler:
Code:
[spoiler=hi" onclick="alert(document.cookie);" nope="][/spoiler]
Example using "Box" and "Spoiler" together to create a trigger that a user is likely to activate:
Code:
[box=50" onclick="alert(document.cookie);" nope=][spoiler]Hax[/box][/spoiler]
Find this code in library/KingK/BbCodeManager/BbCode/Formatter/default.php:
Code:
<input id="spoiler_' . $tagId . '" class="button" type="button" value="' . $buttonText . '" onclick="]
Code:
<input id="spoiler_' . $tagId . '" class="button" type="button" value="' . htmlspecialchars($buttonText) . '" onclick="
I'm going to check my bbcodes after this ^^
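The following is an added example, not part of the thread or the add-on's code: it renders the spoiler button with and without `htmlspecialchars()` and parses the result to show which attributes the browser would see. The function names and the treatment of the `[box]` option as a numeric width are assumptions made for illustration.

```php
<?php
// Added example; function names are hypothetical, not the add-on's own code.
// Requires the DOM extension (used only to inspect the rendered markup).

// Before: the tag option is concatenated straight into a double-quoted attribute.
function spoilerButtonUnsafe(int $tagId, string $buttonText): string
{
    return '<input id="spoiler_' . $tagId . '" class="button" type="button" value="'
        . $buttonText . '" />';
}

// After: escape for the attribute context. ENT_QUOTES is passed explicitly because
// the default before PHP 8.1 (ENT_COMPAT) leaves single quotes unescaped.
function spoilerButtonSafe(int $tagId, string $buttonText): string
{
    return '<input id="spoiler_' . $tagId . '" class="button" type="button" value="'
        . htmlspecialchars($buttonText, ENT_QUOTES, 'UTF-8') . '" />';
}

// Assumption: the [box] option is a numeric width. Numeric options are better
// validated than escaped: digits only, capped, with a fallback default.
function boxWidth(string $option, int $default = 100): int
{
    return ctype_digit($option) ? min((int) $option, 100) : $default;
}

// List the attribute names the HTML parser actually sees on the <input>.
function inputAttributes(string $html): array
{
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $names = [];
    foreach ($doc->getElementsByTagName('input')->item(0)->attributes as $attr) {
        $names[] = $attr->nodeName;
    }
    return $names;
}

// Option strings taken from the two examples in the thread.
$spoilerOption = 'hi" onclick="alert(document.cookie);" nope="';
$boxOption     = '50" onclick="alert(document.cookie);" nope=';

echo implode(',', inputAttributes(spoilerButtonUnsafe(1, $spoilerOption))), "\n";
echo implode(',', inputAttributes(spoilerButtonSafe(1, $spoilerOption))), "\n";
echo boxWidth($boxOption), ' ', boxWidth('50'), "\n";
```

The first line of output includes `onclick` and `nope` among the attributes; the second lists only the four the template intended, and the box option from the thread falls back to the default width.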