tenants
Well-known member
Yup, there are forums (with this plugin installed) that allow any registered user to edit the HTML << avoid doing this at all costs.
Can someone confirm that there is a server-side check for access to edit / add HTML? (Use a third-party tool and look at the requests being sent.) I'm currently on a notebook with a low res so I don't have access to many tools.
If there is no server-side check, then simply hiding the option to edit the HTML is not enough.
I have nothing against this plugin, in fact I love it (but I'm still getting my head around it) - but there needs to be a big warning to let forum admins know to never let anyone (even your grandmother) edit/add HTML or live script on your site.
- assume all user content is malicious
- (my new one for the day) assume all plug-in users are daft / just haven't realized... yet
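A sketch of the server-side check the post asks about, as an added example that is not part of the original post and is not the plugin's code. `User`, `can_edit_html`, `render_edit_form` and both `save_page_*` handlers are hypothetical names, and the group names are assumptions.

```python
# Added example: hiding the edit form versus enforcing the permission
# in the handler that performs the write. All names are hypothetical.
from dataclasses import dataclass

ADMIN_GROUP = "admin"  # assumption: only this group may edit raw HTML


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset


class Forbidden(Exception):
    """The server refuses the request (an HTTP 403 in a real application)."""


def can_edit_html(user):
    return ADMIN_GROUP in user.groups


def render_edit_form(user):
    # UI gate: only decides whether the edit form is shown to this user.
    return "<form action='/page/save'>...</form>" if can_edit_html(user) else ""


def save_page_ui_only(store, user, page_id, html):
    # Weak: relies on the hidden form; the write itself is never authorized.
    store[page_id] = html
    return "saved"


def save_page_checked(store, user, page_id, html):
    # Enforced: the permission is re-checked on every write request.
    if not can_edit_html(user):
        raise Forbidden(f"{user.name} may not edit HTML")
    store[page_id] = html
    return "saved"


def demo():
    member = User("member", frozenset({"registered"}))  # constructed user
    weak, strict = {}, {}
    form_shown = bool(render_edit_form(member))
    save_page_ui_only(weak, member, 1, "<p>constructed input</p>")
    try:
        save_page_checked(strict, member, 1, "<p>constructed input</p>")
        refused = False
    except Forbidden:
        refused = True
    # (form shown?, weak handler stored it?, strict handler refused?, strict stored it?)
    return form_shown, 1 in weak, refused, 1 in strict
```

The member never sees the form, yet the first handler still stores the HTML; only the second handler refuses the write.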