Lack of interest Any reason why Notices allow HTML?

[arn]

Was curious about this. Is there a reason why Notices allow HTML?

Seems a potential security hole. This is the vector through which Ubuntu Forums as well as MacRumors forums were hacked under vB. Moderator account was broken into (shared/weak passwords), and an HTML announcement was posted. That HTML announcement then allowed the hacker to escalate Admin access by use of an external javascript.

I realize in XF the notices are an admin priviledge, but you could still imagine giving some admins notice access, but not other access.

I guess my suggestion would be to not allowed HTML in notices, or have it disable-able.

arn

 

[Xon]

You need to be an administrator to post notices.

 

[Jeremy]

A lot of areas in the ACP allow HTML. If an attacker is able to get in and post them, likely, they already have the access they need to deface or ruin your site.

 

[Paul B]

HTML is allowed in other areas such as page nodes, custom bb code, etc.

If you're going to remove it from notices then logically you would have to remove it from everywhere, which would drastically reduce the functionality of the software.

 

[Martok]

I realize in XF the notices are an admin priviledge, but you could still imagine giving some admins notice access, but not other access.

This is one of the reasons I like and use the Notifications add-on

https://xenforo.com/community/resources/notifications.870/

My moderators can access this from the front end, so no back end access required.