
Lack of interest Any reason why Notices allow HTML?

arn

Active member
#1
Was curious about this. Is there a reason why Notices allow HTML?

Seems a potential security hole. This is the vector through which Ubuntu Forums as well as MacRumors forums were hacked under vB. A moderator account was broken into (shared/weak passwords), and an HTML announcement was posted. That HTML announcement then allowed the hacker to escalate to Admin access by use of an external JavaScript.

I realize in XF the notices are an admin privilege, but you could still imagine giving some admins notice access, but not other access.

I guess my suggestion would be to not allow HTML in notices, or have it disable-able.

arn
 

Brogan

XenForo moderator
Staff member
#4
HTML is allowed in other areas such as page nodes, custom bb code, etc.

If you're going to remove it from notices then logically you would have to remove it from everywhere, which would drastically reduce the functionality of the software.
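An added illustration, not XenForo's own code, of the two options the thread weighs: a per-notice `allow_html` switch that escapes everything (arn's "disable-able" suggestion), and a strict tag/attribute allowlist for when HTML stays enabled so the functionality Brogan mentions is kept without letting a compromised staff account plant script. The tag lists, the `render_notice` function and the sample inputs are my own assumptions.

```python
# Added example (not XenForo code): render an admin notice either with HTML
# disabled (fully escaped) or through a strict allowlist that drops script,
# event-handler attributes and javascript: URLs from the notice body.
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "strong", "em", "p", "br", "a"}   # assumed allowlist
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "/")


class NoticeSanitizer(HTMLParser):
    """Rebuild the notice from the allowlist; other markup is dropped, text kept."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # >0 while inside <script>/<style>; their text is discarded

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # disallowed tag (img, iframe, ...) vanishes, inner text survives
        safe = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick=, onerror=, style=, etc.
            if name == "href" and not value.lower().strip().startswith(SAFE_SCHEMES):
                continue  # drops javascript: and data: URLs
            safe.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data))


def render_notice(body: str, allow_html: bool) -> str:
    """allow_html=False is the 'HTML disabled' switch; True keeps allowlisted markup."""
    if not allow_html:
        return html.escape(body)
    parser = NoticeSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)
```

For a production forum a vetted sanitiser library is preferable to a hand-rolled allowlist; the point here is that HTML can stay available in notices while the script-bearing constructs are removed.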