
Fixed Bypassing signature BB tags limit (like img, url, media, etc)

Discussion in 'Resolved Bug Reports' started by akaluth, Nov 11, 2014.

  1. akaluth

    akaluth New Member

    This is the English version of my July 29’th article, which you can read in Russian here. And sorry for my awesome English.

    1. Methods of BB-Tags limitation bypass:

    Bypassing images limit:
        Method #1
        [url=http://linktoanywhere.somewhere][img[media=youtube]123[/media]]image url[/img][/url]
        Method #2
        [url=http://linktoanywhere.somewhere][img[font=123][/font]]image url[/img][/url]
        Method #3
        [code][img]image url[/img]{/code] (replace { with [, required only there)
    2. But how?

    I think it’s because of xenforo’s bb codes parsing order. It looks like that:

    1. Counting img, url, email tags
    2. Merging count with permissions, if error - stop and write error message
    3. Removing prohibited tags (like media or font tags)
    4. Render BB to HTML
    Both methods are based on the xenforo BB parser, which counts tags before rendering:

    Methods 1 and 2 are based on “breaking” the “img” tag with the limited “media” or “font” tags, which will just be removed before rendering (but after counting the “img” tags). The third method is similar, but the tag content won’t get removed.

    3. Ok, but how to fix it?

    I’m not quite into PHP, so only a jQuery fix and a text description:

    1. Method one: count img, url and email tags while rendering them in html
    2. Limit images in signature via CSS
    3. Remove images and iframes from signature via jQuery: PasteBin
    Originally posted on my blog

    As an example, you can view my signature
  2. Mike

    Mike XenForo Developer Staff Member

    I have confirmed this. It's not a security issue in parsing or anything like that. It's specific to the behavior we have with signatures where, as a convenience, we try to remove disallowed tags rather than erroring. That leads to a situation where the result parses differently; you can still only use what is allowed by BB code, which is only "safe" code. It doesn't allow any code leaking or for them to do anything they couldn't do in a post.

    It does allow you to use the disallowed tags to potentially bypass that in a signature as demonstrated here. I am currently looking into a fix for the next release. If someone were to do this on your forum, it's really just them trolling and you should take moderation action just like someone bypassing the censoring rules.
    akaluth likes this.
  3. Mike

    Mike XenForo Developer Staff Member

    This is fixed now for the next release (and the next 1.3 release, if deemed necessary).

    It will do one pass where it strips any disabled tags. This is still done mostly to handle things like links being inserted automatically. If it detects that it stripped any code, it will do a second pass where it doesn't strip disabled tags and uses that for error detection.
    Rudy, akaluth and cclaerhout like this.
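A simplified model of the parsing order akaluth describes (count, then strip disallowed tags, then render) next to the two-pass fix Mike describes, written as an added Python example that is not XenForo's code; the tag regex, the minimal `render` step, the `DISALLOWED` set and the constructed sample signature (Method #2) are all assumptions of this example.

```python
import re

# Minimal BB-code tokenizer (assumption): a tag is [name], [name=opt], or [/name].
# A bracket inside the name, as in "[img[font=123][/font]]", is NOT a valid tag.
TAG_RE = re.compile(r"\[(/?)([a-z]+)(?:=[^\]\[]*)?\]")
DISALLOWED = {"font", "media"}  # tags a signature may not use (assumed set)

def count_tags(text, name):
    """Count well-formed opening tags called `name` in `text`."""
    return sum(1 for m in TAG_RE.finditer(text)
               if m.group(1) == "" and m.group(2) == name)

def strip_tags(text, disallowed):
    """The 'convenience' pass: silently drop disallowed tags, keep their content."""
    return TAG_RE.sub(lambda m: "" if m.group(2) in disallowed else m.group(0), text)

def render(text):
    """Toy renderer: only [img]...[/img] becomes HTML; everything else is left as-is."""
    return re.sub(r"\[img\](.*?)\[/img\]", r'<img src="\1">', text)

def check_vulnerable(sig, max_images, disallowed):
    """Order from the thread: count on the raw text, then strip, then render."""
    if count_tags(sig, "img") > max_images:
        return "error: too many images", ""
    return "ok", render(strip_tags(sig, disallowed))

def check_fixed(sig, max_images, disallowed):
    """Two-pass fix: strip first; if anything was stripped, re-run validation on the
    unstripped text with disallowed tags treated as errors instead of being removed."""
    stripped = strip_tags(sig, disallowed)
    if stripped != sig:
        for m in TAG_RE.finditer(sig):
            if m.group(2) in disallowed:
                return f"error: [{m.group(2)}] is not allowed in signatures", ""
    if count_tags(stripped, "img") > max_images:
        return "error: too many images", ""
    return "ok", render(stripped)

# Constructed sample: Method #2 from the report, with a placeholder image URL.
BYPASS_SIG = "[img[font=123][/font]]http://example.invalid/a.png[/img]"

if __name__ == "__main__":
    # With zero images allowed, the old order still produces an <img> element;
    # the fixed order rejects the signature because a disallowed tag was stripped.
    print(check_vulnerable(BYPASS_SIG, 0, DISALLOWED))
    print(check_fixed(BYPASS_SIG, 0, DISALLOWED))
```

The raw text contains no well-formed `[img]` tag, so the first count is zero; only after the `[font]` pair is removed does a real `[img]` appear, which is exactly the gap the second pass closes.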
  4. akaluth

    akaluth New Member

    Nice, thank you!
