
Duplicate [Small suggestion] Allow text to wrap around a picture on the profile information page

Discussion in 'Closed Suggestions' started by dutchbb, Sep 18, 2010.

  1. dutchbb

    dutchbb Well-Known Member

    As you can see on my Information page here, it's not possible to wrap text around an image because there's no way to do it with BBCode yet. HTML is out of the question since it creates security issues. So my suggestion would be a 'wrap text around image' BBCode tag for the editor.
     
    CyberAP likes this.
  2. x_Stricken_x

    x_Stricken_x Active Member

    Actually, if a developer knows what they're doing - allowing HTML isn't a security issue; you just have to be smart around it. As a substitution, a [wrap=x]<your_stuff_here>[/wrap] would be a good idea. :)
     
    ked38 likes this.
  3. dutchbb

    dutchbb Well-Known Member

    Ok. It was my understanding that it's not possible to make HTML 100% safe, but I could be wrong since I'm no expert on this subject.
     
  4. x_Stricken_x

    x_Stricken_x Active Member

    It's not the HTML that can be "unsafe" per se; it's allowing users to use it when dealing with PHP.

    Say for example a user has this in their post:
    Once the browser renders that user's post - if the <script> tag isn't stripped, the user will be redirected to http://my.malicious-site.com/steal_data.php. However, there's a PHP function - strip_tags - that allows you to remove all HTML tags from a specified string, or leave certain ones in (<b>, <i>, <u>, etc.).
     
  5. dutchbb

    dutchbb Well-Known Member

    Yes, I've actually experienced that one on my board once. vB 3.x (not sure about 4.x) does not have a secure HTML permission setting, so that was a problem.
     
  6. x_Stricken_x

    x_Stricken_x Active Member

    Honestly, I don't think it should be up to an admin to have a setting to either allow or remove HTML from posts; unless the forum software developers have millions of testers and can think of every possible way HTML can be harmful, and try to prevent it. However, to an advanced forum administrator, having such a setting can be useful if they choose to utilize it.

    In a sense, it's really only JavaScript that you have to worry about, not necessarily HTML.
     
  7. dutchbb

    dutchbb Well-Known Member

    For some forums that are not open to the public it's useful. Otherwise it's best to disable.

    You seem to agree with me now that making the HTML permission safe would be hard if not impossible.

    Not sure if this last statement is correct, I do not know enough about it to comment on that. I just know that javascript will be disabled if HTML is disabled, that's what this was about.

    Thanks for your comments, I'd like to hear from others now if you don't mind :)
     
  8. x_Stricken_x

    x_Stricken_x Active Member

    Honestly, the amount of safety something has or lacks depends on how well it is coded and how much testing is done, and how far a developer's mind can think ahead.
     
  9. Brogan

    Brogan XenForo Moderator Staff Member

    Just create a BBCode on your own forum and then anyone can use it.

    I use float left and right on my site.
     
  10. Peggy

    Peggy Well-Known Member

    Why don't you post a how-to on creating your own BBcode in the resources forum?
     
  11. Brogan

    Brogan XenForo Moderator Staff Member

    No problem, although I'm not sure how BB Code is created in XenForo, or even if it's possible to do it via the ACP.

    I'm more than happy to post all the actual BB Code and corresponding HTML replacement code though.
     
  12. dutchbb

    dutchbb Well-Known Member

    I have that too, I just thought this should be default and available here:)
     
  13. James

    James Well-Known Member

    strip_tags with exceptions isn't good (personally) because in exceptions, javascript events can be utilised inline!
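
The point raised in this thread about strip_tags with allowed tags, shown as an added example that is not part of the original thread or of XenForo's code: strip_tags() filters by tag name only, while an escape-first BBCode renderer never lets user text reach an attribute. The function render_bbcode(), the sample post and the [wrap=left|right] syntax are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample post: an allowed tag that carries an inline event handler.
$post = '<b onmouseover="alert(1)">hover me</b> [wrap=right][b]caption[/b][/wrap]';

// Weak: strip_tags() filters by tag name only, so every attribute on an
// allowed tag (onmouseover, onclick, style, ...) is passed through untouched.
$weak = strip_tags($post, '<b><i><u>');

// Hardened: escape first, then emit only fixed markup for known BBCode tags.
function render_bbcode(string $raw): string
{
    // 1. Neutralise all user-supplied markup, including quotes.
    $html = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // 2. Simple tags map to attribute-free HTML; loop so nested tags resolve.
    do {
        $html = preg_replace('~\[(b|i|u)\](.*?)\[/\1\]~is', '<$1>$2</$1>', $html, -1, $n) ?? $html;
    } while ($n > 0);

    // 3. Hypothetical [wrap=left|right] tag: the option must match a closed
    //    set, so no user-controlled text ever lands inside an attribute.
    do {
        $html = preg_replace_callback(
            '~\[wrap=(left|right)\](.*?)\[/wrap\]~is',
            static function (array $m): string {
                return '<div style="float:' . strtolower($m[1]) . '">' . $m[2] . '</div>';
            },
            $html, -1, $n
        ) ?? $html;
    } while ($n > 0);

    return $html;
}

// Compare the two outputs: the first keeps the handler as live markup,
// the second shows the same text as escaped, inert characters.
echo "strip_tags:    ", $weak, PHP_EOL;
echo "render_bbcode: ", render_bbcode($post), PHP_EOL;
```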
     
  14. Brogan

    Brogan XenForo Moderator Staff Member

  15. dutchbb

    dutchbb Well-Known Member

    Ah cool thanks.
     
  16. Peggy

    Peggy Well-Known Member

    I'm not sure either, but I'm pretty sure we can use it in the pages feature. At least I hope so!
     
  17. x_Stricken_x

    x_Stricken_x Active Member

    That's a completely different case of a script being f*cked up beyond all recognition or repair. It can only be done in certain cases, and if a developer isn't aware of the certain cases - they should be careful about cross-threading HTML allowance and denials.
     
