
Duplicate [Small suggestion] Allow text to wrap around a picture on the profile information page

dutchbb

Well-known member
#1
As you can see on my Information page here, it's not possible to wrap text around an image because there's no way to do it with BBCode yet. HTML is out of the question since it creates security issues. So my suggestion would be a 'wrap text around image' BBCode tag for the editor.
 
#2
As you can see on my Information page here, it's not possible to wrap text around an image because there's no way to do it with BBCode yet. HTML is out of the question since it creates security issues. So my suggestion would be a 'wrap text around image' BBCode tag for the editor.
Actually, if a developer knows what they're doing - allowing HTML isn't a security issue; you just have to be smart around it. As a substitution, a [wrap=x]<your_stuff_here>[/wrap] would be a good idea. :)
 

dutchbb

Well-known member
#3
Ok. It was my understanding that it's not possible to make HTML 100% safe, but I could be wrong since I'm no expert on this subject.
 
#4
Ok. It was my understanding that it's not possible to make HTML 100% safe, but I could be wrong since I'm no expert on this subject.
It's not the HTML that can be "unsafe" per se; it's allowing users to use it when dealing with PHP.

Say for example a user has this in their post:
Once the browser renders that user's post - if the <script> tag isn't stripped, the user will be redirected to http://my.malicious-site.com/steal_data.php. However, there's a PHP function - strip_tags - that allows you to remove all HTML tags from a specified string, or leave certain ones in (<b>, <i>, <u>, etc.)
 

dutchbb

Well-known member
#5
Yes, I've actually experienced that one on my board once. vB 3.x (not sure about 4.x) does not have a secure HTML permission setting, so that was a problem.
 
#6
Yes, I've actually experienced that one on my board once. vB 3.x (not sure about 4.x) does not have a secure HTML permission setting, so that was a problem.
Honestly, I don't think it should be up to an admin to have a setting to either allow or remove HTML from posts; unless the forum software developers have millions of testers and can think of every possible way HTML can be harmful, and try to prevent it. However, to an advanced forum administrator, having such a setting can be useful if they choose to utilize it.

In a sense, it's really only JavaScript that you have to worry about, not necessarily HTML.
 

dutchbb

Well-known member
#7
Honestly, I don't think it should be up to an admin to have a setting to either allow or remove HTML from posts; unless the forum software developers have millions of testers and can think of every possible way HTML can be harmful, and try to prevent it. However, to an advanced forum administrator, having such a setting can be useful if they choose to utilize it.

In a sense, it's really only JavaScript that you have to worry about, not necessarily HTML.
For some forums that are not open to the public it's useful. Otherwise it's best to disable.

You seem to agree with me now that making the HTML permission safe would be hard if not impossible.

Not sure if this last statement is correct, I do not know enough about it to comment on that. I just know that JavaScript will be disabled if HTML is disabled, that's what this was about.

Thanks for your comments, I'd like to hear from others now if you don't mind :)
 
#8
For some forums that are not open to the public it's useful. Otherwise it's best to disable.

You seem to agree with me now that making the HTML permission safe would be hard if not impossible.

Not sure if this last statement is correct, I do not know enough about it to comment on that. I just know that JavaScript will be disabled if HTML is disabled, that's what this was about.

Thanks for your comments, I'd like to hear from others now if you don't mind :)
Honestly, the amount of safety something has or lacks depends on how well it is coded and how much testing is done, and how far a developer's mind can think ahead.
 

Brogan

XenForo moderator
Staff member
#9
Just create a BBCode on your own forum and then anyone can use it.

I use float left and right on my site.
 

Brogan

XenForo moderator
Staff member
#11
Why don't you post a how-to on creating your own BBcode in the resources forum?
No problem, although I'm not sure how BB Code is created in XenForo, or even if it's possible to do it via the ACP.

I'm more than happy to post all the actual BB Code and corresponding HTML replacement code though.
 

James

Well-known member
#13
It's not the HTML that can be "unsafe" per se; it's allowing users to use it when dealing with PHP.

Say for example a user has this in their post:


Once the browser renders that user's post - if the <script> tag isn't stripped, the user will be redirected to http://my.malicious-site.com/steal_data.php. However, there's a PHP function - strip_tags - that allows you to remove all HTML tags from a specified string, or leave certain ones in (<b>, <i>, <u>, etc.)
strip_tags with exceptions isn't good (personally) because in exceptions, javascript events can be utilised inline!
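The two points made in #4 and #13 (strip_tags with an allow-list leaves the attributes of the allowed tags intact, so inline event handlers survive) and the safer route suggested in #2 and #9 (a [wrap=left|right] BBCode tag rendered to a fixed float) can both be shown in a few lines of PHP. This is an added example, not XenForo code and not code posted by anyone in the thread; the post text, the `containsInlineEventHandler` check and the `renderWrapBbcode` function are all constructed for illustration, and a real board would pass the wrapped content through its remaining BBCode parser ([img] and so on) rather than through `htmlspecialchars` alone.

```php
<?php
// Added example (not XenForo's code). Illustrates why filtering user HTML
// with strip_tags() and an allow-list is not enough, and how a BBCode tag
// avoids the problem by never emitting user-controlled markup.

// Constructed sample post: user-supplied HTML carrying an inline event handler.
$userHtml = '<b onmouseover="alert(1)">hover me</b><script>alert(2)</script>';

// strip_tags() removes the <script> and </script> tags (their text content
// stays behind as plain text), but <b> is allowed, and strip_tags() keeps the
// whole opening tag, attributes included. The onmouseover handler survives.
$filtered = strip_tags($userHtml, '<b><i><u>');

// Detection only, not a sanitizer: flags markup where a tag still carries an
// on* attribute after filtering. Useful as a regression check in a test suite.
function containsInlineEventHandler(string $html): bool
{
    return preg_match('/<[a-z][^>]*\son[a-z]+\s*=/i', $html) === 1;
}

// Safe alternative: a [wrap=left|right]...[/wrap] BBCode tag. The renderer owns
// every byte of emitted HTML; the user only chooses between two fixed options.
function renderWrapBbcode(string $bbcode): string
{
    // Step 1: escape the whole post. After this no user-supplied '<', '>' or
    // quote character exists, but the [ ] = / BBCode markers are untouched.
    $escaped = htmlspecialchars($bbcode, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2: turn only well-formed [wrap=left|right]...[/wrap] pairs into fixed
    // markup. The option is restricted to a closed set inside the pattern, so
    // an unknown option (e.g. [wrap=x]) simply stays visible as literal text.
    return preg_replace_callback(
        '/\[wrap=(left|right)\](.*?)\[\/wrap\]/is',
        function (array $m): string {
            return '<div style="float:' . strtolower($m[1]) . '">' . $m[2] . '</div>';
        },
        $escaped
    );
}

// Demonstration: the same hostile fragment placed inside a [wrap] tag.
$post = '[wrap=left]' . $userHtml . '[/wrap] Text that flows beside the float.';

echo "strip_tags with exceptions still has an event handler: ";
echo containsInlineEventHandler($filtered) ? "yes\n" : "no\n";

$rendered = renderWrapBbcode($post);
echo "BBCode rendering has an event handler: ";
echo containsInlineEventHandler($rendered) ? "yes\n" : "no\n";
echo $rendered, "\n";
```

Running it prints "yes" for the strip_tags output and "no" for the BBCode rendering: the `<b onmouseover=...>` text appears inside the float only as escaped entities, while the float itself is the one piece of markup the board chose to emit. The design point is the order of operations: escape first, then add markup from a closed set of templates, so there is no path from user input to an attribute or tag name.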
 

Peggy

Well-known member
#16
No problem, although I'm not sure how BB Code is created in XenForo, or even if it's possible to do it via the ACP.

I'm more than happy to post all the actual BB Code and corresponding HTML replacement code though.
I'm not sure either, but I'm pretty sure we can use it in the pages feature. At least I hope so!
 
#17
strip_tags with exceptions isn't good (personally) because in exceptions, javascript events can be utilised inline!
That's a completely different case of a script being f*cked up beyond all recognition or repair. It can only be done in certain cases, and if a developer isn't aware of the certain cases - they should be careful about cross-threading HTML allowance and denials.