Won't fix vB4 Import: Signature permission "Allow images" not followed

[Steffen]

Affected version

2.0.2

vBulletin allows saving a signature with BBCode even if its usage is forbidden. The [IMG] BBCode will just be ignored later on while rendering the signature.

XenForo automatically removes [IMG] BBCode while saving a signature. It does not seem to check whether [IMG] BBCode is allowed while rendering the signature (the renderer seems to accept whatever was saved).

The resulting problem is that users imported from vB4 can have a signature with [IMG] BBCode (which actually gets rendered) although its usage is forbidden.

The importer should automatically remove [IMG] BBCode from signatures if its usage is forbidden. Or the renderer should check the permissions.

PS: Maybe this affects other BBCodes, too?

 

[Chris D]

I actually disagree that we should make any changes here.

The not checking permissions in the renderer is a significant decision, mostly focused around performance -- we don't want to be doing that amount of processing for the same content that appears frequently on many pages. As is typical with a lot of things in XF, we prefer to do heavier lifting at save time, rather than run time.

Similarly, I don't think we should do that level of additional work in the importer, either.

So unfortunately this is going to have to be a post import thing that tidies itself up over time. One way to handle it would be to just remove all user signatures using the Batch update users tool. Another way would be to hide images using CSS. Finally another way would be to use a script to remove the signatures. Potentially you could even modify the "Post content find/replace" add-on to actually work on the signature field in profiles rather than the message field in posts.