
Was the "Edit source" button removed by configuration?


MXXIV


In the old version of the forums, one could edit the post source code by clicking the on/off button. This button is now gone. I am asking whether it was configured by forum admins or if it was simply removed in the new version.

Of course, I can still hack any code in using Firebug (XSS style), but it's a bit tedious.


It looks like the source button now just equates to being a way to input raw HTML, which means I would have to enable HTML input for members. Unfortunately it looks like they don't actually parse it on input, so would allow users to do some malicious things. That kind of sucks. Looks like it will have to stay disabled for the time being.


Sorry, but this isn't how it works... Of course they check it. And of course, users who want to do malicious stuff don't need your permission. I can edit the HTML in the text field using Firebug, but it's tedious compared to the natural UI.

Forums like this use complex (white-list based) scripts to purify user input from malicious HTML tags and attributes.

Just a few examples of what I can do without your permission:

  1. Change font family
  2. Use true type (eg. for code)
  3. Change image title

Those all are useful and normally forums allow them by default.

I tested and I can't:

  • Change class or id attribute (so no anchors)
  • Obviously, insert <script> or <style> tag


14 minutes ago, MXXIV said:

Sorry, but this isn't how it works... Of course they check it. And of course, users who want to do malicious stuff don't need your permission. I can edit the HTML in the text field using Firebug, but it's tedious compared to the natural UI.

Forums like this use complex (white-list based) scripts to purify user input from malicious HTML tags and attributes.

Just a few examples of what I can do without your permission:

  1. Change font family
  2. Use true type (eg. for code)
  3. Change image title

Those all are useful and normally forums allow them by default.

I tested and I can't:

  • Change class or id attribute (so no anchors)
  • Obviously, insert <script> or <style> tag

First off, no, I'm not ignorant. Yes, I am aware that the editor parses the input of the comment box when it is submitted to make sure nothing gets through that shouldn't, such as <script> tags and the like. Sure, you can edit the HTML in Firebug (though you could also just do that through Firefox's or Chrome's dev tools), but it doesn't matter. In the end the same method of verification is used on the input to scan it for malicious intent, so while you can edit it, the input is still parsed by the server before being sent to the database or displayed.

Editing HTML for input is nothing new; this isn't some grand new discovery. Whether it's by the editor or straight HTML into the form, it doesn't matter: the stuff still gets parsed to prevent malicious tags getting snuck into a post.

22 minutes ago, MXXIV said:

Just a few examples of what I can do without your permission:

  1. Change font family
  2. Use true type (eg. for code)
  3. Change image title

I would be more impressed if such things weren't supposed to be allowed by IP Board. Font options are possible if we put them in the editor, true type is already possible through the code button, and changing the image title actually had significant importance. Sure you can do that, but why would I care that you can do that stuff? It's fluff, nothing malicious.

Next time, read what I'm actually trying to say:

6 hours ago, Connall said:

It looks like the source button now just equates to being a way to input raw HTML

What this means is that the Source button (in IP Board's infinite wisdom) bypasses such checks for users inputting HTML and allows FULL ACCESS to everything. It didn't in IP Board 3.x, but it does now.

Script tags? No longer parsed, they just work. I know, because I tested it. Which means the damage someone could do would be disastrous if we opened up the button. So no, I won't be opening them up.

On a final note, you need to change your attitude, I'm getting tired of you talking down to everyone around you as if you're a grand arbiter of the forums, my limited time of seeing your discourse with other people has been rather poor.

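The two posts above describe two different things: MXXIV's point that the normal editor path runs a whitelist-based purifier (font styling and image titles pass; class, id, script and style do not), and Connall's point that the Source button feeds raw HTML past that purifier. The following is an added example, not code from this thread or from IP Board, that models both: a small allowlist sanitizer built on Python's standard-library HTMLParser, and a `store_post` function with an assumed `raw_html_allowed` flag standing in for the Source path. The allowlists, the sample post and all function names are assumptions chosen to mirror what the thread reports.

```python
# Added example (not IP Board's own code): a whitelist-based HTML sanitizer
# of the kind MXXIV describes, plus the two input paths Connall contrasts.
from html import escape
from html.parser import HTMLParser

# Allowlists are assumptions chosen to mirror the thread: font styling and
# image titles pass, class/id/script/style do not.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "span", "pre",
                "code", "a", "img", "ul", "ol", "li", "blockquote"}
VOID_TAGS = {"br", "img"}
ALLOWED_ATTRS = {
    "a": {"href", "title"},
    "img": {"src", "alt", "title", "width", "height"},
    "span": {"style"},
    "p": {"style"},
}
ALLOWED_STYLE_PROPS = {"font-family", "font-size", "color", "text-align"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
SAFE_URL_PREFIXES = ("http://", "https://", "/")


class WhitelistSanitizer(HTMLParser):
    """Re-serialises input keeping only allowlisted tags, attributes and CSS
    properties; everything else is dropped and recorded in self.stripped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stripped = []
        self.drop_depth = 0  # > 0 while inside script/style/iframe: swallow content

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            if tag in DROP_WITH_CONTENT:
                self.drop_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.drop_depth += 1
            self.stripped.append(f"tag:{tag}")
            return
        if tag not in ALLOWED_TAGS:
            self.stripped.append(f"tag:{tag}")  # tag removed, its text survives
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.stripped.append(f"attr:{tag}@{name}")
                continue
            if name in ("href", "src") and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                self.stripped.append(f"url:{tag}@{name}")  # e.g. javascript: URLs
                continue
            if name == "style":
                value = self._filter_style(value)
                if not value:
                    continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag in DROP_WITH_CONTENT:
                self.drop_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))  # re-escape decoded text

    def _filter_style(self, value):
        kept = []
        for decl in value.split(";"):
            if ":" not in decl:
                continue
            prop, val = (part.strip() for part in decl.split(":", 1))
            # only listed properties; no url()/expression(), no markup characters
            if prop.lower() in ALLOWED_STYLE_PROPS and not any(c in val for c in "()<>\\"):
                kept.append(f"{prop.lower()}: {val}")
            else:
                self.stripped.append(f"css:{prop}")
        return "; ".join(kept)


def sanitize(html):
    """Return (clean_html, list_of_stripped_items)."""
    parser = WhitelistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.stripped


def store_post(body, raw_html_allowed=False):
    """The two paths the thread contrasts: the editor path runs the sanitizer;
    a Source path that accepts raw HTML (as Connall reports) stores the body
    untouched, so a <script> tag survives."""
    return body if raw_html_allowed else sanitize(body)[0]


# Constructed sample post: the harmless edits MXXIV lists, mixed with the
# things the whitelist must reject.
SAMPLE_POST = (
    '<p style="font-family: Courier New; position: absolute">hi</p>'
    '<span class="x" id="anchor1" style="font-family: monospace">code</span>'
    '<img src="/uploads/photo.jpg" title="renamed" onerror="alert(1)">'
    '<script>alert(document.cookie)</script>'
    '<a href="javascript:alert(1)" title="t">link</a>'
)

if __name__ == "__main__":
    clean, removed = sanitize(SAMPLE_POST)
    print(clean)
    print("stripped:", removed)
    print("raw path keeps script:", "<script>" in store_post(SAMPLE_POST, raw_html_allowed=True))
```

Run as a script it prints the cleaned post (font-family and the image title kept; class, id, onerror, the javascript: href, the script element and the position property gone) and the audit list of what was removed, then shows that the raw path returns the script tag intact. The audit list is the practitioner's check: if it is empty on a test post like this one, the sanitizer is not running on that input path.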

I just misunderstood. No reason to rage about it. When you said editing raw HTML, it really wasn't clear whether you meant client side or server side too.

I don't think you should rage just if someone misunderstands your post which actually lacks all the information. Specifically all this wasn't clear:

5 minutes ago, Connall said:

What this means is that the Source button (in IP Boards infinite wisdom) bypasses such checks for users inputting HTML and allows FULL ACCESS to everything. It didn't in IP Board 3.x but it does now.

If you said that the first time I'd just thank you and wouldn't talk about this further...


24 minutes ago, Connall said:


On a final note, you need to change your attitude, I'm getting tired of you talking down to everyone around you as if you're a grand arbiter of the forums, my limited time of seeing your discourse with other people has been rather poor.

Take note. Our forum rules are still the same.

I'll let that be the end of the thread.


  • nasKo locked this topic


This topic is now archived and is closed to further replies.
