David on 3/1/2007 at 07:50
There's an interesting looking addon for the forum software that may work, but it will take a little while to test and alter our forum setup to see if it can be of any use. I shall try and take a look at this at the weekend.
Can you survive until then? :p
Turtle on 3/1/2007 at 17:14
I'll..
I'll try.
ZylonBane on 4/1/2007 at 15:59
While disabling HTML makes a lot of sense (having participated in some threads where it was abused horribly), what's the reasoning for disabling character entities? Or is the forum software just set up so disabling one automatically disables the other?
Stitch on 4/1/2007 at 16:21
My main gripe with disabling HTML is it suddenly screws up the formatting of posts that were written in a format considered valid for seven years. For those of us who have always found it easiest to simply type in the proper HTML tags, this is no small change.
The preservation of HTML formatting on last week's posts should certainly rank lower than security concerns, but giving the justification that "[David] feel it's pretty silly to keep it on" just makes the decision seem half-cocked.
Turtle on 4/1/2007 at 18:28
I was searching through random pages 78-99 this morning, and they definitely need some help if they won't have HTML.
Are there plans to fix posts, or will they remain broken?
David on 4/1/2007 at 18:30
It was prompted by an attempt to steal cookies I had seen on another forum I frequent that has HTML enabled. The cookies can then be used to log into the forum they were stolen from.
It used a flaw in IE6 (may exist in 7, I have no idea) involving the way it parsed certain non-visible characters which could allow arbitrary JavaScript to be executed.
Whilst most of the elements allowing the attack to happen were probably already taken care of by the forum software or the censor, it's not something I was willing to risk.
I felt turning it off was an acceptable solution given the extremely low amount of posts that are made containing HTML and the fact I had actually seen an attack in the wild and not on a security listing site.
I would rather have several users unhappy that they could no longer post in HTML than have any user accounts compromised and would rather be accused of overreacting than under-reacting where security of the forums is concerned.
As I have already said I am looking at a solution that will keep everyone happy, and if there was an option to parse HTML in older posts then that would already be turned on, but there isn't.
Briareos H on 5/1/2007 at 04:46
Quote Posted by Stitch
My main gripe with disabling HTML is it suddenly screws up the formatting of posts that were written in a format considered valid for seven years. For those of us who have always found it easiest to simply type in the proper HTML tags, this is no small change.
Like this (http://www.ttlg.com/forums/showthread.php?t=106781). Ouch.
Nameless Voice on 5/1/2007 at 11:32
Ouch indeed.
I've already found myself editing ancient posts by myself that I've come across in the last few days, replacing garbled HTML code with vB code...
I suggest that the admin go through at least all the sticky threads in the various forums and edit them to replace the HTML with vB code...
Mortal Monkey on 5/1/2007 at 18:27
Speaking of which, I found a bug with the advanced search:
Inline Image: http://img307.imageshack.us/img307/1636/searchbuggj0.png
If you try to Find Posts by User and specify Search Titles Only, you will only get the threads started by User Name, not posts.