Tooltip Pinhole

[Chris]

How to submit a proper bug report.

Patrick Clinger ProBoards Admin hi Posts: 17,754 Member is Online

Post by Patrick Clinger With each bug report, please include the following information: 1) The URL to the page you are on when the bug occurred. 2) What happened, in detail? 3) What do you think should have happened instead? 4) Can you reproduce this on every pageview? 5) What browser, version, and operating system are you using? 6) Please attach a screen shot (JPG or PNG -- not GIF or BMP) if it is relevant

Follow ProBoards on Twitter!

1. Url: /admin/plugins/settings/8#settings-ui-page-1-tab
   
2. Altough the tooltip plugin is being fed sanitized (html_escape) content to guard against injection this is not the case for tooltips in auto-forms. I can insert script tags in there to run code on the settings page (see image below)
   
3. Tooltips in auto-forms should also be sanitized. The code in question resides in the autoform render method
   
   // add the help caption if it exists
if (typeof field.description != 'undefined' && field.description != '')
description = $('<img class="help-icon" src="http://images.proboards.com/v5/admin/pbhelpicon.png">').attr('title', field.description).tipTip();
   
   in contrast...
   
   // add the help caption if it exists
if (typeof field.description != 'undefined' && field.description != '')
description = $('<img class="help-icon" src="http://images.proboards.com/v5/admin/pbhelpicon.png">').attr('title', proboards.escape_html(field.description)).tipTip();
   Note, this bug actually fulfills my deep desire to be able to run some kind of code on the settings page but I cannot rely on it since it will most likely be patched.
   
4. yes
5. Firefox 16.0.2 @ Windows Vista SP2
   
6. Pay no attention to the intent of the dialog since recently posted comments by PBS staff have made it effectively illegal
   The point is a plugin can execute code where it was obviously not meant.
   
   
   

[VS Admin]

Thanks for the report, our devs will look into this right away.

[Chris]

Not a problem ...

To be clearer:

1. during the creation of an autoform field add a fully formed script in the description
   example: "Fill-in your whatever that I don't really care about<script>alert('Hello Plugin Setup!');</script>"
   
   
2. Make the field cryptic enough so user has to hover over to get a better idea of what is expected here
   
   
3. script activates circumventing implied promise of admin panel being a third-party-script-free trustable zone.


if (typeof I.description != "undefined" && I.description != "") {
K = $('<img class="help-icon" src="http://images.proboards.com/v5/admin/pbhelpicon.png">').attr("title", I.description).tipTip()
}



If the decision to NOT patch was made then it would help knowing so this "feature" could be put to good use (e.g. modifying the setup to one's taste)

• Richer Setting UI Suggestions (that don't belong in this thread)
  
  • onBeforeSetup - custom event that allows a plugin to add default values if none present, check for additional required libraries, etc.
  • onSetupFieldChange - custom event to implement more complex conditional field validations with context-sensitive guidance tips as well as ability to hide/show fields based on relevance to choice just made
  • onAfterSetup - opportunity to validate final choices, alert to further actions that may need to be taken (e.g. - actions that would be considered unsanctioned AJAX calls if not sent from native page even when user action was explicitly required to initiate)