Post by RedBassett on Jul 15, 2013 16:09:27 GMT -8
So it would be fine for me to do this? As long as only certain people were allowed to do it? Are you asking from a security standpoint? I haven't looked at iFrames in a long time, and I would need to brush up on webpage within webpage security, XSS, etc. to know, but Wormopolis, Todge, Peter, and Chris might have some insight into this.
Post by Texas on Jul 15, 2013 16:26:25 GMT -8
I'm not positive I want to, but it would be something I might want to do...I don't want to write it up for no reason though...
Post by Wormopolis on Jul 15, 2013 16:37:33 GMT -8
I won't touch a code like this because of the security issues.
Post by Peter on Jul 15, 2013 16:56:42 GMT -8
Not going to post too much about this stuff, as there are already useful resources out there. So I'll go over it briefly.
iframes respect the cross domain policy, so not too much worry there, though that depends on how you build the iframe (read below).
HTML in posts isn't difficult to be honest, you just need to be strict on what is allowed. You need to expect that users are going to try and break your parser. ProBoards already does a good job, so most of the work is done for you if you think about it, but you need to be careful when parsing the HTML, from attribute injection, malformed HTML, to browser specific vectors (i.e. character encoding).
Unfortunately even the experienced coders don't always get it right, as I've found from trying a few plugins from the library and finding simple XSS vectors. So I suggest if you do try, ask some of us here to look at it before you release it as a fully working plugin.
A lot of software out there now will set the cookies to httpOnly (I assume ProBoards does as well), so cookie stealing is a lot harder than it used to be.
XSS is a big issue in software these days, so I would highly suggest reading up on it if you aren't familiar.
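
An added example, not part of Peter's post and not code from ProBoards or any plugin: one way to be "strict on what is allowed" when a post may embed a frame. The `[iframe]URL[/iframe]` tag syntax, the host allowlist and all function names are assumptions made for illustration.

```javascript
// Added example: names, tag syntax and host list are hypothetical.
const ALLOWED_HOSTS = new Set(["www.youtube.com", "player.vimeo.com"]); // constructed allowlist

// Escape every character that can end a text node or a quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Return a normalized https URL on an allowlisted host, or null.
function safeFrameUrl(raw) {
  // URL parsers strip tabs and newlines, so refuse input that contains
  // whitespace or control characters instead of normalizing it.
  if (typeof raw !== "string" || /[\u0000-\u0020\u007f]/.test(raw)) return null;
  let url;
  try {
    url = new URL(raw); // absolute URLs only; relative input throws
  } catch (err) {
    return null;
  }
  if (url.protocol !== "https:") return null;        // no javascript:, data:, http:
  if (url.username || url.password) return null;     // no user@host confusion
  if (!ALLOWED_HOSTS.has(url.hostname)) return null; // exact match, not substring
  return url.href;
}

// Render a post: all user text is escaped, only validated frames become markup.
function renderPost(text) {
  const tag = /\[iframe\]([\s\S]*?)\[\/iframe\]/gi;
  let out = "";
  let last = 0;
  let m;
  while ((m = tag.exec(text)) !== null) {
    out += escapeHtml(text.slice(last, m.index));
    const href = safeFrameUrl(m[1]);
    // sandbox without allow-top-navigation/allow-popups keeps the frame from
    // redirecting the forum page or opening windows.
    out += href
      ? '<iframe src="' + escapeHtml(href) + '" sandbox="allow-scripts"></iframe>'
      : escapeHtml(m[0]); // rejected tags stay visible as inert text
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}
```

Rejected tags are shown as escaped text rather than silently dropped, so a moderator can see what was attempted.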
Post by Todge on Jul 15, 2013 17:06:38 GMT -8
All I know is....
A while back I added a code to the database that allowed iFrames, which was subsequently removed and I was asked not to create codes that allowed members to post iFrames or code in the future for security reasons, though there were a couple of codes released later on that DID allow limited HTML in posts.
Since then I personally will not touch a code that allows either.
Post by Texas on Jul 15, 2013 18:02:23 GMT -8
Well, it looks like this is above and beyond my realm of capabilities.
Post by Bunnie on Dec 12, 2013 14:39:24 GMT -8
I'm in need of this too for using iFrames. Admin only will do fine.
Post by aRMY83 on Dec 12, 2013 14:49:46 GMT -8
Post by koravichandrashekhar on Mar 9, 2014 12:22:34 GMT -8
Okies, I have downloaded the plugin, but how to enable it???
Post by Wormopolis on Mar 9, 2014 14:48:07 GMT -8
Support for a plugin found only on IOD is better to come from IOD themselves. Reply to the thread given above and Pebble or RAD will be able to help you with it.