#1
Site security issues?
Archive: 23 posts
I just noticed from a recent thread that JavaScript can be embedded plainly into forum posts: https://lbpcentral.lbp-hub.com/index.php?t=30501 This particular script seems harmless at first glance, but I am wondering if this is normal and whether or not this could lead to security issues with the site? | 2010-07-15 20:03:00 Author: Gilgamesh Posts: 2536 |
Well, yes, certain scripts can be used to execute exploits in the system, but the chances of that happening here are slim. IMO, there is absolutely nothing to worry about. Disabling HTML would only bring down the ability to do rly cool and fun things. Considering that most scripts are load friendly, they allow users great abilities to express themselves and add rly cool stuff to threads. Don't disable HTML or I'll be mad | 2010-07-15 20:09:00 Author: Enlong3 Posts: 357 |
Oh really? Let's test it out... EDIT: Didn't work for me... Does it work? EDIT2: I'm probably being stupid and did the wrong thing though... | 2010-07-15 20:15:00 Author: Doopz Posts: 5592 |
oh no...the site has security issues? ): | 2010-07-15 20:18:00 Author: lightningbug1 Posts: 515 |
Calm down folks, there are no security issues with the site. Sometimes people just have a hard time telling a harmless script from a malicious script. It's cool tho. | 2010-07-15 20:20:00 Author: Enlong3 Posts: 357 |
"Calm down folks, there are no security issues with the site. Sometimes people just have a hard time telling a harmless script from a malicious script. It's cool tho." But if it's possible to insert a harmless script, what's stopping you from doing the same with a harmful one? | 2010-07-15 20:44:00 Author: resistance1 Posts: 812 |
"But if it's possible to insert a harmless script, what's stopping you from doing the same with a harmful one?" Morals my friend. | 2010-07-15 20:46:00 Author: Enlong3 Posts: 357 |
"Morals my friend." Which not everyone has... hence erring on the side of caution. | 2010-07-16 03:06:00 Author: comphermc Posts: 5338 |
Actually, you should probably get that fixed. Sites with not-so-great security have recently been getting hacked. YouTube for example, and a not so well known machinima site. | 2010-07-16 04:09:00 Author: Testudini Posts: 3262 |
No, no. The HTML stays. We wouldn't want to even further restrict the capabilities of this great website. | 2010-07-16 04:16:00 Author: Enlong3 Posts: 357 |
I actually think it's kinda cool. And my anti-virus program isn't going berserk. It like, scans every page I go on for malicious viruses. Malicious viruses. So it's cool. :SH: | 2010-07-16 04:28:00 Author: ThePineapplizer Posts: 769 |
Finally, somebody with sense. Getting rid of HTML would only limit the creativity and inspiration of users. We wouldn't want to do that to the users, right? | 2010-07-16 04:32:00 Author: Enlong3 Posts: 357 |
"Finally, somebody with sense. Getting rid of HTML would only limit the creativity and inspiration of users. We wouldn't want to do that to the users, right?" Well, that's quite a silly assessment. HTML is not going to limit the creativity and inspiration of users, because HTML use is not where those things come from. In fact, most people 'round here wouldn't even notice if it were gone. There are very few advantages within the context of how people use our site... but that said, nothing has happened yet. We are merely looking into it. | 2010-07-16 12:55:00 Author: comphermc Posts: 5338 |
"Well, that's quite a silly assessment. HTML is not going to limit the creativity and inspiration of users, because HTML use is not where those things come from. In fact, most people 'round here wouldn't even notice if it were gone. There are very few advantages within the context of how people use our site... but that said, nothing has happened yet. We are merely looking into it." I can only begin to explain the unlimited capabilities of HTML. Many people don't realize the importance of HTML. They don't understand what good it can bring. There is so much that can be added to aid a thread through HTML. When people learn how to utilize it properly, it is an open door to unlimited possibilities. This is where creativity and inspiration thrive. What users can do with it can be quite outstanding. Let's say MM decided to disable all the creating tools in LBP because they were afraid people would use it to create inappropriate content. This severely limits the capabilities of users. They can't express themselves or churn out any inspirational works because of the severe limitations in creativity. Most users that are unaware of this wonderful code are just holding back great potential. We need to unlock that potential and allow users to express themselves openly. It is the only "fair" thing to do. So with that said, I petition to have all forums support HTML and unlock the users' true potential. Thank you! | 2010-07-16 17:44:00 Author: Enlong3 Posts: 357 |
Right now it doesn't matter about the creativity, it matters about security. LBP runs into some great glitches in the game all the time, they can be fun to use and implement into levels. Mm would support the glitches, but if the glitch causes any serious problems, it has to be removed. No matter how good it is... The same goes with HTML, while it may be great, it can't be a potential break to security. | 2010-07-16 18:03:00 Author: warlord_evil Posts: 4193 |
The rewards of HTML clearly outweigh any negatives of it. Security is easily enforceable. MM would never think of getting rid of the layer glitch even if it could be used for bad. The possibilities of it are just too great to limit on users. | 2010-07-16 18:08:00 Author: Enlong3 Posts: 357 |
I can assure you that you would not notice the absence of HTML. In fact, most forums have HTML disabled... including this one. "The rewards of HTML clearly outweigh any negatives of it." Statements like this are empty unless you provide any proof or evidence. I can say that never creating levels again is clearly the most creative thing any of us can do, but that doesn't make that statement accurate. | 2010-07-16 18:29:00 Author: comphermc Posts: 5338 |
This is actually a weird security hole that appeared in vB 4.0 - in previous versions, we had a per-usergroup setting that took priority over the forum's setting, disallowing any HTML from anyone except site staff. However, since the move to 4.0, any user could potentially post HTML in any forum with that setting set to "yes". I've just patched that hole by adding a custom setting that disallows HTML from all except staff again. You'll notice that if you visit the thread that is linked in the first post, the HTML/JavaScript bits are now not parsed by vBulletin. Enlong3 (and anyone else who liked HTML): A sad fact of the world is that you can't trust everyone with power. Some will abuse it. It has always been our policy to disallow HTML for everyone - I'm sorry you got used to using it, but that doesn't change the fact that we didn't intend for you to do so. | 2010-07-17 22:07:00 Author: ConfusedCartman Posts: 3729 |
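An added sketch of the rule described in the post above (not vBulletin code and not part of the thread): HTML is rendered only when the forum switch is on and the author is in a staff usergroup, otherwise the body is escaped and shown as text. The usergroup names, the `Post` record and the sample posts are constructed for illustration; `needs_review` lists the non-staff posts that carried live markup under the forum-only rule.

```python
import html
import re
from dataclasses import dataclass

STAFF_GROUPS = {"admin", "moderator"}            # hypothetical usergroup names
MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")  # anything shaped like a tag

@dataclass
class Post:
    post_id: int
    author_group: str
    forum_allows_html: bool
    body: str

def allowed_forum_only(post: Post) -> bool:
    # Behaviour described for 4.0: the forum switch alone decides.
    return post.forum_allows_html

def allowed_patched(post: Post) -> bool:
    # Patched behaviour: the usergroup gate takes priority over the forum switch.
    return post.forum_allows_html and post.author_group in STAFF_GROUPS

def render(post: Post, policy) -> str:
    # Markup passes through only when the policy trusts the author;
    # otherwise every metacharacter is escaped and appears as plain text.
    return post.body if policy(post) else html.escape(post.body, quote=True)

def needs_review(posts):
    # Posts that rendered live markup under the old rule but come from
    # non-staff authors: the set to inspect after tightening the setting.
    return [p.post_id for p in posts
            if allowed_forum_only(p) and not allowed_patched(p)
            and MARKUP.search(p.body)]

# Constructed sample posts, not taken from the forum.
POSTS = [
    Post(1, "member", True, "<script>document.title = 'hi'</script>"),
    Post(2, "moderator", True, "<b>Forum notice</b>"),
    Post(3, "member", True, "plain text, 2 < 3"),
    Post(4, "member", False, "<i>html disabled here</i>"),
]

if __name__ == "__main__":
    for p in POSTS:
        print(p.post_id, render(p, allowed_forum_only), "->", render(p, allowed_patched))
    print("review:", needs_review(POSTS))
```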
oh well, it was fun while it lasted. It's kinda funny how all the HTML settings in VB are regarded as "strongly not recommended" LOL | 2010-07-17 22:35:00 Author: Enlong3 Posts: 357 |
EDIT: Never mind. | 2010-07-17 22:37:00 Author: warlord_evil Posts: 4193 |
"I've just patched that hole by adding a custom setting that disallows HTML from all except staff again." You sure you didn't disallow it for all, staff included? Because... https://lbpcentral.lbp-hub.com/index.php?t=22286-LBPC-The-Game-official-trailer-released [Fixed] | 2010-07-19 18:15:00 Author: Doopz Posts: 5592 |
xD I must say, that's made my week. Even better if they can't figure out how to fix it without giving it back to everyone. Though, I doubt we'd be that lucky. | 2010-07-19 18:46:00 Author: Voltergeist Posts: 1702 |
Nope, it works. <object width="480" height="295"><param name="movie" value="http://www.youtube.com/v/Cg9LsbDRghA&hl=en_US&fs=1&"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/Cg9LsbDRghA&hl=en_US&fs=1&" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="295"></embed></object> I just had to hit Edit > Save and it fixed itself. | 2010-07-19 21:27:00 Author: comphermc Posts: 5338 |
LBPCentral Archive Statistics
Posts: 1077139
Threads: 69970
Members: 9661
Archive-Date: 2019-01-19
Privacy
All personal data such as name, address, email, etc., as well as all content such as private messages, has been removed from the archive.
This website is used without storing any personal data. No cookies, logs, third-party plugins, etc. are used.