Forum Moderators: phranque
It's a message board. And in the help section under "Posting" it says this:
"For obvious reasons standard HTML code cannot be used in posts. Instead we allow the use of Forum Formatting Code [FFC] in posts. FFC is similar to HTML, but safe and standardized for use on the forums."
What is this FFC? I see it has tags just like HTML. In fact, I tried to type them in this post as an example of what they look like, but they don't display as text; they work just like HTML, so I'd have to use other tags that would allow me to display the tags without them being executed.
What does he mean by "For obvious reasons..."? What's dangerous about using HTML in a forum post?
There are many. For one, try this:
<img src="icon.gif" onLoad="window.open('http://my_spam_site.html')">
And that's just a mild one. A troublemaker can paste all kinds of nasty objects into a post to take over the thread/forum.
By allowing only input with [] to be interpreted as user html and REMOVING everything else with <>, you disarm a large portion of the access. Also, on the server side you compare everything you find in [] against an APPROVED tag list so when it's input, it removes an attack like
[img src="icon.gif" onLoad="window.open('http://my_spam_site.html')"]
It gets worse. With incorrectly set up database programming, you can add things to an SQL statement. If you can do the detective work and figure out what a member database table is named and what field is used to reference the record ID, you can destroy the database.
For example, on an "auto-mail me my password" system, if I enter my email address - I get my password. But **if** the programming doesn't cleanse the data and restrict the select statement, you can turn
select password from database where email='my email'
into
select password from database where email='my_email' or email <> 'my_email'
(<> being "not equal to")
Every single form object where the user can enter data is prone to this kind of stuff.
:-)
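To make the approved-tag idea above concrete, here is a small added example (not code from the forum software or from either poster) of an FFC renderer: every raw < and > is escaped first, and only a fixed set of [] tags is converted, each with a fixed shape, so the [img src="..." onLoad="..."] attack quoted above never reaches the browser as markup. Tag set, URL pattern and function names are my own assumptions.

```python
import html
import re

# Only plain http(s) URLs may be placed into src/href; anything else
# (javascript:, data:, quotes, spaces) fails this check.  Assumed policy.
SAFE_URL = re.compile(r"^https?://[\w.\-/%?=&;#+~:@]*$")


def _img(m: re.Match) -> str:
    """[img]URL[/img] -> <img> with a fixed attribute list, or leave literal text."""
    src = m.group(1)
    if SAFE_URL.match(src):
        return f'<img src="{src}" alt="">'
    return m.group(0)  # not an approved URL: keep the escaped text, emit no tag


def _url(m: re.Match) -> str:
    """[url=URL]text[/url] -> <a>, again with attributes we choose, not the user."""
    href, label = m.group(1), m.group(2)
    if SAFE_URL.match(href):
        return f'<a href="{href}" rel="nofollow">{label}</a>'
    return m.group(0)


def render_ffc(text: str) -> str:
    """Render a post: escape all HTML, then convert only approved FFC tags."""
    # Step 1: every <, >, &, " and ' becomes an entity, so user-typed HTML
    # (e.g. <img ... onLoad=...>) is displayed as text, never executed.
    out = html.escape(text, quote=True)
    # Step 2: approved tags.  Each pattern fixes the tag's exact shape, so
    # [img src="x" onLoad="..."] matches nothing and stays as literal text.
    out = re.sub(r"\[b\](.*?)\[/b\]", r"<b>\1</b>", out, flags=re.S)
    out = re.sub(r"\[i\](.*?)\[/i\]", r"<i>\1</i>", out, flags=re.S)
    out = re.sub(r"\[img\](.*?)\[/img\]", _img, out, flags=re.S)
    out = re.sub(r"\[url=(.*?)\](.*?)\[/url\]", _url, out, flags=re.S)
    return out


if __name__ == "__main__":
    # Constructed sample posts: the attack strings from the thread plus a benign one.
    for post in ('<img src="icon.gif" onLoad="window.open(\'http://my_spam_site.html\')">',
                 '[img src="icon.gif" onLoad="window.open(\'http://my_spam_site.html\')"]',
                 '[b]see[/b] [img]http://example.com/icon.gif[/img]'):
        print(render_ffc(post))
```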