Does the signature field actually allow HTML?


Mootoo
Veteran

Joined: 1 Oct 2010
Gender: Male
Posts: 1,942
Location: over the rainbow

10 Dec 2013, 2:54 am

When I edit my profile it says "Type your signature with HTML coding"... but when I use HTML it is rendered bare... unprocessed.



Shatbat
Veteran

Joined: 19 Feb 2012
Age: 31
Gender: Male
Posts: 5,791
Location: Where two great rivers meet

10 Dec 2013, 3:10 am

I was going to suggest experimenting. But you said it yourself it renders it bare. In that case, well it renders it bare and you answered your own question.

I know there are ways to modify custom rank and screw up WP, but I don't know the specifics. Once I know more about web coding I shall try it lol, although only temporarily just to see if I can


_________________
To build may have to be the slow and laborious task of years. To destroy can be the thoughtless act of a single day. - Winston Churchill


Cornflake
Administrator

Joined: 30 Oct 2010
Gender: Male
Posts: 69,356
Location: Over there

10 Dec 2013, 6:10 am

It doesn't allow HTML - the documentation is out of date and probably refers to the original phpBB codebase. Only plain ASCII and emoticons from the basic site set are allowed.

Shatbat wrote:
Once I know more about web coding I shall try it lol, although only temporarily just to see if I can
:shameonyou:
We can also prevent members from setting a custom rank... :wink:


_________________
Giraffe: a ruminant with a view.
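
As an added illustration (not the forum's own code) of the behaviour Cornflake describes: the stored signature is HTML-escaped as a whole so that any tags the member typed reach the browser as literal text, and only emoticon codes from a fixed set are turned into markup that the server builds itself. The emoticon list, the image directory and the length limit are assumptions made for the example.

```python
import html
import re

# Constructed stand-in for "the basic site set" of emoticons; the real
# forum's list and image paths are not on the page.
EMOTICONS = {
    ":wink:": "icon_wink.gif",
    ":lol:": "icon_lol.gif",
    ":twisted:": "icon_twisted.gif",
    ":shameonyou:": "icon_shameonyou.gif",
}
EMOTICON_RE = re.compile("|".join(re.escape(code) for code in EMOTICONS))
SMILIE_DIR = "/images/smilies/"  # assumed path
MAX_LENGTH = 255                  # assumed limit


def validate_signature(raw: str) -> list:
    """Return the reasons a signature would be rejected (empty list = accepted).
    'Plain ASCII only' is the rule stated in the thread; the length cap is assumed."""
    problems = []
    if not raw.isascii():
        problems.append("non-ASCII characters are not allowed")
    if len(raw) > MAX_LENGTH:
        problems.append("signature longer than %d characters" % MAX_LENGTH)
    return problems


def render_signature(raw: str) -> str:
    """Render a stored signature for display.

    1. Escape the whole string first, so every '<', '>', '&' and quote the
       member typed is shown literally (the "rendered bare" behaviour from
       the first post).
    2. Only then replace whitelisted emoticon codes with <img> tags assembled
       from server-side constants; no member-controlled text is ever placed
       inside a tag or attribute unescaped.
    """
    escaped = html.escape(raw, quote=True)

    def to_img(match):
        code = match.group(0)
        return '<img src="%s%s" alt="%s">' % (SMILIE_DIR, EMOTICONS[code], code)

    return EMOTICON_RE.sub(to_img, escaped)


def foreign_tags_in(rendered: str) -> int:
    """Number of '<' in the rendered output that the renderer did not emit
    itself as an emoticon <img>; a correct renderer always returns 0."""
    return rendered.count("<") - rendered.count("<img ")
```

Because escaping happens before emoticon substitution, a code such as `:wink:` survives the escape step (it contains no HTML-significant characters) while anything resembling a tag does not.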


Shatbat
Veteran

Joined: 19 Feb 2012
Age: 31
Gender: Male
Posts: 5,791
Location: Where two great rivers meet

10 Dec 2013, 9:55 pm

Once I know a huge lot more about web coding I will haxx0r WP, restore my custom rank and self-appoint myself admin :twisted:

Seriously though, do you mind if I try and reverse changes as soon as I find something? I am just that curious :lol: and it would be 10 seconds of disturbance tops. I did try injecting html and javascript but didn't get anywhere (although I only have the most basic knowledge of javascript, anyway)


_________________
To build may have to be the slow and laborious task of years. To destroy can be the thoughtless act of a single day. - Winston Churchill


sliqua-jcooter
Veteran

Joined: 25 Jan 2010
Age: 37
Gender: Male
Posts: 1,488
Location: Burke, Virginia, USA

11 Dec 2013, 2:40 am

Shatbat wrote:
Once I know a huge lot more about web coding I will haxx0r WP, restore my custom rank and self-appoint myself admin :twisted:


You're very much not going to like what happens after you do that.

Edit: BTW php, sql, js injection aren't going to work. If the app doesn't catch/sanitize it - other things will.


_________________
Nothing posted here should be construed as the opinion or position of my company, or an official position of WrongPlanet in any way, unless specifically mentioned.


bcousins
Veteran

Joined: 1 May 2011
Age: 29
Gender: Male
Posts: 809
Location: On a failed Tangara set at Blacktown

11 Dec 2013, 3:31 am

sliqua-jcooter wrote:
Shatbat wrote:
Once I know a huge lot more about web coding I will haxx0r WP, restore my custom rank and self-appoint myself admin :twisted:


You're very much not going to like what happens after you do that.

Edit: BTW php, sql, js injection aren't going to work. If the app doesn't catch/sanitize it - other things will.


Wait, you mean this site is actually secure, and not a wall about to collapse? In that case, keep it.

Though +1 to the not liking line.


_________________
Want another alternative to WrongPlanet?
https://aspergers.network/forums/ <- New Version Coming (hopefully) soon.


Shatbat
Veteran

Joined: 19 Feb 2012
Age: 31
Gender: Male
Posts: 5,791
Location: Where two great rivers meet

11 Dec 2013, 5:59 am

sliqua-jcooter wrote:
Shatbat wrote:
Once I know a huge lot more about web coding I will haxx0r WP, restore my custom rank and self-appoint myself admin :twisted:


You're very much not going to like what happens after you do that.

Edit: BTW php, sql, js injection aren't going to work. If the app doesn't catch/sanitize it - other things will.


"After I do that"? Does that mean it is actually possible to get away with it even for a little while? :P Yeah, I figured you'd be the one who would put a stop to such hijinks.

And I was not talking about taking over the site in the second paragraph btw, just about seeing what kind of custom rank modifies the layout of the actual site. And why.


_________________
To build may have to be the slow and laborious task of years. To destroy can be the thoughtless act of a single day. - Winston Churchill


sliqua-jcooter
Veteran

Joined: 25 Jan 2010
Age: 37
Gender: Male
Posts: 1,488
Location: Burke, Virginia, USA

11 Dec 2013, 8:44 am

Shatbat wrote:
Does that mean it is actually possible to get away with it even for a little while? :P


What you're really asking is if it's possible for this site to be hacked. The answer is yeah, it probably is. We've tried very hard to identify and plug security issues, and none of the common attack vectors (injection, xss, etc) are possible - but there's bound to be something we've missed.

Quote:
Yeah, I figured you'd be the one who would put a stop to such hijinks.


I take a "scorched earth" policy toward people who harm my customers' sites. But there has been at least one person who has given themselves admin/mod access to the site, although not maliciously.

Quote:
And I was not talking about taking over the site in the second paragraph btw, just about seeing what kind of custom rank modifies the layout of the actual site. And why.


I can't speak for Alex or the mods, but from my perspective, and the perspective of my company, I welcome people to test the security of the site/server(s) (or indeed any of our sites and/or servers) and let us know what you find. As long as you don't do anything to cause harm, you will be thanked for your help.


_________________
Nothing posted here should be construed as the opinion or position of my company, or an official position of WrongPlanet in any way, unless specifically mentioned.