Shortcodes and HTML in description
Quote from daron4ever on January 9, 2018, 4:36 pm
Hello,
I would like to use WordPress block shortcodes or an HTML <a> link tag in the description.
Any suggestion you might have?
Regards,
Quote from Asgaros on January 9, 2018, 5:04 pm
Hello daron4ever,
HTML code is automatically removed from the description for security reasons. Otherwise potential scripts could be used to read sensitive data from users. If you want to change this behavior, you have to manually edit the includes/forum.php file:
Change:
function showMainTitleAndDescription() {
    $mainTitle = $this->getMainTitle();
    echo '<h1 class="main-title">'.$mainTitle.'</h1>';
    if ($this->current_view === 'forum' && $this->options['show_description_in_forum'] && !empty($this->current_description)) {
        echo '<div class="main-description">'.esc_html(stripslashes($this->current_description)).'</div>';
    }
}
Into:
function showMainTitleAndDescription() {
    $mainTitle = $this->getMainTitle();
    echo '<h1 class="main-title">'.$mainTitle.'</h1>';
    if ($this->current_view === 'forum' && $this->options['show_description_in_forum'] && !empty($this->current_description)) {
        echo '<div class="main-description">'.stripslashes($this->current_description).'</div>';
    }
}
Quote from daron4ever on January 9, 2018, 5:16 pm
Thanks, but I found how to use block shortcodes.
It didn’t work when I used [block id=”xxx”]
But it worked without quote marks: [block id=xxx]
No problem with security with it?
Best Regards,
Quote from Asgaros on January 9, 2018, 7:21 pm
I guess it should be safe to use.
Quote from SYG Dev on January 13, 2018, 3:24 pm
Quote from Asgaros on January 9, 2018, 5:04 pm
Hello daron4ever,
HTML code is automatically removed from the description for security reasons. Otherwise potential scripts could be used to read sensitive data from users. If you want to change this behavior, you have to manually edit the includes/forum.php file:
Change:
function showMainTitleAndDescription() {
    $mainTitle = $this->getMainTitle();
    echo '<h1 class="main-title">'.$mainTitle.'</h1>';
    if ($this->current_view === 'forum' && $this->options['show_description_in_forum'] && !empty($this->current_description)) {
        echo '<div class="main-description">'.esc_html(stripslashes($this->current_description)).'</div>';
    }
}
Into:
function showMainTitleAndDescription() {
    $mainTitle = $this->getMainTitle();
    echo '<h1 class="main-title">'.$mainTitle.'</h1>';
    if ($this->current_view === 'forum' && $this->options['show_description_in_forum'] && !empty($this->current_description)) {
        echo '<div class="main-description">'.stripslashes($this->current_description).'</div>';
    }
}
Hello. I registered for this specific issue/solution.
I’ve come here after using XenForo, IPS Community, phpbb, mybb, and bbpress in that order.
All feature the ability for HTML links in the description by default or with a single toggle.
Can you elaborate more on the security issues faced by allowing HTML links in the forum description?
Or provide links to further information, as I can find nothing via an extended Google search or Stack Overflow.
From a community management standpoint – this should be made more evident to prevent threads like this from building up in the future, and this software definitely has a bright future!
Quote from Asgaros on January 13, 2018, 6:22 pm
Quote from SYG Dev: Can you elaborate more on the security issues faced by allowing HTML links in the forum description?
Hello SYG Dev,
the main problem here is – in my opinion – not links or normal tags inside the description. But imagine the following: because of a bug in the forum, WordPress or another plugin/theme, an attacker can inject custom data into the description field. For example, he could inject a <script> tag which contains JavaScript. This script could read all entered information (passwords), read cookies and much more while it stays “invisible” in the background. Avoiding HTML in the description ensures that this cannot happen.
Of course it’s not possible to guarantee 100% security, and there could be other places for this kind of attack as well, but I will do my best to keep the risk as low as possible. 🙂
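The exchange above contrasts two extremes: esc_html(), which renders every tag literally (the plugin default), and raw output, which lets any stored markup reach the browser. The following is an added example, not code from Asgaros Forum or from Asgaros, that runs the same constructed description through both of those and through a third option that answers SYG Dev's question: an allowlist that keeps plain text and http(s) links and drops everything else, so a stored <script> tag or an inline event handler never reaches the page. The function names (render_escaped, render_raw, render_allowlisted, sanitize_links_only, serialize_allowed), the sample text and the example.com URL are all assumptions made for the demo; the hand-written DOMDocument walker stands in for what wp_kses() does inside WordPress.

```php
<?php
// Added example, not Asgaros Forum code. Shows the three ways of emitting a
// forum description discussed in this thread: the plugin default (esc_html),
// the patched raw output, and an allowlist that keeps only <a href="http(s)://...">.
declare(strict_types=1);

/** Escape a text node or attribute value for HTML output (what esc_html() does in WordPress). */
function esc(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Plugin default: every tag in the description is rendered literally, so no markup reaches the browser. */
function render_escaped(string $description): string
{
    return '<div class="main-description">' . esc($description) . '</div>';
}

/** The edit proposed in the thread: raw output. Any markup stored in the field, including <script>, reaches the browser. */
function render_raw(string $description): string
{
    return '<div class="main-description">' . $description . '</div>';
}

/** Middle ground: keep plain text and http(s) links, drop every other element and attribute. */
function render_allowlisted(string $description): string
{
    return '<div class="main-description">' . sanitize_links_only($description) . '</div>';
}

/**
 * Minimal allowlist sanitizer for the demo (hypothetical helper; inside WordPress use
 * wp_kses() with the same allowlist instead). Parses the fragment with DOMDocument and
 * re-serialises only what is explicitly allowed, so nothing is passed through untouched.
 */
function sanitize_links_only(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // silence warnings about unknown/HTML5 tags
    // Declare UTF-8 and wrap the fragment so the parser gives us one known root element.
    $doc->loadHTML(
        '<?xml encoding="UTF-8"><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
    );
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0);
    return $root === null ? '' : serialize_allowed($root);
}

function serialize_allowed(DOMNode $node): string
{
    $out = '';
    foreach ($node->childNodes as $child) {
        if ($child instanceof DOMText) {
            $out .= esc($child->nodeValue);           // text is always re-escaped
        } elseif ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if ($tag === 'script' || $tag === 'style') {
                continue;                              // drop the element and its contents
            }
            $href = $child->getAttribute('href');
            if ($tag === 'a' && preg_match('#^https?://#i', $href) === 1) {
                // Only href survives; onclick, style, javascript: URLs etc. are discarded.
                $out .= '<a href="' . esc($href) . '">' . serialize_allowed($child) . '</a>';
            } else {
                $out .= serialize_allowed($child);     // unknown tag: keep its text, drop the tag
            }
        }
        // Comments, CDATA and processing instructions are dropped.
    }
    return $out;
}

// Constructed sample: one legitimate link with an inline handler, a script, and a <b> tag.
$sample = 'Read the <a href="https://example.com/rules" onclick="x()">rules</a> first. '
        . '<script>console.log("xss")</script><b>Thanks!</b>';

foreach (['escaped' => 'render_escaped', 'raw' => 'render_raw', 'allowlisted' => 'render_allowlisted'] as $label => $fn) {
    echo str_pad($label, 12), $fn($sample), PHP_EOL;
}
```

Run it with the php command-line binary: the escaped line shows the tags as literal text, the raw line passes the script and the onclick handler straight through, and the allowlisted line keeps the link with only its href and the text "Thanks!" without the <b>. In the plugin the sanitizer would take the place of the esc_html(...) call while the stripslashes(...) call stays. Inside WordPress, wp_kses( stripslashes( $this->current_description ), array( 'a' => array( 'href' => true ) ), array( 'http', 'https' ) ) gives the same allowlist with WordPress's maintained implementation, which is preferable to a hand-written walker like the one above.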