Enable HTML
How to enable HTML in the torrent description?
Please help me
Post me your details.php.
You can enable BBCode but not HTML, since that would be unsafe and would get you hacked :)
You can use HTML tags too; it's perfectly safe if you implement it intelligently.
To do so, just strip out unwanted tags/attributes from the user input prior to database escaping/storage. It will be suited to exactly what you want, and you won't have the unnecessary overhead/hassle of BBCode validation -> parsing -> HTML output. Besides, you'll need to strip unwanted tags/attributes and worry about security with BBCode anyway, so you might as well skip the middleman.
Quote:
Have one a** add a simple Java, Flash or you-name-it and bam, you've got a world of hurt!!!! Shoot, they can even add a redirect if they want to send your users wherever they want. So think about it: do you really want to allow HTML codes in your details?
HTML input can be perfectly safe.
I think you're confusing "badly implemented, unchecked, raw HTML input" with "intelligently secured and whitelisted HTML input". Though granted, BBCode is often easier for users to understand. If you don't want to allow Flash embedding (and you shouldn't), just don't whitelist those tags. If you don't want the onhover attribute on elements (and again, you shouldn't), just strip it out. There is nothing intrinsically unsafe about HTML descriptions; idiotic developers are where the problem lies.
Quote:
The problem with allowing the injection of HTML is a complicated one. There is no 100% safe method to allow HTML and feel secure. Some of the issues and interactions are:
1. The obviously dangerous tags like SCRIPT and APPLET are not the only danger. Any injection of a URL can be dangerous. Any tag that allows for a URL (e.g., a, img, frame, ...) can be used for cross-site scripting and cookie stealing, which can allow someone to hack into your board.
2. Hackers can use various tricks that would result in a tag getting through the filter imposed by the PHP checker. Possible examples:
a)
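An added example, not code from this thread or from any tracker's details.php, tying together the two technical points above: the "whitelist tags and attributes before storage" approach from the earlier reply, and the URL-based vector and filter-bypass tricks raised in the quote just above. The thread's code base is PHP; this is written against Python's standard library so it can be run as-is with no dependencies. Everything here is my own choice, not the thread's: the `ALLOWED_TAGS` whitelist, the `safe_url` and `sanitize` helper names, and the sample inputs, which are constructed for the demo. Note that the filter never blacklists anything: unknown tags and unknown attributes (which is what removes every `on*` handler and `style=`) are dropped, and `href`/`src` values are only kept when the scheme, after decoding entities and removing control characters, is http or https.

```python
"""Whitelist sanitizer for user-supplied HTML in a torrent description.

Everything not explicitly allowed is dropped: unknown tags, unknown
attributes (so every on* handler and style= goes), and any href/src whose
scheme is not http(s).  Only the text of dropped tags survives.
"""
import html
import re
from html.parser import HTMLParser

# Tag -> attributes allowed on that tag.  Hypothetical choice for a tracker;
# tune to taste, but keep it a whitelist.
ALLOWED_TAGS = {
    "b": set(), "i": set(), "u": set(), "p": set(), "br": set(),
    "ul": set(), "ol": set(), "li": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
VOID_TAGS = {"br", "img"}                 # never emit a closing tag for these
URL_ATTRS = {"href", "src"}               # the browser navigates to / loads these
SAFE_SCHEMES = {"http", "https"}
DROP_WITH_CONTENT = {"script", "style"}   # drop the tag and its text


def safe_url(value):
    """Return a normalized URL if it may be emitted, else None."""
    # Decode entities once more (double-encoded payloads) and remove ASCII
    # control characters and whitespace: browsers ignore tabs/newlines inside
    # the scheme, so "java\tscript:" and "&#106;avascript:" are still javascript.
    decoded = html.unescape(value)
    cleaned = "".join(ch for ch in decoded if ch > " " and ch != "\x7f")
    m = re.match(r"([a-z][a-z0-9+.-]*):", cleaned, re.IGNORECASE)
    if m:                                  # absolute URL: scheme must be whitelisted
        return cleaned if m.group(1).lower() in SAFE_SCHEMES else None
    if cleaned.startswith("//"):           # protocol-relative, i.e. off-site
        return None
    return cleaned                         # relative URL on this site


class WhitelistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)   # attrs/text arrive decoded
        self.out = []
        self.open = []          # tags we emitted and still need to close
        self.skipping = None    # set while inside <script>/<style>

    def handle_starttag(self, tag, attrs):   # tag/attr names arrive lowercased
        if tag in DROP_WITH_CONTENT:
            self.skipping = tag
            return
        if self.skipping:
            return
        allowed = ALLOWED_TAGS.get(tag)
        if allowed is None:
            return                            # unknown tag: drop it, keep its text
        pieces = []
        for name, value in attrs:
            if name not in allowed:
                continue                      # drops onerror=, onmouseover=, style=, ...
            value = value or ""
            if name in URL_ATTRS:
                value = safe_url(value)
                if value is None:
                    continue                  # dangerous scheme: drop just the attribute
            pieces.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(pieces)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if tag in self.open:                  # close anything left open inside it
            while self.open:
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break
        # stray closing tags are simply dropped

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass                                  # comments (incl. IE conditionals) are dropped

    def result(self):
        self.close()                          # flush buffered text
        while self.open:                      # balance whatever the user left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    """Sanitize one description; call this before escaping for the DB."""
    s = WhitelistSanitizer()
    s.feed(fragment)
    return s.result()


if __name__ == "__main__":
    # Constructed samples, not real tracker data.
    for sample in (
        '<b>Ubuntu 22.04</b> <script>alert(1)</script>',
        '<a href="JaVaScRiPt:alert(1)">x</a>',
        '<a href="java&#9;script:alert(1)">x</a>',
        '<img src="poster.jpg" onerror="alert(1)">',
        '<iframe src="https://evil.example">hi</iframe>',
        '<b><i>oops',
    ):
        print(repr(sample), "->", repr(sanitize(sample)))
```

Run `sanitize()` on the raw form input and store its output; escaping for the database is a separate step that happens afterwards, exactly as the earlier reply describes. The sanitizer re-serializes from the parsed tree rather than patching the original string, so a payload that fools a regex (mixed case, `&#106;`-style entities, tabs inside `javascript:`) is judged on what the browser would actually see, and the output is always balanced even when the user leaves tags open.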