18 replies to this topic

[Burnie]

So how far back has the forum been restored to?

[Rocket]

Restore date appears to be 21st April

[Mayday]

My life has been lost with out this site!! I was so Bored

[TroyTempest]

So what happened this time? I presume the first assessment wasn't bang on.

[Lucas North]

What the hell have NSI been doing?

Surely it was just a simple case of raising the issue with Invision and letting their team investigate & patch?

[goldfgy]

WELCOME BACK!

[Law_Grad]

testing

testing

testingWhy can users still post / use HTML code?



Most BB boards block it outright - to stop any SQL injection.



end test

[pmtts]

My life has been lost with out this site!! I was so Bored

You must lead a lonely one then!

[Damsel]

Why can users still post / use HTML code?

It wasn't users being able to post using html that was the problem. The software checks for malicious code in posts, IPB had already thought of that.

[MRF@1972]

Good to see forum back up and running again

[Law_Grad]

It wasn't users being able to post using html that was the problem. The software checks for malicious code in posts, IPB had already thought of that.

Strange that, as that's the whole idea of BB forum, where HTML is substituted for BB code that's specific to the software vendor. A legend if you like, where certain approved tags correspond with certain internal responses. It means that the affect a user has upon the forum is limited to the contents if a posting, it's divorced from the code upon which the whole forum has been created…it's almost a firewall between the user and the back end. As for the idea that IPB has this covered, well, the software vendor recommends that you disable it.

IPS highly recommends you do not enable HTML posting in your community as it is a large security risk. By default, IPS software ships with HTML posting disabled.

Source

[DukeDan]

Is the reason the site went down the same reason described as per Lord Vader's post from 21 April?

Also, I can see that "Facebook" is viewing this thread.

[Damsel]

Strange that, as that's the whole idea of BB forum, where HTML is substituted for BB code that's specific to the software vendor. A legend if you like, where certain approved tags correspond with certain internal responses. It means that the affect a user has upon the forum is limited to the contents if a posting, it's divorced from the code upon which the whole forum has been created…it's almost a firewall between the user and the back end. As for the idea that IPB has this covered, well, the software vendor recommends that you disable it.Source

Law Grad, I can only post what I was told. If you already knew the answer 1) why bother asking, and 2) why not pose the question to NSI in the correct thread?

[Law_Grad]

Law Grad, I can only post what I was told. If you already knew the answer 1) why bother asking, and 2) why not pose the question to NSI in the correct thread?

I did, when it was last posted / last thread about it, that's now lost from the restore. I'm not having a go Damsel, but I have never seen any forum that allows HTML tags to be used by its members…its kind of the purpose of the BB tags having [ brackets as opposed to < as its an internal code that has no universal effect…just the comments box.I was trying to use brevity, and yes for me that's odd :D in the hope that if the forum goes down again, someone might say "someone did mention an anomaly about HTML" As an aside, it's probably why there have been issues in regards editing posts for formatting / broken links / images not displaying correctly etc.Because, and even allowing for any WYSIWYG text editor that pastes unnecessary code…preview and edit suddenly renders a post full of low level HTML code that can get muddled up. And I repeat again, this isn't a hobby horse or argument, but an attempt at flagging up a genuine concern…so please don't allow it to be ignored based upon "it should be posted there" as it sort of misses the issue. All the best, and a round of applause to all those behind the scenes…including yourself for manning twitter Damsel. :P

[Lucas North]

Oh God... they're speaking in Arabic... or Latin... or something, again

[Sailor]

I agree with Law_Grad. HTML posting should be disabled.

[Waddle]

Well I'm glad to see the forum up and running again, not sure I can get on with Twitter

[CmdKeen]

There is no conceivable reason that HTML tags should lead to SQL injection... After all SQL doesn't contain angle brackets around anything, I could still write by "Little Bobby Tables" post, post title, username any a vulnerability would let it through.

There are valid reasons to ban / allow HTML - especially given the propensity for people in the News section to copy & paste without using the preview button and generate monstrosities.

[cyswork]

Oh I was worried! haha!