Bring back HTML code

Self-Ejected

Kosmonaut

Lost in Space
Joined
Jul 11, 2008
Messages
4,741
Location
CCCP
It seems that HTML is not allowed anymore in posts. I had not noticed this until now, when I wanted to use it. Why was it disallowed?

Please bring back the HTML code!
 

DarkUnderlord

Professional Throne Sitter
Staff Member
Joined
Jun 18, 2002
Messages
28,358
Nope, OSK is actually right when he says it's a security risk.
 

racofer

Thread Incliner
Joined
Apr 5, 2008
Messages
25,629
Location
Your ignore list.
DarkUnderlord said:
Nope, OSK is actually right when he says it's a security risk.

And here I was thinking the Codex was hardcore and edgy, willing to venture where other faggotry ridden forums wouldn't.


Boy was I mistaken.
 

DriacKin

Arbiter
Joined
Oct 9, 2008
Messages
2,588
Location
Inanescape
A few months ago, OSK demonstrated a legit security risk related to javascript and cookies. Instead of actually fixing the problem, DU just decided to ban html.
 

OSK

Arcane
Patron
Joined
Jan 24, 2007
Messages
8,021
DriacKin said:
Instead of actually fixing the problem, DU just decided to ban html.

This really isn't a problem you can fix. I'm pretty sure you can execute javascript from every HTML tag. You can try to sanitize the HTML, but that's no small feat. You'd either have to make the HTML extremely restrictive (at which point you may as well just be using BBCode) or attempt to catch every possible scenario where someone may try to sneak in some unwanted code.

Here's a nice big list of some ways you might be able to bypass filtering: http://ha.ckers.org/xss2.html

Completely disallowing HTML is really the only safe way to go. Things most people want to do with HTML can be replicated in BBCode anyway.
 

DriacKin

Arbiter
Joined
Oct 9, 2008
Messages
2,588
Location
Inanescape
OldSkoolKamikaze said:
This really isn't a problem you can fix. I'm pretty sure you can execute javascript from every HTML tag. You can try to sanitize the HTML, but that's no small feat. You'd either have to make the HTML extremely restrictive (at which point you may as well just be using BBCode) or attempt to catch every possible scenario where someone may try to sneak in some unwanted code.

Here's a nice big list of some ways you might be able to bypass filtering: http://ha.ckers.org/xss2.html

Completely disallowing HTML is really the only safe way to go. Things most people want to do with HTML can be replicated in BBCode anyway.

I'd be somewhat surprised if there weren't already existing solutions that account for all this crap. Seems like something that'd be pretty useful...
 

L'ennui

Magister
Joined
Apr 6, 2009
Messages
3,256
Location
Québec, Amérique du Nord
DriacKin said:
I'd be somewhat surprised if there weren't already existing solutions that account for all this crap. Seems like something that'd be pretty useful...

Feel free to invent one, I guess.
 

DarkUnderlord

Professional Throne Sitter
Staff Member
Joined
Jun 18, 2002
Messages
28,358
DriacKin said:
I'd be somewhat surprised if there weren't already existing solutions that account for all this crap. Seems like something that'd be pretty useful...

There is. It's called BBCode.

No really, that's why BBCode was invented. It's basically a whitelist of acceptable HTML codes.
 
Self-Ejected

Kosmonaut

Lost in Space
Joined
Jul 11, 2008
Messages
4,741
Location
CCCP
Is there a way to put attributes on IMG tags, like width and height, alt text, etc.?

That's why I miss HTML code.
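
The allow-list idea discussed in this thread, as an added example that is not part of any post and is not the forum's own code: a deny-list filter that only strips `<script>` leaves an event-handler attribute intact, while a BBCode renderer escapes everything first and then emits only markup it builds itself. The function names and the `[img=WxH]` size syntax are assumptions made for this sketch, and the sample posts are constructed.

```javascript
// Added example; function names and the [img=WxH] syntax are assumptions.

// Deny-list approach: strip <script> elements and hope nothing else executes.
function stripScriptTags(html) {
  return html.replace(/<script\b[\s\S]*?<\/script>/gi, "");
}

// Allow-list approach, step 1: neutralise every HTML metacharacter the user typed.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Image sources must be absolute http(s) URLs with no brackets, quotes or whitespace.
function isSafeImageUrl(url) {
  return /^https?:\/\/[^\s"'<>\[\]]+$/i.test(url);
}

// Step 2: emit only markup that this function writes itself.
function renderBBCode(input) {
  let out = escapeHtml(input);
  for (const [bb, tag] of [["b", "strong"], ["i", "em"], ["u", "u"]]) {
    const re = new RegExp(`\\[${bb}\\]([\\s\\S]*?)\\[/${bb}\\]`, "gi");
    out = out.replace(re, `<${tag}>$1</${tag}>`);
  }
  // Width and height are digits only, so they cannot carry an attribute or handler.
  const img = /\[img(?:=(\d{1,4})x(\d{1,4}))?\]([\s\S]*?)\[\/img\]/gi;
  return out.replace(img, (whole, w, h, url) => {
    const src = url.trim();
    if (!isSafeImageUrl(src)) return whole; // rejected tag stays as inert text
    const size = w ? ` width="${w}" height="${h}"` : "";
    return `<img src="${src}"${size} alt="">`;
  });
}

// Constructed sample posts: raw HTML, valid BBCode, and a non-http image source.
const samples = [
  '<img src=x onerror="alert(1)">',
  "[b]bold[/b] [img=320x200]https://example.com/a.png?x=1&y=2[/img]",
  "[img]javascript:alert(1)[/img]",
];
for (const s of samples) {
  console.log(JSON.stringify(stripScriptTags(s)), "=>", JSON.stringify(renderBBCode(s)));
}
```

The paired tags are converted before `[img]`, and the URL check rejects `<`, `>`, `[` and `]`, so a tag nested inside an image URL cannot end up inside the `src` attribute.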
 
