Re:_link_ and _layer_ 1 Year, 1 Month ago
The word description changes to "de_script_ion",
but I couldn't find it in the same list as link and layer.
I found var $description = null;
but removing it doesn't do anything.
Running Joomla 1.0.13 with Fireboard 1.0.3
The administrator has disabled public write access.
Re:_link_ and _layer_ 1 Year, 1 Month ago
Just delete the first line. The second line must stay as a whole.
Best Of Joomla Team
FireBoard Project Manager
Re:_link_ and _layer_ 1 Year, 1 Month ago
Here is the solution, look: class.fireboard.php
Around line 651, remove 'link' and '_blink_' and so on, whichever you want to delete.
Re:_link_ and _layer_ 1 Year, 1 Month ago
Quick solution for this;
class.fireboard.php
Found :
[code:1]
// now the only remaining whitespace attacks are \t, \n, and \r
$ra1 = Array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'blink', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound');
[/code:1]
Replace
[code:1]
// now the only remaining whitespace attacks are \t, \n, and \r
$ra1 = Array('javascript');
[/code:1]
Last Edit: 2007/09/08 23:26 By greendino.
Re:_link_ and _layer_ 1 Year, 1 Month ago
Quick solution works fine for me, but doesn't this open some security holes?
Ratman (User)
Fresh Boarder
Posts: 10
Re:_link_ and _layer_ 1 Year ago
OK, I have removed the common words like link, title etc. as these were mucking up my site's forum, and it now works fine. Thanks for the prompt fix.
However, like the person above asked, is this now at risk to security issues?
Such is Life
Re:_link_ and _layer_ 1 Year ago
I guess we won't get a direct answer from the developers to this security question. Who wants to tell the world about the security holes in his software?
birdie60 (User)
Junior Boarder
Posts: 34
Re:_link_ and _layer_ 1 Year ago
Hey ho, danialt already replied to your question.
Without replacing all these words, your forum may be vulnerable to cross-site scripting.
Someone could inject JavaScript or Flash or whatever into your site and collect passwords, for example.
I don't think it is the best solution, but one that should work for now.
If you do not like it, delete it, but do not blame the developers if your site gets hacked.
Just my two cents...
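Added example, not part of the thread and not FireBoard's code: a simplified stand-in for the keyword wrapping discussed above, run over two constructed posts with both the full and the trimmed list, next to HTML output encoding with PHP's htmlspecialchars(). The function names dashKeywords and encodeForHtml are assumptions made for this illustration.

```php
<?php
// Added illustration; not FireBoard's code. dashKeywords() is a hypothetical
// simplification of the keyword-wrapping step discussed in the thread.

// Wrap every blacklisted keyword in underscores, case-insensitively.
function dashKeywords(string $text, array $blacklist): string
{
    foreach ($blacklist as $word) {
        $pattern = '/' . preg_quote($word, '/') . '/i';
        $text = preg_replace($pattern, '_${0}_', $text);
    }
    return $text;
}

// Output encoding: markup characters become entities, so the browser
// displays the post as text and the wording itself is left untouched.
function encodeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The list quoted in the thread, and the one-word list from the "quick solution".
$fullList = ['javascript', 'vbscript', 'expression', 'applet', 'meta', 'blink',
             'style', 'script', 'embed', 'object', 'iframe', 'frame',
             'frameset', 'ilayer', 'layer', 'bgsound'];
$trimmedList = ['javascript'];

// Constructed sample posts: ordinary prose, and the standard script-tag test string.
$samples = [
    'benign' => 'See the description of the player layer.',
    'markup' => '<script>alert(1)</script>',
];

foreach ($samples as $label => $post) {
    echo "[$label]\n";
    echo '  full list   : ', dashKeywords($post, $fullList), "\n";
    echo '  trimmed list: ', dashKeywords($post, $trimmedList), "\n";
    echo '  encoded     : ', encodeForHtml($post), "\n";
}
```

The full list rewrites ordinary words in the benign post, the trimmed list leaves the markup post unchanged, and the encoded form displays both posts as plain text.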
Re:_link_ and _layer_ 1 Year ago
I replaced
[code:1]function fbReturnDashed (&$string, $key) {
$string = "_".$string."_";
}[/code:1]
with
[code:1]function fbReturnDashed (&$string, $key) {
$string = "".$string."";
}[/code:1] in class.fireboard.php
The soft hyphen is less obtrusive than the underscore. The security is unchanged by this (so I hope at least)
Re:_link_ and _layer_ 1 Year ago
Thanks, cosworth! Your variant has helped many Russian users who use my Russified version of FireBoard 1.0.3.
Last Edit: 2007/09/14 22:52 By freedom.
Russified version FireBoard 1.0.3 from freedom-ru.net & joomlao.com