Cael

Members
  • Content count 11

About Cael

  • Rank
    IPB Newbie

Profile Information

  • Gender Male
  • Interests World domination

Cael's Activity

  1. Cael added a record in IP.Board   

    Strange handling of code tags
    There are a couple of strange things happening to code tags, including html and php tags. I think I may have just found another potential XSS vector, but I could be wrong.

    First off: if I click the [img]http://content.community.invisionpower.com/public/js/3rd_party/ckeditor/plugins/ipsbbcode/images/ips_bbcode.png[/img] icon in the WYSIWYG editor, select 'code', 'php' or 'html', and input something, what I input will be parsed rather than displayed in the editor. For instance, if I input HTML to display an image, the editor will display the image, rather than the HTML to display that image. Switching between the WYSIWYG and non-WYSIWYG editors a few times will further screw the code up.

    If I then post it, it won't be parsed, but converted to BBCode (sometimes badly). It's generally broken in a large number of ways.

    Secondly: if I post a link inside code tags, that link will be shortened as per IPB's usual URL shortening system thingy. This can break the code inside the code tags, and I think it'd be nice to disable it altogether for code tags.

    Example:
    [html]<img src='http://content.community.invisionpower.com/public/js/3rd_party/ckeditor/plugins/ipsbbcode/images/ips_bbcode.png' /> [/html]

    I think a way to post private bug reports would be nice too, for potential XSS exploits for instance. Just a suggestion.
    • 0 replies
    • 0 views
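
The behaviour the report asks for, as an added example that is not part of the original post and is not IP.Board's code: the body of a code, html or php tag is treated as literal text (HTML-escaped, never parsed, never URL-shortened), while text outside those tags is escaped and linkified with only the visible label shortened. The function names, the tag set, the label length and the sample URL are assumptions made for illustration.

```javascript
// Added example: hypothetical BBCode renderer, not IP.Board's implementation.
const CODE_TAGS = /\[(code|html|php)\]([\s\S]*?)\[\/\1\]/gi;
const URL_RE = /https?:\/\/[^\s<>"'\[\]]+/g;
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that could start markup or break out of an attribute.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ENTITIES[c]);
}

// Text outside code tags: escape it, turn URLs into links, and shorten
// only the visible label so the href always carries the full URL.
function linkify(text, max = 30) {
  let out = '', last = 0;
  for (const m of text.matchAll(URL_RE)) {
    const url = m[0];
    const label = url.length > max
      ? url.slice(0, max - 13) + '...' + url.slice(-10)
      : url;
    out += escapeHtml(text.slice(last, m.index));
    out += `<a href="${escapeHtml(url)}">${escapeHtml(label)}</a>`;
    last = m.index + url.length;
  }
  return out + escapeHtml(text.slice(last));
}

// Code-tag bodies are emitted as escaped text only: no HTML parsing,
// no linkification, no URL shortening.
function renderPost(src) {
  let out = '', last = 0;
  for (const m of src.matchAll(CODE_TAGS)) {
    out += linkify(src.slice(last, m.index));
    out += `<pre class="${m[1].toLowerCase()}">${escapeHtml(m[2])}</pre>`;
    last = m.index + m[0].length;
  }
  return out + linkify(src.slice(last));
}

// Constructed sample: one URL in running text, the same URL inside [html].
const SAMPLE_URL = 'http://example.com/a/very/long/path/to/some/resource.png';
const SAMPLE_POST = `See ${SAMPLE_URL} [html]<img src='${SAMPLE_URL}' />[/html]`;
```

The same escaping has to be applied when the editor loads the post back into its rich-text view, since the report describes the markup being parsed at that step.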

About Me

Sometimes a web designer. Sometimes Batman. Other times, a lurker with an IP.Board license.
