For those people operating phpBB with HTML enabled we have been notified by Marvin Massih of a possible cross site scripting issue. It will affect primarily those who have enabled the <a> (anchor tag) but it may impact certain other tags too depending on what functionality they offer.
The problem occurs because users may enter "javascript:" within a given url ... which can of course be used to grab local cookie (for example) information from the client.
At this time we advise everyone with HTML enabled to remove the a tag from the list of allowed tags (Admin Panel -> General -> Configuration -> Allowed tags). There really is no reason to allow the anchor tag anyway, BBCode provides appropriate functionality for linking.
We will continue looking at potential solutions to this but it isn't necessarily a straightforward issue to solve without impacting the very functionality the <a> tag can give you (same applies to any other tag that may be affected).
Of course our advice remains, as it always has, to only enable HTML if you positively, absolutely have no alternative. There are various BBCode Mods available here and elsewhere which offer the functionality of a number of common HTML tags ... while reducing considerably the risk of layout and privacy issues.
_________________ Feed a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime.
ScriptHeaven | NukeResources
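Added example (not phpBB's code, nor anything the posters wrote) of the kind of check a board would need if it kept the <a> tag enabled: the href's scheme is normalized and compared against an allowlist, and anchors that fail are dropped while their link text is kept. The SAFE_SCHEMES set and the AnchorFilter class are this example's own assumptions.

```python
import html
import re
from html.parser import HTMLParser

# Link schemes a post may use; everything else (javascript:, vbscript:,
# data:, ...) is rejected. An allowlist avoids chasing every scheme name.
SAFE_SCHEMES = {"http", "https", "mailto"}

# Browsers ignore ASCII control characters and whitespace inside a scheme,
# so they are stripped before the comparison.
_CONTROL = re.compile(r"[\x00-\x20\x7f]")


def href_is_safe(href: str) -> bool:
    """True if href has no scheme (relative link) or an allowlisted one."""
    # The scheme may arrive entity-encoded ("&#106;avascript:") and still
    # execute once the browser decodes it, so decode entities first.
    normalized = _CONTROL.sub("", html.unescape(href)).lower()
    m = re.match(r"([a-z][a-z0-9+.-]*):", normalized)
    return m is None or m.group(1) in SAFE_SCHEMES


class AnchorFilter(HTMLParser):
    """Re-emits a post keeping only <a> tags whose href passes href_is_safe.
    Every other tag is stripped (its text is kept), i.e. a board that
    allows only the anchor tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open = [], []  # output pieces, stack of (tag, kept)

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") or ""
        keep = tag == "a" and href_is_safe(href)
        if keep:
            self.out.append(f'<a href="{html.escape(href, quote=True)}">')
        self.open.append((tag, keep))

    def handle_endtag(self, tag):
        # Emit </a> only if the matching start tag was emitted.
        if self.open and self.open[-1][0] == tag:
            _, keep = self.open.pop()
            if keep:
                self.out.append("</a>")

    def handle_data(self, data):
        self.out.append(html.escape(data))  # re-escape decoded text


def filter_anchors(post_html: str) -> str:
    p = AnchorFilter()
    p.feed(post_html)
    p.close()
    return "".join(p.out)
```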
Zhen-Xjell Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939
Posted: Fri Aug 15, 2003 11:48 am
As good practice the A tag should pretty much be disallowed in the forums.
_________________ Paul Laudanski, Microsoft MVP Windows-Security
CastleCops: [de] [en] [wiki]