Security Issue: Text fields

17 years 10 months ago #15393 by arobb
Security Issue: Text fields was created by arobb
Hey boarders,

My users are getting creative with their profiles. They've been creating their own style sheet and uploading it to a free public server, and then inserting a CSS tag into one of the text fields/areas in their CB profile.

This feature creates two problems:
1. It's cross-site scripting; a severe concern for every web developer. These tags could eventually lead to the exploitation of other users' profiles (e.g., changing another user's password/email without them knowing) or the exploitation of the server itself (e.g., manipulating the MySQL database).
2. It interferes with the site's atmosphere and brand. The layout for both their profiles and the userlist becomes severely butchered.

These abilities should be a concern of all CB users. So, now we have to ask, what can we do to disable these features/bugs and parse all text?

Thanks everybody.

Post edited by: arobb, at: 2006/06/16 01:39


17 years 10 months ago #15415 by beat
Replied by beat on topic Re:Security Issue: Text fields
Text fields themselves are safe, as all HTML code is displayed as is.

You mean probably the Editor Text Area type field (aka "Creative Field")...

Yes, you are right, it is a field type which shouldn't be given for free editing to the general public, as it allows inserting any kind of nice and bad HTML code!

The only way you have to control what's inside is to choose and configure an HTML editor which does not allow editing the HTML code, is restrictive in the tags allowed, and does not work at all when the browser's JavaScript is disabled...

Does anybody know an editor that does that?

Beat - Community Builder Team Member

Before posting on forums: Read FAQ thoroughly -- Help us spend more time coding by helping others in this forum, many thanks :)
CB links: Our membership - CBSubs - Templates - Hosting - Forge - Send me a Private Message (PM) only for private/confidential info
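The two cases in this thread, a plain text field that is displayed literally and an editor (rich-text) field that must have its tags restricted, can be checked with a small piece of code. The following is an added example written for this thread; it is not Community Builder's or Joomla's own code and does not reflect how CB filters fields. It assumes nothing about CB's API: it just shows output-escaping for a text field and a tag allowlist for an editor field that drops `<style>`, `<link>` and `<script>` elements, inline `style` attributes and `javascript:` links, using only the Python standard library. The sample profile values are constructed for the example.

```python
"""Added example (not Community Builder code): two defences for profile fields.

A plain text field is rendered with HTML escaping, so any markup the user
typed is displayed as text. A rich-text (editor) field is run through a
tag allowlist so that style sheets, scripts and unsafe links never reach
other users' browsers.
"""
import html
from html.parser import HTMLParser

# Hypothetical policy for an editor field: a few formatting tags and plain links.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}           # no style=, no on*= handlers anywhere
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}   # element and its text are discarded


def escape_text_field(value: str) -> str:
    """Plain text field: display markup literally (the safe default)."""
    return html.escape(value, quote=True)


class AllowlistSanitizer(HTMLParser):
    """Editor field: keep allowlisted tags/attributes, drop everything else."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a <script>/<style> being discarded

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag (e.g. <link>) is dropped, its text content is kept
        kept = []
        for name, val in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops style=, class=, onmouseover=, ...
            if name == "href":
                if val is None or not val.strip().lower().startswith(SAFE_URL_SCHEMES):
                    continue  # drops javascript:, data:, relative tricks
            kept.append(f' {name}="{html.escape(val, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_data(self, data):
        if self.skip_depth == 0:
            # convert_charrefs=True gave us decoded text; re-escape it on output
            self.out.append(html.escape(data, quote=False))


def sanitize_editor_field(value: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(value)
    parser.close()
    return "".join(parser.out)


# Constructed sample values, modelled on the abuse described in the thread.
CSS_INJECTION = '<link rel="stylesheet" href="http://free-host.example/evil.css">Hi'
RICH_TEXT = '<p style="position:absolute">x<script>alert(1)</script><b>y</b></p>'
BAD_LINK = '<a href="javascript:alert(1)">c</a><a href="https://example.com/">ok</a>'

if __name__ == "__main__":
    print(escape_text_field(CSS_INJECTION))   # markup shown literally
    print(sanitize_editor_field(CSS_INJECTION))  # -> Hi
    print(sanitize_editor_field(RICH_TEXT))      # -> <p>x<b>y</b></p>
    print(sanitize_editor_field(BAD_LINK))
```

The allowlist is deliberately small; a real deployment would extend `ALLOWED_TAGS`/`ALLOWED_ATTRS` to what the chosen editor actually emits and still never admit `style`, `link`, `script` or event-handler attributes.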


17 years 10 months ago #15425 by silexian
Replied by silexian on topic Re:Security Issue: Text fields
Hi beat,

I have added an artefact on the Joomla Forge concerning text that may be offensive (in the connection texts).

(How about the other artefacts I have added?)

Help me decrease my Karma! I AM a bad boy ;) Hurry up or I'm gonna eat your soul :p
