Forum issue: arbitrary styling of DIVs in posts
GordonMcComb
Posts: 3,366
This came up in a now completely trashed (as in severely off-topic) discussion, but it warrants making sure it is properly noted, including the underlying issue which may not have been fully described.
The forum editor allows arbitrary styling of DIV elements, and it should not. By styling, I mean something like <DIV style="...blah">. Some of the styles that can be applied could, at least theoretically, be used to compromise the forum in certain ways, including making a DIV hidden. An example is a spammer putting in text or a link but hiding it from potential flagging.
A possible solution is to simply disallow all style= attributes to DIV elements. However, it may require recoding some of the Vanilla parser, if it's not possible to do this as a setting.
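To make the concern above concrete, here is an added example (not Vanilla's code, and not posted by the thread's author) of the allow-list approach the post suggests: an HTML pass that keeps only known-good tags and attributes, so a `style` attribute on a DIV is dropped rather than rendered, plus a moderation helper that reports which dropped styles would have hidden content. The tag and attribute allow-list, the hiding-pattern regex and the sample post are all assumptions constructed for the example; it uses only the Python standard library.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: tag -> attributes kept on it. Anything not listed
# (notably "style" on every tag) is dropped on output.
ALLOWED_ATTRS = {
    "div": set(), "span": set(), "p": set(), "br": set(),
    "b": set(), "i": set(), "em": set(), "strong": set(), "code": set(),
    "pre": set(), "blockquote": set(), "ul": set(), "ol": set(), "li": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
VOID_TAGS = {"br", "img"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" = relative URL

# Heuristic (assumed) patterns for inline CSS that hides content from readers
# and moderators while it stays in the page for crawlers.
HIDING_CSS = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|opacity\s*:\s*0(?:\.0+)?(?![\d.])"
    r"|font-size\s*:\s*0(?![\d.])"
    r"|position\s*:\s*absolute",
    re.IGNORECASE,
)


def safe_href(value):
    """Only plain web/mail links survive; javascript: and friends do not."""
    return urlparse(value.strip()).scheme in SAFE_SCHEMES


class PostSanitizer(HTMLParser):
    """Rebuilds the markup, emitting only allow-listed tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []  # (tag, attr, value) records for an audit log

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_ATTRS:
            self.dropped.append((tag, None, None))
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            ok = name in ALLOWED_ATTRS[tag] and (name != "href" or safe_href(value))
            if ok:
                kept.append(f' {name}="{escape(value, quote=True)}"')
            else:
                self.dropped.append((tag, name, value))
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_ATTRS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text was unescaped by the parser; re-escape so it cannot become markup.
        self.out.append(escape(data, quote=False))


def sanitize_post(html):
    """Return (clean_html, dropped) for one post body."""
    parser = PostSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


def hidden_style_flags(html):
    """Moderation check: list (tag, style) pairs whose CSS would hide content."""
    _, dropped = sanitize_post(html)
    return [(tag, value) for tag, attr, value in dropped
            if attr == "style" and HIDING_CSS.search(value)]


if __name__ == "__main__":
    # Constructed sample post: a DIV hidden with inline CSS around a link.
    sample = '<DIV style="display:none">Buy <a href="http://example.test">now</a></DIV>'
    clean, dropped = sanitize_post(sample)
    print(clean)                         # the DIV is kept, its style is gone
    print(hidden_style_flags(sample))    # [('div', 'display:none')]
```

Because the parser drops every attribute it does not know rather than trying to block specific CSS properties, new hiding tricks need no new rules; the `HIDING_CSS` check exists only so moderators can be told which posts tried to hide content, not to decide what is rendered.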
Comments
https://github.com/vanilla/vanilla/blob/3f8e5c04c20c222fb2e64be1639655a5d0c79fb7/conf/config-defaults.php#L93
The same config can also select a different editor, i.e. BBCode. That might actually solve all the problems right there!