Get rid of HTML mode?
We've been considering abandoning the HTML markup mode completely from Gossamer Forum. This won't be in the 1.x version, but most likely a change for version 2.0. However, this is only something we have discussed, and we'd like to throw the idea out there to get some feedback from current and future Gossamer Forum members.
For those not familiar, enabling HTML on a forum has always been advised against by us, as it opens some minor security holes and/or DOS (denial of service) potential. A user could, potentially, make an HTML post that closes all the HTML tags used to display a post, and makes it look like someone else posted below them. Or, a user could include Javascript that would put the browser into an infinite javascript alert() loop, forcing the user to kill their browser session. It isn't feasible to check for all the possibilities of malicious intent. Certainly we could strip out the common misuses, but it's highly doubtful we could block every possible attack, simpy due to the huge number of HTML tags and attributes available, and due to the speed at which new attributes and tags are supported. Who know what IE 6.5 (7.0? XP?) will add to the mix?
I'm interested in any feedback anyone has regarding either scrapping the feature for 2.0, or leaving it. Certainly, with the advanced editor (which I notice vBulletin has now copied, calling it the WYSIWYG editor) whether or not you're using Markup or HTML really doesn't matter from the user's point of view.
Jason Rhinelander
Gossamer Threads
jason@gossamer-threads.com
For those not familiar, enabling HTML on a forum has always been advised against by us, as it opens some minor security holes and/or DOS (denial of service) potential. A user could, potentially, make an HTML post that closes all the HTML tags used to display a post, and makes it look like someone else posted below them. Or, a user could include Javascript that would put the browser into an infinite javascript alert() loop, forcing the user to kill their browser session. It isn't feasible to check for all the possibilities of malicious intent. Certainly we could strip out the common misuses, but it's highly doubtful we could block every possible attack, simpy due to the huge number of HTML tags and attributes available, and due to the speed at which new attributes and tags are supported. Who know what IE 6.5 (7.0? XP?) will add to the mix?
I'm interested in any feedback anyone has regarding either scrapping the feature for 2.0, or leaving it. Certainly, with the advanced editor (which I notice vBulletin has now copied, calling it the WYSIWYG editor) whether or not you're using Markup or HTML really doesn't matter from the user's point of view.
Jason Rhinelander
Gossamer Threads
jason@gossamer-threads.com
Get rid of HTML mode?