phpBB HTML MOD
Posted: Sun Nov 13, 2022 6:42 pm
by Random American
Hello.
I still don't recommend that you enable HTML (for massive security reasons) but I found an old MOD that enabled it on phpBB 3.0.x:
https://web.archive.org/web/20090221085 ... f=31&t=535
I also have it as an attachment on my own site if that link doesn't work.
This old code may be useful to port such functionality as an extension. It will not work without updates on new phpBB versions. It must be ported.
Re: phpBB HTML MOD
Posted: Mon Nov 14, 2022 11:21 pm
by axew3
Thank you. I normally do not look into others' ways, so I will try to check the code on it maybe only after I have finished seeing if it is possible to do it in a way I have thought of. It should be very easy and light.
I will reply ASAP with news and an explanation of why, to me, it is secure, and whether it is possible to achieve it like I think. Thank you again, see you soon!
Re: phpBB HTML MOD
Posted: Wed Nov 16, 2022 9:36 am
by axew3
Example. An admin who starts the post with
[HTMLMARKUP]
will have the post content parsed as HTML. The placeholder can also be changed, but it is not about security; read the inline code comments:
Code:
    // © axew3.com
    public function viewtopic_modify_post_data($e)
    {
        $e_rowset = $e['rowset'];
        foreach ($e_rowset as $p => $pp)
        {
            // executed only when the post starts with the placeholder
            if (substr($pp['post_text'], 0, 15) == '<t>[HTMLMARKUP]') // ** can be changed to a custom word
            {
                // (int) cast keeps the interpolated user_id numeric
                $sql = "SELECT group_id FROM " . USERS_TABLE . " WHERE user_id = " . (int) $pp['user_id'];
                $res = $this->db->sql_query($sql);
                $row = $this->db->sql_fetchrow($res);
                $this->db->sql_freeresult($res);

                if ($row['group_id'] == 5) // only the user's default group is considered here, admin in this case
                {
                    $parse_flags = ($pp['bbcode_bitfield'] ? OPTION_FLAG_BBCODE : 0) | OPTION_FLAG_SMILIES;
                    // ** the HTMLMARKUP placeholder can be changed into something custom, so that only users who know the magic word can add HTML code that will be parsed;
                    // this just avoids anybody joking with the thing and slowing down the foreach by adding the magic word, even if for them it will never be parsed (it will be secure anyway)...
                    $e_rowset[$p]['post_text'] = str_replace("[HTMLMARKUP]", "", $pp['post_text'], $count); // $count not used, but could be for more complex things
                    // !! if the post_text also contains even a single bbcode, the following line will NOT let the subsequent html_entity_decode() parse it as HTML
                    // $e_rowset[$p]['post_text'] = generate_text_for_display($e_rowset[$p]['post_text'], $pp['bbcode_uid'], $pp['bbcode_bitfield'], $parse_flags, true);
                    $e_rowset[$p]['post_text'] = html_entity_decode($e_rowset[$p]['post_text']);
                }
            }
        }
        $e['rowset'] = $e_rowset;
        unset($e_rowset);
    }
I will install it here at axew3.com when ready, with the challenge: 300$ to whoever is capable of showing how it could be exploited.
Do not waste your time, it is impossible.
This is stupid code. For this reason it cannot be exploited. It is KISS.
P.S. Something in the flow needs to be changed to not waste resources; I will fix it tonight.
It is just a test snippet.
The $e_rowset = $e['rowset']; assignment needs to be done only when it is required because a topic post contains the magic word, and not always.
Stay tuned, it will be cool.
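Added example, not part of the original post or of the extension it describes: the snippet above sends whatever html_entity_decode() returns to every reader's browser, so the markup is exactly as trustworthy as the account that stored it. One way to narrow that is a DOM allow-list filter applied to the decoded text before display; the tag and attribute lists, the function names and the sample post are assumptions made for this sketch.

```php
<?php
// Added example: allow-list filter for HTML obtained from html_entity_decode().
// Tag/attribute lists and the sample post are assumptions, not phpBB defaults.
const ALLOWED_TAGS = ['p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'a', 'pre', 'code'];
const ALLOWED_ATTRS = ['a' => ['href', 'title']];
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed', 'template'];

function sanitize_node(DOMNode $node): void
{
    // Snapshot the children: the live node list changes while we edit it.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMText) { continue; } // text is escaped again on output
        $tag = strtolower($child->nodeName);
        if (!($child instanceof DOMElement) || in_array($tag, DROP_WITH_CONTENT, true)) {
            $node->removeChild($child); // comments, scripts, frames: drop with content
            continue;
        }
        sanitize_node($child); // clean descendants first
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            // Unknown tag: keep its cleaned children, drop the tag itself.
            while ($child->firstChild) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->nodeName);
            // href must also be a web, mail, relative or fragment link.
            $ok = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true)
                && ($name !== 'href' || preg_match('~^(https?://|mailto:|/|#)~i', trim($attr->nodeValue)) === 1);
            if (!$ok) { $child->removeAttributeNode($attr); }
        }
    }
}

function sanitize_post_html(string $html): string
{
    libxml_use_internal_errors(true); // tolerate sloppy markup without warnings
    $doc = new DOMDocument();
    // The wrapper <div> lets us serialise only our fragment afterwards.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>', LIBXML_NONET);
    $root = $doc->getElementsByTagName('div')->item(0);
    sanitize_node($root);
    return implode('', array_map([$doc, 'saveHTML'], iterator_to_array($root->childNodes)));
}

// Constructed sample of stored, entity-encoded post text.
$stored = '&lt;p onclick="x()"&gt;Hi &lt;b&gt;all&lt;/b&gt;&lt;/p&gt;&lt;script&gt;alert(1)&lt;/script&gt;'
        . '&lt;a href="javascript:alert(1)"&gt;link&lt;/a&gt;';
echo sanitize_post_html(html_entity_decode($stored)), "\n";
```

The filter keeps the paragraph, bold text and link text while dropping the event handler, the script element and the non-web href.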
Re: phpBB HTML MOD
Posted: Wed Nov 16, 2022 2:33 pm
by Random American
Sorry, I'm a novice when it comes to php, so I don't think I can validate your code.
Re: phpBB HTML MOD
Posted: Wed Nov 16, 2022 11:40 pm
by axew3
OK, I have tried to check several ways, and the result is that this solution is the best.
It is fast and secure.
There was only a problem if the post contains bbcode. Then the HTML would not be parsed.
So, if in my HTML post I want to display an existing bbcode to explain something about it, or just because I like to do so, how should I do it?
Using entities:
&#91; is [
&#93; is ]
so
Code:
    &#91;b&#93;test me i want to show bbcode tag into my html&#91;/b&#93;
the result will be this:
Code:
    [b]test me i want to show bbcode tag into my html[/b]
Nice hidden jokes can be done in phpBB, don't you think?
The summary of all the thoughts about HTML in phpBB posts, wow, is that the code in the function above will always work fine, and is perfect as is.
The extension will be released tomorrow, fixed in every aspect. It is perfect at first try.
Re: phpBB HTML MOD
Posted: Thu Nov 17, 2022 11:23 am
by HackerJoe
<a href="/contact" aria-label="If you find that you need additional
assistance in navigating or accessing the content of this website,
please call our customer service toll free number 1-800-666-8654309" title="If
you find that you need additional assistance in navigating or accessing
the content of this website, please call our customer service
toll free number 1-800-666-8654309">
Contact
</a>
<a href="/login" aria-label="If you find that you need additional assistance in navigating or accessing the content of this website, please call our customer service toll free number 1-800-666-8654309" title="If you find that you need additional assistance in navigating or accessing the content of this website, please call our customer service toll free number 1-800-666-8654309">
Login
</a>