phpBB HTML on posts extension (HTML/Javascript parsed into phpBB posts)
Posted: Wed Dec 07, 2022 8:43 pm
Read ALL of this, then download from the next post in this topic
Installation
Copy the extension to phpBB/ext/w3all/htmlposts
then go to ACP -> Customize -> Manage extensions
and activate the Html on posts extension.
viewtopic.php?p=5910#p5910
What does it do?
It allows HTML/JavaScript code to be added to phpBB posts and parses the content.
So it is very important that you allow this feature only for well-known, specified user IDs, or you will expose your board to high security risks.
Who can post HTML and expect it to be parsed?
Only specified user IDs.
Is it safe?
What happens if a user who has no right to add HTML to posts, but has the right to edit posts (like a moderator), adds malicious JavaScript code to a post he is not the author of?
Nothing: the HTML post will not be saved after it has been edited.
But that is not the only security check. A post cannot be parsed as HTML if the author is not an allowed user. Nor updated.
How can I add allowed user IDs, so that those users can add HTML to posts and have their post contents parsed as HTML?
Open: /ext/w3all/htmlposts/event/main_listener.php
and search for this line:
Code:
$this->uids_html_allowed_ary = array(); // to allow users to post HTML, add their IDs like this: array(48,625,34,765);
Add comma-separated user IDs and remember: a user authorized to post/parse HTML who adds malicious code can endanger phpBB security!
How does a post become an HTML post?
The post needs to start (the very first characters of the post, with no spaces or anything else before them) with this placeholder:
Code:
[HTMLMARKUP]
All the HTML or JavaScript code found in the post will then be parsed as HTML.
How can I add HTML or JavaScript to my posts?
Just use HTML tags. Be careful to add all closing tags, or the topic page will be malformed when parsed.
Also note: if you want to render text on several lines, wrap it in a <p> or <div> tag (or any other tag you want), and add <br> to break lines. Any text NOT wrapped in a tag will have every br tag stripped, and the text will end up on one single line!
Can I add BBCode or smilies to the HTML post?
No, any BBCode or smiley will be stripped.
Can I add/use JavaScript or jQuery?
Yes to JavaScript, but if you want to use libraries like jQuery or something else, make sure they are included in the header and not in the footer (as they are in phpBB by default), or jQuery will not work. Posts are parsed before the phpBB footer, so the jQuery library has to be enqueued before the posts are parsed (in the phpBB header, not in the footer).
If the HTML extension is ever uninstalled, you can remove all HTML posts by searching for the string:
[HTMLMARKUP]
and deleting the posts.
An easy example of a common HTML snippet follows, along with the extension download.
The example code in the next post is just this; the <iframe> code you see comes from the YouTube Embed share option, which appears when you click on the Share button. Just click on it and copy (I only changed the width and height attribute values to get what I want to display here, so they became width="100%" height="100%"):
Code:
[HTMLMARKUP]<script>alert('Hi there!\nThis is Html on posts\nEasy\nSecure\nPowerful!');
console.log('test html extension js on post');
</script>
<h4 style="padding:10px;font-family:verdana;">Hello<br />... the output is correctly parsed also for javascript written in more lines
</h4>
<table style="width:100%;text-align:center;margin:0; padding:0px;border-collapse: collapse;"><tr><td style="max-width:25%"><iframe width="100%" height="100%" src="https://www.youtube.com/embed/4FG-106Opxg?controls=0" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></td><td style="max-width:25%"><iframe width="100%" height="100%" src="https://www.youtube.com/embed/K5zP7eQltDE" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></td><td style="max-width:25%"><iframe width="100%" height="100%" src="https://www.youtube.com/embed/LanCLS_hIo4?controls=0" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></td><td style="max-width:25%"><iframe width="100%" height="100%" src="https://www.youtube.com/embed/aGMejPNlcIo" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></td></tr></table>
<table style="width:100%;text-align:center;margin:0; padding:0px;border-collapse: collapse;"><tr>
<td style="max-width:50%"><iframe width="100%" height="100%" src="https://www.youtube.com/embed/dV67vnRNMOA?controls=0" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></td>
<td style="max-width:50%"><iframe width="100%" height="100%" src="https://www.youtube.com/embed/UmFFTkjs-O0" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></td>
</tr></table>
<table style="width:100%;text-align:center;margin:0; padding:0px;border-collapse: collapse;"><tr>
<td style="max-width:25%"><iframe width="100%" height="100%" src="https://www.youtube.com/embed/j2s8yGMEbSs" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></td><td style="max-width:25%"><iframe width="100%" height="100%" src="https://www.youtube.com/embed/EfK-WX2pa8c" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></td><td style="max-width:25%"><iframe width="100%" height="100%" src="https://www.youtube.com/embed/hnpILIIo9ek" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></td>
<td style="max-width:25%"><iframe width="100%" height="100%" src="https://www.youtube.com/embed/VAVER-QBEyI?controls=0" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></td>
</tr></table>
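
The two checks described in the post above (parsing depends on the post's author, saving depends on who is editing), sketched in PHP as an added example. This is not the extension's own code: the function names, the sample user IDs and the escaping fallback are assumptions; only the [HTMLMARKUP] placeholder and the allowed-IDs list come from the post.

```php
<?php
declare(strict_types=1);

// Added illustration, NOT the extension's code. Function names and sample
// IDs are assumptions; the marker and the allowlist idea are from the post.
const HTML_MARKER = '[HTMLMARKUP]';

// True only when the marker is the very first characters of the post.
function is_html_post(string $text): bool
{
    return strncmp($text, HTML_MARKER, strlen(HTML_MARKER)) === 0;
}

// Strict comparison: only an integer ID present in the list matches.
function is_allowed(int $user_id, array $allowed_ids): bool
{
    return in_array($user_id, $allowed_ids, true);
}

// Render check: raw HTML only for marked posts whose AUTHOR is allowlisted.
function render_post(string $text, int $author_id, array $allowed_ids): string
{
    if (is_html_post($text) && is_allowed($author_id, $allowed_ids)) {
        return substr($text, strlen(HTML_MARKER)); // trusted author: emit as HTML
    }
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Save check: an HTML post is stored only if author AND editor are allowlisted.
function may_save(string $new_text, int $author_id, int $editor_id, array $allowed_ids): bool
{
    if (!is_html_post($new_text)) {
        return true; // ordinary post: normal phpBB handling applies
    }
    return is_allowed($author_id, $allowed_ids) && is_allowed($editor_id, $allowed_ids);
}

// Constructed sample data.
$allowed = [48, 625];
$payload = HTML_MARKER . '<script>console.log("test")</script>';

var_dump(may_save($payload, 48, 48, $allowed)); // allowlisted author edits own post
var_dump(may_save($payload, 48, 7, $allowed));  // moderator 7 edits that author's post
var_dump(may_save($payload, 7, 7, $allowed));   // author 7 is not on the list
echo render_post($payload, 7, $allowed), "\n";        // author not allowlisted
echo render_post(' ' . $payload, 48, $allowed), "\n"; // marker not at position 0
```

Both checks are needed: the save check stops a moderator from planting script in a trusted author's post, and the render check covers any marked post that reached the database by another route.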