phpBB HTML MOD

[Random American]

Hello.

I still don't recommend that you enable HTML (for massive security reasons) but I found an old MOD that enabled it on phpBB 3.0.x: https://web.archive.org/web/20090221085 ... f=31&t=535

I also have it as an attachment on my own site if that link doesn't work.

This old code may be useful to port such functionality as an extension. It will not work without updates on new phpBB versions. It must be ported.

[axew3]

Thank you. I normally do not look into others ways, so i will try to check the code on it maybe only after i finished to see if it is possible to do it in a way i have think to. Should be very easy and light
I will reply asap with news and an explain, the why to me it is secure, and if it is possible to achieve like i think, thank you again see you soon!

[axew3]

Example. An admin that start the post with
[HTMLMARKUP]
will have the post content parsed as html. The placeholder can also be changed, but it is not about security, read inline code comments:

Code: Select all

  // © axew3.com
  public function viewtopic_modify_post_data($e)
  {
    $e_rowset = $e['rowset'];
      foreach($e_rowset as $p => $pp){ 
      // only if the case we execute this
     if ( substr($pp['post_text'], 0, 15) == '<t>[HTMLMARKUP]' )  // ** can be changed to a custom word
     {
       $sql = "SELECT group_id FROM " . USERS_TABLE . " WHERE user_id = ".$pp['user_id']."";
        $res = $this->db->sql_query($sql);
        $row = $this->db->sql_fetchrow($res);
        $this->db->sql_freeresult($res);
      
       if( $row['group_id'] == 5 ) // only the default user's group considered here, admin in this case
       { 
       	 $parse_flags = ($pp['bbcode_bitfield'] ? OPTION_FLAG_BBCODE : 0) | OPTION_FLAG_SMILIES;
       	 // ** the HTMLMARKUP placeholder can be changed into something custom, so that only users that know the magic word can add HTML CODE that will be parsed,
       	 // this just avoid that nobody can joke with the thing slowing down the foreach, adding the magic word, even if for him it will never be parsed (it will be anyway secure)...
         $e_rowset[$p]['post_text'] = str_replace("[HTMLMARKUP]", "", $pp['post_text'], $count); // $count not used, but could for more complex things
          // !! if the post_text will contain also one single bbcode, the following line will NOT let parse as html the subsequent html_entity_decode()
          // $e_rowset[$p]['post_text'] = generate_text_for_display($e_rowset[$p]['post_text'], $pp['bbcode_uid'], $pp['bbcode_bitfield'], $parse_flags, true);
         $e_rowset[$p]['post_text'] = html_entity_decode($e_rowset[$p]['post_text']);
        }
      }
     }
     
   $e['rowset'] = $e_rowset;
   unset($e_rowset);
  }

i will install here at axew3.com as ready, with the challenge: 300$ to who is capable to show how it could be exploited
Do not waste your time, it is impossible.
This is stupid code. For this cannot be exploited. It KISS

p.s something into the flow need to changed to not waste resources, i will fix this night
It is just a test snippet.
$e_rowset = $e['rowset']; assignment need to be done only when it is required because a topic post contain the magic word, and not ever.

Stay tuned, it will be cool

[Random American]

Sorry, I'm a novice when it comes to php, so I don't think I can validate your code.

[axew3]

Ok, i have try to check several ways and the result is that this solution is the best.
It is fast and secure.
It was only a problem about if the post contain bbcode. Then the html would not be parsed.
So, if into my html post i want to display an existent bbcode to explain something about it or just because i like to do so, how should i do?
using entities:
[ is [
[ is ]
so

Code: Select all

[b]test me i want to show bbcode tag into my html[/b]

the result will be this:

Code: Select all

[b]test me i want to show bbcode tag into my html[/b]

Nice hidden jokes can be done in phpBB, you do not think?
The resume of all thoughts about HTML on phpBB posts, wow, is that the code in the function above will work ever fine, and is perfect as is.
The extension will be released tomorrow fixed under any aspect. It is perfect at first try

[HackerJoe]

<a href="/contact" aria-label="If you find that you need additional
assistance in navigating or accessing the content of this website,
please call our customer service toll free number 1-800-666-8654309" title="If
you find that you need additional assistance in navigating or accessing
the content of this website, please call our customer service
toll free number 1-800-666-8654309">
Contact
</a>
<a href="/login" aria-label="If you find that you need additional assistance in navigating or accessing the content of this website, please call our customer service toll free number 1-800-666-8654309" title="If you find that you need additional assistance in navigating or accessing the content of this website, please call our customer service toll free number 1-800-666-8654309">
Login
</a>

[axew3]

... Your post has been validated as is, but i am sorry for you...
You do not belong to admin group, nor to a group allowed to parse phpBB posts as html.
...<b> your post is not parsed as html, but like phpBB normal post</b>.
Who is in charge to archive the post is the native phpBB code, not the extension code. The extension code just let parse a post as html, if you as author are allowed to do so (and you added the placeholder on post).
Are you an admin here? or a moderator that can edit posts (**so that could put malicious code into the post... it will be fixed next 1.0.1).

I forget to mention that the post DO NOT NEED to contain bbcode and/or <b>SMILIES</b>! Or the post will be parsed as pure text!

If anybody able to exploit this, i will paypal 300$.
I make it easier for you: the placeholder is the default here.

Ps** about unique security risk i see: the unique problem that can come out, is that if a post is by an admin, then a moderator (which should not be allowed to edit the html post) go to edit it and putting on it some malicious code.
It also will be fixed, the post containing html code to be parsed will be allowed to be edited only if the user belong to admin group, or the user id is one of the allowed to post/edit html, and not if is just moderator allowed to edit posts.

I am thinking to add feature by IDS. Only specified user's IDS and admins, will be allowed to have posts parsed as html when they need or to edit.
Should be nice.

[axew3]

So, to finalize the concept why, many had think that html on phpBB was not safe, is mainly due to a problem i have after think about:

how to avoid the problem that an user, allowed to parse html on posts, go to insert a new html post, then a moderator come to edit his post, adding more malicious code?

The solution to this could be a flag added into post's data arrays using a listener, that after let detect if it is an html post or not, and if a moderator so, can or not edit it.
OR, instead, another easy solution that i will apply will this:
since it has been added an array of usersIDS to detect that an user, beside if he is admin, or normal user, can or not add html on posts, then if/when an user that do not belong to admins group, or do not have the ID into the html allowed users array, then when he will go to edit a post containing the [HTMLMARKUP] tag, and will go to save it, the post will be cleaned up by any htmlplaceholder.
Problem resolved. His edit on html posts will have no effect.
Unique misleading behavior is that if a moderator go to edit an html post which should not, because his id is not on the array of allowed users, and it contain the html placeholder, then the post will be cleaned up of html tags. And his malicious intent will fail.
When the admin will discover that his post is not anymore html due to an edit by a moderator, may he will know that it is time to ban this user.

This will demonstrate that safe html on phpBB posts is very possible. It is coming 1.0.1.
Stay tuned lovely and cool people.

[axew3]

Yes, the problem has been resolved.
Adding userIDs allowed to parse html on posts, it is possible to cleanup the post text from the html placeholder, if the user is not an admin or his user ID do not belong to the array of users allowed to parse html.
It has been really easy.

a code comment say this (on coming 1.0.1)

// the only inconsistency is that if a moderator edits a post of a user who has permission to execute html on the post:
// the html on post will be nullified, because any html placeholders will be removed from the post before to be stored
// NOBODY but admins and usersIDS on 'uids_html_allowed_ary' can post the Html markup placeholder

That is.

[axew3]

1.0.1 is coming, i like to log how it work the whole thing and how it has been possible to make it safe to be used, also when a moderator could edit a post that contain the [HTMLMARKUP] placeholder, adding malicious code on it.

How it has been resolved?
The whole logic do this:

When a post is inserted, **if the user that is posting do NOT belong to admins, or to the array of user's IDS allowed to use the [HTMLMARKUP] placeholder into phpBB posts, the post will be cleaned UP of all [HTMLMARKUP] placeholders.
But the security is not limited to this.
When a request is done to phpBB to display a post, it will be parsed as HTML only if the user that posted the post, BELONG to admins group, or the poster userID exist into the array of user's IDS allowed to manage html into phpBB posts.

**
What about if a moderator go to edit an admin post or a post of an userID allowed to parse posts as html, injecting malicious code?
Nothing will happen. The post will be cleaned up of any [HTMLMARKUP] placeholders, and the post will become a normal post.

No way to get out by this situation. HTML posts into phpBB is now possible.
Many said phpBB html posts was/is not safe...
Stay tuned ... it will be cool

[axew3]

I liked to move the code of the HTML on posts to the next step in few lines of code, it allows to parse HTML only to ADMINS group, and all users that are into the allowed passed UIDS array.

Only these users can add the [HTMLMARKUP]. Any other that attempt to add into a post and is not allowed cause that the post is cleaned up of the (any) [HTMLMARKUP] placeholder.
Any other user allowed to edit posts, that will attempt to edit a post with [HTMLMARKUP] placeholder, if do not belong to admins or allowed array of userIDS (even if a moderator) will cause that the post will be cleaned up from the html placeholdrer, so that the post will return to be a normal post, parsed by phpBB in the common way.

I liked also, in really few lines, to cleanup the html markup so to have the ability to post something like this (the embed share code from youtube):

Code: Select all

<iframe width="560" height="315" src="https://www.youtube.com/embed/MmOau-PMWJk" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
<script>alert('It must have been an angel come down from above');
</script>

<p style="text-align:center;font-size:120%;padding:20px;">I liked to add also this!</p>

<iframe width="560" height="315" src="https://www.youtube.com/embed/wqFeYSCDXzY" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>

note that the javascript come in two lines and normally phpBB parsing functions, would add so a tag <br /> that make it fail the parsing of the code, the result would be this:

Code: Select all

<script>alert('I have youtube any any html embedded into a post');
<br />
</script>

It has been resolved, and the code perform more basic cleanups but may something more need to be fixed.
It work any test i did at moment, the 1.0.1 will so soon released after some little more test.
This is not an HTML post, but next in reply will be, using same code as the example above. It start with [HTMLMARKUP] and only my user and the admins group can edit the post adding something wrong.

[axew3]

I liked to add also this!

[axew3]

Let test 4 together with just this code on next post:
the <iframe> code you see, come from the Youtube Embed button share option, that appear when you click on the Share button. Just click on it and copy (i just substituted width and height attribute value to accomplish to what i want to display here, so changed into width="100%" height="100%)

Code: Select all

[HTMLMARKUP] 
<table style="width:100%;text-align:center;margin:0; padding:0px;"><tr>
<td style="max-width:25%"><iframe width="100%" height="100%" src="https://www.youtube.com/embed/4FG-106Opxg?controls=0" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></td>
<td style="max-width:25%"><iframe width="100%" height="100%" src="https://www.youtube.com/embed/JvLMRwJDiRc?controls=0" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></td>
<td style="max-width:25%"><iframe width="100%" height="100%" src="https://www.youtube.com/embed/LanCLS_hIo4?controls=0" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></td>
<td style="max-width:25%"><iframe width="100%" height="100%" src="https://www.youtube.com/embed/JPjyue81qhU?controls=0" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></td>
</tr></table>

<table style="width:100%;text-align:center;margin:0; padding:0px;"><tr>
<td style="max-width:50%"><iframe width="100%" height="100%" src="https://www.youtube.com/embed/dV67vnRNMOA?controls=0" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></td>
<td style="max-width:50%"><iframe width="100%" height="100%" src="https://www.youtube.com/embed/VAVER-QBEyI?controls=0" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></td>  
</tr></table>

[axew3]

[axew3]

So what about if we want the post to be parsed as html, but in between we want also pure text?
Cleaning up any <br> tag spaces or something else, will result that the text will be not readable.
The problem has been resolved this way (look that also the script written in more lines will work fine):

if we want to write text and not html or javascript, then we'll do like this:

Code: Select all

[HTMLMARKUP]  
test that this is <b>htmlcode</b>
[HTMLTEXT]
my text
in 
more lines
<p>text me<br> with a <br/> br tag</p>
this is not parsed as html
[/HTMLTEXT]

<h1>ok!</h1>
<b>test me! again</b>
<p style="text-align:center">test</p>fdfbdsf dge geddd
[HTMLTEXT]
<p>test me <br>and br here<br>and here</p>
this is not parsed as html
[/HTMLTEXT]
sasdadsadsasasadsdas

[HTMLTEXT]
<p>bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb</p>
this is not parsed as html
[/HTMLTEXT]

<table style="width:100%;text-align:center;margin:0; padding: 10px;"><tr>
<td style="max-width:25%"><iframe width="100%" height="100%" src="https://www.youtube.com/embed/xdx-WGUqx2A?controls=0" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></td>
<td style="max-width:25%"><iframe width="100%" height="100%" src="https://www.youtube.com/embed/xdx-WGUqx2A?controls=0" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></td>
<td style="max-width:25%"><iframe width="100%" height="100%" src="https://www.youtube.com/embed/xdx-WGUqx2A?controls=0" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></td>
<td style="max-width:25%"><iframe width="100%" height="100%" src="https://www.youtube.com/embed/xdx-WGUqx2A?controls=0" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></td>
</tr></table>

<br><br>
<script>alert('WoW!');
</script>
<iframe width="560" height="315" src="https://www.youtube.com/embed/xdx-WGUqx2A?controls=0" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
 
<a href="test.com">test link</a>  
<b> and bolder</b>

Stay tuned lovely and cool people, you never seen an html editor within a phpBB post done so easily!
The html on posts extension will be released very soon!

viewtopic.php?t=1769

[axew3]

1.0.1 has been released, enjoy here:
viewtopic.php?t=1776

[Random American]

Thanks, though I personally will never use it, as I see no reason to use HTML outside of an HTML or php page.

[axew3]

Well, yes or no, without using an extension, you could achieve results that you may wants only in certain cases, to show something into a post or to start a topic. The code also show that it is possible to add (safely) HTML on posts.

If the HTML extension is then uninstalled,is possible to remove all HTML posts searching for posts containing the string
[HTMLMARKUP]

maybe not so useful if not for some very particular case!