phpBB HTML MOD

Random American
User w
Posts: 7
Joined: Tue Oct 27, 2020 5:52 pm

phpBB HTML MOD

Post by Random American »

Hello.

I still don't recommend that you enable HTML (for massive security reasons) but I found an old MOD that enabled it on phpBB 3.0.x: https://web.archive.org/web/20090221085 ... f=31&t=535

I also have it as an attachment on my own site if that link doesn't work.

This old code may be useful to port such functionality as an extension. It will not work without updates on new phpBB versions. It must be ported.
axew3
w3all User
Posts: 2689
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy

Re: phpBB HTML MOD

Post by axew3 »

Thank you. I normally do not look into others' ways, so I will try to check the code in it, maybe only after I have finished seeing whether it is possible to do it in the way I have thought of. It should be very easy and light :!: :?:
I will reply ASAP with news and an explanation of why to me it is secure, and whether it is possible to achieve it the way I think. Thank you again, see you soon!
axew3
w3all User
Posts: 2689
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy

Re: phpBB HTML MOD

Post by axew3 »

Example. An admin who starts the post with
[HTMLMARKUP]
will have the post content parsed as HTML. The placeholder can also be changed, but that is not about security; read the inline code comments:

Code:

  // © axew3.com
  public function viewtopic_modify_post_data($e)
  {
    $e_rowset = $e['rowset'];

    foreach ($e_rowset as $p => $pp)
    {
      // Only posts that start with the placeholder are processed
      if (substr($pp['post_text'], 0, 15) === '<t>[HTMLMARKUP]') // ** can be changed to a custom word
      {
        // Look up the poster's default group; user_id is cast to int before it enters the query
        $sql = 'SELECT group_id FROM ' . USERS_TABLE . ' WHERE user_id = ' . (int) $pp['user_id'];
        $res = $this->db->sql_query($sql);
        $row = $this->db->sql_fetchrow($res);
        $this->db->sql_freeresult($res);

        // Only the user's default group is considered here, admin in this case
        // (sql_fetchrow() returns false when no user row is found)
        if ($row && (int) $row['group_id'] === 5)
        {
          // $parse_flags is only needed by the commented-out generate_text_for_display() call below
          $parse_flags = ($pp['bbcode_bitfield'] ? OPTION_FLAG_BBCODE : 0) | OPTION_FLAG_SMILIES;
          // ** the HTMLMARKUP placeholder can be changed into something custom, so that only users that know the magic word can add HTML code that will be parsed,
          // this just avoids that anybody can joke with the thing, slowing down the foreach by adding the magic word, even if for him it will never be parsed (it will be secure anyway)...
          $e_rowset[$p]['post_text'] = str_replace('[HTMLMARKUP]', '', $pp['post_text'], $count); // $count not used, but could be for more complex things
          // !! if the post_text also contains even one single bbcode, the following line will NOT let the subsequent html_entity_decode() parse it as html
          // $e_rowset[$p]['post_text'] = generate_text_for_display($e_rowset[$p]['post_text'], $pp['bbcode_uid'], $pp['bbcode_bitfield'], $parse_flags, true);
          $e_rowset[$p]['post_text'] = html_entity_decode($e_rowset[$p]['post_text']);
        }
      }
    }

    $e['rowset'] = $e_rowset;
    unset($e_rowset);
  }

I will install it here at axew3.com when ready, with the challenge: 300$ to whoever is capable of showing how it could be exploited :D
Do not waste your time, it is impossible.
This is stupid code. For this reason it cannot be exploited. It is KISS

P.S. Something in the flow needs to be changed to not waste resources; I will fix it tonight.
It is just a test snippet.
The $e_rowset = $e['rowset']; assignment needs to be done only when it is required because a topic post contains the magic word, and not always.

Stay tuned, it will be cool ;)
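
Added example, not part of the post above or of the extension: the posted function hands the decoded markup of a matching post to every viewer without filtering, so one way to narrow what can reach the browser is an allowlist pass over the result of html_entity_decode(). The function name sanitize_post_html, the tag and attribute lists and the sample input are assumptions made for this illustration.

```php
<?php
// Added example, not the extension's code. Names and lists are assumptions.
const ALLOWED_TAGS = ['div', 'p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol',
                      'li', 'pre', 'code', 'blockquote', 'a'];
const ALLOWED_ATTRS = ['a' => ['href', 'title']];
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed'];

function sanitize_post_html(string $html): string
{
    libxml_use_internal_errors(true); // sloppy markup should not emit warnings
    $doc = new DOMDocument();
    // The XML prolog makes libxml read the fragment as UTF-8.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>', LIBXML_NONET);
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    $xpath = new DOMXPath($doc);
    // Snapshot the element list first, because the loop edits the tree.
    foreach (iterator_to_array($xpath->query('.//*', $body), false) as $el) {
        $tag = strtolower($el->nodeName);
        if (in_array($tag, DROP_WITH_CONTENT, true)) {
            $el->parentNode->removeChild($el);
            continue;
        }
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            // Unknown element: keep only its text, which is escaped on output.
            $el->parentNode->replaceChild($doc->createTextNode($el->textContent), $el);
            continue;
        }
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            $name = strtolower($attr->nodeName);
            $ok = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true);
            if ($ok && $name === 'href') {
                // Links must start with an expected scheme, a path or a fragment.
                $ok = preg_match('~^(https?://|mailto:|/|#)~i', $attr->value) === 1;
            }
            if (!$ok) { $el->removeAttributeNode($attr); }
        }
    }
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}
// Constructed sample of decoded post text (not taken from a real post).
$decoded = '<p onclick="x()">Hi <a href="javascript:x()" title="t">link</a></p>'
         . '<script>x()</script><img src="a.png" onerror="x()">';
echo sanitize_post_html($decoded), "\n";
```

In the posted function such a filter would wrap the html_entity_decode() call; it limits what a compromised or careless admin account can publish, but it does not replace the group check.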
Random American
User w
Posts: 7
Joined: Tue Oct 27, 2020 5:52 pm

Re: phpBB HTML MOD

Post by Random American »

Sorry, I'm a novice when it comes to php, so I don't think I can validate your code.
axew3
w3all User
Posts: 2689
Joined: Fri Jan 22, 2016 5:15 pm
Location: Italy

Re: phpBB HTML MOD

Post by axew3 »

OK, I have tried to check several ways and the result is that this solution is the best.
It is fast and secure.
There was only a problem if the post contains bbcode: then the HTML would not be parsed.
So, if in my HTML post I want to display an existing bbcode to explain something about it, or just because I like to do so, how should I do it?
Using entities:
&#91; is [
&#91; is ]
so

Code:

&#91;b&#93;test me i want to show bbcode tag into my html&#91;/b&#93;
the result will be this:

Code:

[b]test me i want to show bbcode tag into my html[/b]
Nice hidden jokes can be done in phpBB, don't you think?
The summary of all thoughts about HTML in phpBB posts, wow, is that the code in the function above will always work fine, and is perfect as is.
The extension will be released tomorrow, fixed in every aspect. It is perfect at first try
HackerJoe

Re: phpBB HTML MOD

Post by HackerJoe »

<a href="/contact" aria-label="If you find that you need additional
assistance in navigating or accessing the content of this website,
please call our customer service toll free number 1-800-666-8654309" title="If
you find that you need additional assistance in navigating or accessing
the content of this website, please call our customer service
toll free number 1-800-666-8654309">
Contact
</a>
<a href="/login" aria-label="If you find that you need additional assistance in navigating or accessing the content of this website, please call our customer service toll free number 1-800-666-8654309" title="If you find that you need additional assistance in navigating or accessing the content of this website, please call our customer service toll free number 1-800-666-8654309">
Login
</a>