- Joined
- Nov 23, 2014
- Messages
- 15,144
- Trophies
- 0
- Location
- Canberra, Australia
- Website
- boot9strap.com
- XP
- 11,119
- Country
Just filter bad code out like iframe and script. That's what AcmlmBoard does.Allowing posting HTML is a bad idea, since by extension it allows posting whatever JS scripts you want, which can do dangerous things.
It's not that simple. Sure you can strip out script tags, but can all of the onWhatever attributes be stripped out? Can it be guarenteed that all new onWhatever attributes added to browsers can be filtered out? Allowing up HTML posting opens the door to either security vulnerabilities or requires impecable filtering considering the entire HTML standard.Just filter bad code out like iframe and script. That's what AcmlmBoard does.
Good point, actually.It's not that simple. Sure you can strip out script tags, but can all of the onWhatever attributes be stripped out? Can it be guarenteed that all new onWhatever attributes added to browsers can be filtered out? Allowing up HTML posting opens the door to either security vulnerabilities or requires impecable filtering considering the entire HTML standard.
Are you in control of bb code or does that come from somewhere else? It would be nice to be able to place elements next to each other and also resize images. If you're getting an image from an outside url you don't have the ability to change the size.It is not possible to use HTML in posts or signatures, no.
We have a large list of BBcode that should cover a lot of use cases, though.
I have no experience with Xenforo personally, but all other forum softwares allow you to add custom bbcode, so I would assume Xenforo does as well.Are you in control of bb code or does that come from somewhere else? It would be nice to be able to place elements next to each other and also resize images. If you're getting an image from an outside url you don't have the ability to change the size.