Re: [opennic-discuss] This is my %#$ rant


  • From: Al Beano <albino AT autistici.org>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] This is my %#$ rant
  • Date: Tue, 12 Sep 2017 07:19:54 +0100

What about [b onclick="myevilscript()"]?

Use a proper BBCode library, there's scope for so much to go wrong if you do
it yourself.

On 12 September 2017 04:21:34 BST, "Dmitry S. Nikolaev" <dn AT mega-net.ru>
wrote:
>If you want to allow the use of HTML tags, do it by replacement with
>bbcodes:
><b> to [b]
><div> to [div]
>and so on, and always use the htmlspecialchars function on all user input.
>
>It's safe to use this way.
>
>
>With best regards, Dmitry S. Nikolaev
>
>Moscow, Russia
>phone: +7 (499) 678 8007 [ext. 6003]
>fax: +7 (499) 678 8007 [ext. 7777]
>www: http://www.mega-net.ru
>mail: dnikolaev AT mega-net.ru
>SIP URI: dnikolaev AT sip.mega-net.ru || dn AT sip.mega-net.ru
>
>On 11.09.2017 20:31, Jeff Taylor wrote:
>> Perhaps, but my mind went to basic HTML tags like <b> and <div>...
>> sure you can enter styles and screw with the page formatting, but
>> otherwise there's nothing dangerous there.
>>
>> Also... was sick, still sick, wasn't thinking clearly. So as I said,
>> never assume anything is 'obvious'.
>>
>>
>> On 09/11/2017 10:58 AM, Al Beano wrote:
>>> If <marquee> tags are available, should it not follow that <script>
>>> tags and other JS attributes are also allowed?
>>>
>>> On 11 September 2017 17:55:12 BST, Jeff Taylor
>>> <shdwdrgn AT sourpuss.net> wrote:
>>>> I appreciate the offer. It's not really a matter of not being *able*
>>>> to fix it; I'm fairly fluent in PHP and its shortcomings in many of its
>>>> functions that don't quite live up to their names. It's more a matter
>>>> of having the problem pointed out to me. If someone had just said "hey we
>>>> can enter <script> tags in the fields", it would have immediately
>>>> clicked that yes, this is a very very bad thing, and I would have
>>>> locked it down right away.
>>>>
>>>>
>>>> On 09/11/2017 02:04 AM, Dmitry S. Nikolaev wrote:
>>>>> Hi Jeff.
>>>>>
>>>>> First of all, get well and be healthy.
>>>>>
>>>>> I did not quite understand who did what, but I understood that
>>>>> someone hacked something.
>>>>> I don't see any discussion about it.
>>>>>
>>>>> If it is PHP code, maybe I can help you. Write if you need help.
>>>>> We will see what we can do.
>>>>>
>>>>> Good luck!
>>>>> With best regards, Dmitry S. Nikolaev
>>>>>
>>>>> Moscow, Russia
>>>>> phone: +7 (499) 678 8007 [ext. 6003]
>>>>> fax: +7 (499) 678 8007 [ext. 7777]
>>>>> www: http://www.mega-net.ru
>>>>> mail: dnikolaev AT mega-net.ru
>>>>> SIP URI: dnikolaev AT sip.mega-net.ru || dn AT sip.mega-net.ru
>>>>> On 11.09.2017 07:52, Jeff Taylor wrote:
>>>>>> Last night I got an ear infection plus bad acid reflux and hardly
>>>>>> slept at all. So you can imagine my state of mind when I got up this
>>>>>> morning to find a discussion between T1 and T2 operators talking
>>>>>> vaguely about an exploit they found in the servers page, and the page
>>>>>> itself broken and not providing usable info. It took me quite a while
>>>>>> to dig through everything and determine exactly what was done and
>>>>>> start working towards repairing the intentional damage.
>>>>>>
>>>>>> OK, it's a fair point that I didn't properly sanitize the input.
>>>>>> However we're talking about a page that has been online for the past
>>>>>> two years without any problems, but for some reason you decided that
>>>>>> immediate action must be taken right this very second. And not a
>>>>>> single one of you assholes had the courtesy to even send me a PM to
>>>>>> say "hey we found this problem in your page and these are the actions
>>>>>> we took." Seriously, I know some of you newcomers are in your teens,
>>>>>> but do you really have to ACT like it? This is a community project;
>>>>>> it exists because people in the past have worked *together* to solve
>>>>>> problems. It's not a hacking contest to see who can blow up each
>>>>>> other's contributions.
>>>>>>
>>>>>> There have been a lot of complaints about my code in the past. Yes I
>>>>>> write in Bash and PHP, and yes my code isn't going to be the easiest
>>>>>> to read. There are also the constant complaints that I don't post my
>>>>>> code on repo-of-the-week, which I've discussed several times on IRC
>>>>>> but nobody seems to care. Just how many 'official' source-hosting
>>>>>> pages has opennic been through? We've been in sourceforge, but we
>>>>>> don't trust them now. What was the one that did SVN? And of course
>>>>>> there are the numerous local repos that people have run over the years
>>>>>> which up and disappear one day without warning. I've submitted a
>>>>>> fair chunk of my code at least twice. And poof, there's no evidence
>>>>>> remaining that it ever existed.
>>>>>>
>>>>>> I have limited time to work on opennic, but I've churned out an
>>>>>> incredible amount of code for the project over the years. There is
>>>>>> very little of opennic's infrastructure that I haven't had a hand in
>>>>>> or written completely from scratch. Everybody that comes through
>>>>>> always has their own ideas on how things should be done, what changes
>>>>>> need to be made, and yet almost none of those people have actually
>>>>>> contributed anything. Opennic owes its very existence to those few
>>>>>> people such as myself who have dedicated months or years of
>>>>>> programming time to provide the services that everyone else uses on a
>>>>>> daily basis. There is a huge amount of code in the background that I
>>>>>> personally own and have to troubleshoot when things go wrong. I
>>>>>> spend what time I can either fixing the larger problems or trying to
>>>>>> set up new code to provide features. I have dedicated time nearly
>>>>>> daily to making sure things run smoothly or fixing whatever is
>>>>>> broken, and the thanks I get is "hey let's fuck up his shit and see
>>>>>> how long it takes him to figure it out." Real mature.
>>>>>>
>>>>>> If anyone wants a copy of my working code, I have always been happy
>>>>>> to provide it. It may take me some time to get it together, but I've
>>>>>> always given it. And I would love to have others help clean things
>>>>>> up, especially the registrar code behind reg.for.free. Unfortunately
>>>>>> the only feedback I have ever gotten is "I don't like your standard
>>>>>> use of single- and double-quotes... here's a rewrite to quote things
>>>>>> MY way." I don't have time to keep learning a new repo system every
>>>>>> year or two and I no longer have the patience to care, but if someone
>>>>>> else wants to do the deed I've already mentioned many times that I am
>>>>>> happy to help work with them.
>>>>>>
>>>>>> I've been thinking about this all day and I'm still pissed, and
>>>>>> apparently still can't even coherently express my frustration, so let
>>>>>> me summarize... Grow the fuck up and learn how to actually work with
>>>>>> other people who are in different time zones. People have pointed
>>>>>> out bugs in my code before, and I almost always get them fixed within
>>>>>> a day or two. Yeah I make mistakes, I know this and I know enough to
>>>>>> understand the problem when they are pointed out, assuming you
>>>>>> actually give me the chance.
>>>>>>
>>>>>>
>>>>>> --------
>>>>>> You are a member of the OpenNIC Discuss list.
>>>>>> You may unsubscribe by emailing
>>>>>> discuss-unsubscribe AT lists.opennicproject.org
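The attribute problem raised at the top of this thread, as an added example that is not code from the thread or from OpenNIC: escape the whole input with htmlspecialchars first, then convert only exact whitelisted bracket tokens back into HTML, so a token such as `[b onclick="..."]` is never turned into a tag. The allowed-tag list and the sample inputs are assumptions constructed for the demonstration.

```php
<?php
// Added example (not from this thread or OpenNIC): escape first, then convert
// only exact whitelisted BBCode tokens, so bracket contents never become markup.

// Tag names that may be emitted (assumed list); no attributes are ever copied.
const BBCODE_ALLOWED = ['b', 'i', 'div'];

function render_bbcode(string $input): string
{
    // Step 1: neutralise every HTML-significant character, quotes included.
    $escaped = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2: only tokens of the exact form [name] or [/name] are touched;
    // "[b onclick=...]" does not match, so it remains escaped literal text.
    $open = [];
    $html = preg_replace_callback(
        '#\[(/?)([a-z]+)\]#',
        function (array $m) use (&$open): string {
            [$token, $slash, $name] = $m;
            if (!in_array($name, BBCODE_ALLOWED, true)) {
                return $token;  // unknown tag: leave it visible as text
            }
            if ($slash === '') {
                $open[] = $name;
                return "<$name>";
            }
            // Closing tag: honour it only if it matches the innermost open
            // tag, so stray or mis-nested closers cannot yield broken markup.
            if (end($open) === $name) {
                array_pop($open);
                return "</$name>";
            }
            return $token;
        },
        $escaped
    );

    // Step 3: close anything the user left open, innermost first.
    while (($name = array_pop($open)) !== null) {
        $html .= "</$name>";
    }
    return $html;
}

// Constructed inputs mirroring the cases discussed in the thread.
foreach (['[b]bold[/b] and <script>alert(1)</script>',
          '[b onclick="myevilscript()"]click me[/b]',
          '[div][b]unclosed'] as $s) {
    echo render_bbcode($s), PHP_EOL;
}
```

For the second input the bracket contents are emitted as escaped text rather than as an element attribute, which is exactly the case a copy-the-brackets converter gets wrong.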




Archive powered by MHonArc 2.6.19.
