Discuss mailing list

["Dmitry S. Nikolaev" <dn AT mega-net.ru>]

Hi Al.

And what about this ? If you are talking about existing code - provide full code.
If you are talking in the abstract - I don`t understood what you mean.

Ofc that you need "straight hands" and "brain not in the ass" :) when you doing by yourself.

With best regards, Dmitry S. Nikolaev

Moscow, Russia
phone: +7 (499) 678 8007 [ext. 6003]
fax: +7 (499) 678 8007 [ext. 7777]
www: http://www.mega-net.ru
mail: dnikolaev AT mega-net.ru
SIP URI: dnikolaev AT sip.mega-net.ru || dn AT sip.mega-net.ru

On 12.09.2017 09:19, Al Beano wrote:

What about [b _onclick_="myevilscript()"]?

Use a proper BBCode library, there's scope for so much to go wrong if you do it yourself. 

On 12 September 2017 04:21:34 BST, "Dmitry S. Nikolaev" <dn AT mega-net.ru> wrote:

If you want to allow to use HTML tags, so do it by replacement to
bbcodes.
<b>to [b]
<div> to [div]
and so on + always use htmlspecialchars function on all user input.

It`s safe to use this way.


With best regards, Dmitry S. Nikolaev

Moscow, Russia
phone: +7 (499) 678 8007 [ext. 6003]
fax: +7 (499) 678 8007 [ext. 7777]
www: http://www.mega-net.ru
mail: dnikolaev AT mega-net.ru
SIP URI: dnikolaev AT sip.mega-net.ru || dn AT sip.mega-net.ru

On 11.09.2017 20:31, Jeff Taylor wrote:

Perhaps, but my mind went to basic HTML tags like <b> and <div>...
sure you can enter styles and screw with the page formatting, but
otherwise there's nothing dangerous there.

Also... was sick, still sick, wasn't thinking clearly.  So as I said,
never assume anything is 'obvious'.


On 09/11/2017 10:58 AM, Al Beano wrote:

If <marquee> tags are available should it not follow that <script>

tags and other JS attributes are also allowed?

On 11 September 2017 17:55:12 BST, Jeff Taylor

<shdwdrgn AT sourpuss.net> wrote:

I appreciate the offer.  It's not really a matter of not being

*able*

to 
fix it, I'm fairly fluent in PHP and its shortcomings in many of

its 

functions that don't quite live up to their names, it's more a

matter

of 
having the problem pointed out to me.  If someone had just said

"hey we

can enter <script> tags in the fields", it would have immediately 
clicked that yes, this is a very very bad thing, and I would have
locked 
it down right away.


On 09/11/2017 02:04 AM, Dmitry S. Nikolaev wrote:

Hi Jeff.

First of all get well and be healthy.

I did not quite understand who did and what did, but I understood

that 

someone hack something.
I dont see any discussion about it.

If it is PHP code, so maybe I can help you. Write if you need

help.

We 

will see what we can do.

Good luck !
With best regards, Dmitry S. Nikolaev

Moscow, Russia
phone: +7 (499) 678 8007 [ext. 6003]
fax: +7 (499) 678 8007 [ext. 7777]
www:http://www.mega-net.ru
mail:dnikolaev AT mega-net.ru
SIP URI:dnikolaev AT sip.mega-net.ru  ||dn AT sip.mega-net.ru
On 11.09.2017 07:52, Jeff Taylor wrote:

Last night I got an ear infection plus bad acid reflux and didn't

hardly sleep at all.  So you can imagine my state of mind when I

got

up this morning to find a discussion between T1 and T2 operators 
talking vaguely about an exploit they found in the servers page,

and

the page itself broken and not providing usable info.  It took me

quite awhile to dig through everything and determine exactly what

was 

done and start working towards repairing the intentional damage.

OK, it's a fair point that I didn't properly sanitize the input. 

However we're talking about a page that has been online for the

past

two years without any problems, but for some reason you decided

that

immediate action must be taken right this very second.  And not a

single one of you assholes had the courtesy to even send me a PM

to 

say "hey we found this problem in your page and these are the

actions 

we took."  Seriously, I know some of you newcomers are in your

teens, 

but do you really have to ACT like it?  This is a community

project,

it exists because people in the past have worked *together* to

solve

problems. It's not a hacking contest to see who can blow up each 
other's contributions.

There have been a lot of complaints about my code in the past.

Yes I

write in Bash and PHP, and yes my code isn't going to be the

easiest

to read.  There's also the constant complaints that I don't post

my 

code on repo-of-the-week, which I've discussed several times on

IRC 

but nobody seems to care.  Just how many 'official'

source-hosting 

pages has opennic been through?  We've been in sourceforge, but

we 

don't trust them now.  What was the one that did SVN?  And of

course

there's the numerous local repos that people have run over the

years

which up and disappear one day without warning.  I've submitted a

fair chunk of my code at least twice.  And poof, there's no

evidence

remaining that it ever existed.

I have limited time to work on opennic, but I've churned out an 
incredible amount of code for the project over the years.  There

is 

very little of opennic's infrastructure that I haven't had a hand

in

or written completely from scratch.  Everybody that comes through

always has their own ideas on how things should be done, what

changes 

need to be made, and yet almost none of those people have

actually 

contributed anything.  Opennic owes its very existence to those

few 

people such as myself who have dedicated months or years of 
programming time to provide the services that everyone else uses

on

a 

daily basis.  There is a huge amount of code in the background

that

I 

personally own and have to troubleshoot when things go wrong.  I 
spend what time I can either fixing the larger problems or trying

to

set up new code to provide features.  I have dedicated time

nearly 

daily to making sure things run smoothly or fixing whatever is 
broken, and the thanks I get is "hey lets fuck up his shit and

see 

how long it takes him to figure it out."  Real mature.

If anyone wants a copy of my working code, I have always been

happy 

to provide it.  It may take me some time to get it together, but

I've 

always given it.  And I would love to have others help clean

things 

up, especially the registrar code behind reg.for.free. 

Unfortunately 

the only feedback I have ever gotten is "I don't like your

standard 

use of single- and double-quotes... here's a rewrite to quote

things

MY way."  I don't have time to keep learning a new repo system

every

year or two and I no longer have the patience to care, but if

someone 

else wants to do the deed I've already mentioned many times that

I

am 

happy to help work with them.

I've been thinking about this all day and I'm still pissed, and 
apparently still can't even coherently express my frustration, so

let 

me summarize... Grow the fuck up and learn how to actually work

with

other people who are in different times zones.  People have

pointed 

out bugs in my code before, and I almost always get them fixed

within 

a day or two.  Yeah I make mistakes, I know this and I know

enough

to 

understand the problem when they are pointed out, assuming you 
actually give me the chance.


--------
You are a member of the OpenNIC Discuss list.
You may unsubscribe by

emailingdiscuss-unsubscribe AT lists.opennicproject.org

--------
You are a member of the OpenNIC Discuss list.
You may unsubscribe by emailing

discuss-unsubscribe AT lists.opennicproject.org

------------------------------------------------------------------------

--------
You are a member of the OpenNIC Discuss list. 
You may unsubscribe by emailing
discuss-unsubscribe AT lists.opennicproject.org

--------
You are a member of the OpenNIC Discuss list. 
You may unsubscribe by emailing

discuss-unsubscribe AT lists.opennicproject.org

--------
You are a member of the OpenNIC Discuss list. 
You may unsubscribe by emailing

discuss-unsubscribe AT lists.opennicproject.org



------------------------------------------------------------------------



--------
You are a member of the OpenNIC Discuss list. 
You may unsubscribe by emailing
discuss-unsubscribe AT lists.opennicproject.org

--------
You are a member of the OpenNIC Discuss list. 
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org