Omnimaga
Omnimaga => Site Feedback and Questions => Topic started by: Jim Bauwens on July 29, 2013, 06:45:06 am
-
As I demonstrated here, http://ourl.ca/19304, you can easily manipulate the URL that gets loaded inside the Vimeo player (just an iframe). Although you're still limited to the player.vimeo.com domain (you can load any site on that domain), I think there should be some added protections. The same issue exists with the Nico video player: you can load any JS script from the ext.nicovideo.jp domain. While this is still very restricted, it's important to remember that if Vimeo or Nico change something on their website, those things might be used to exploit stuff here.
-
Are those tags at all used? Because IMO they could be removed if not.....
-
Wow I totally forgot that those tags existed. I believe I added them via custom BBCode, as well as the wikipedia ones. Since they are hardly ever used I guess they could be removed. However, it might be worth it to check if the Wikipedia/etc tags have the same problem as well, because if that's the case, then it's the entire custom BBCode mod that is at fault and it should be reported to its author on SMF.
-
/me just thought of an evil, EVIL idea, that he'll never do.
Imagine if someone realized that, and trolled the entire forum by putting that in their signature. (Under a spoiler, to make it difficult to see where the Rick Roll is coming from.)
-
*cough* We already thought of that. :P But yea. NO ONE DO THAT.
-
so THAT is why spoilers aren't allowed anymore in sigs XD
Also, I already thought of that
-
Believe it or not, it's already been done, except invisible :P (a certain retired admin who had a knack for embedding stuff)
Anyway, hope there's a fix for this :/ at least it can't just load code from anywhere.
-
Believe it or not, it's already been done, except invisible :P (a certain retired admin who had a knack for embedding stuff)
Anyway, hope there's a fix for this :/ at least it can't just load code from anywhere.
Two admins actually :P
Also it used HTML bbcode, not an exploit (admins can put HTML inside posts)
-
Can they still do that? O.O I thought it was disabled by now
-
I doubt it was disabled, since no admin ever abused it dangerously. The farthest it ever went was the embedded rickrolls by me and ztrumpet, that one redirect by me (fake intro topic) and other than that it has actually been pretty useful. For example, in the tutorials section, older tutorials were made so that if the author edits his forum topic, it automatically updates the tutorial too, or other things such as that one tutorial Eeems made once with pretty colors.
Plus, even if HTML ever got disabled, admins could just add it via the database anyway :P
-
Yeah, I think I was the one who added the Vimeo and Niconico tags, you had to do something like http://player.vimeo.com/video/<videoid> where <videoid> is whatever is inside the tag. I doubt there will be any security issue by adding the extra options (as Vimeo or whatever will make sure there isn't any security issue in their own player), and you won't be able to hide the player by setting the width/height to 0. Plus I bet it would be kind of a PITA to write something that removes those options.
So I would say to leave this as it is now, as nothing harmful would happen other than scaring someone with an autoplay (something at least 2-3 (former) admins already did).
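As an added illustration (not code from SMF, this forum's custom BBCode mod, or any poster above), here is the plain concatenation of the tag contents into the player URL, as the posts describe it, beside a version that only accepts a numeric Vimeo id. The tag format, the function names and the id length limit are assumptions.

```python
import re
from html import escape
from typing import Optional

# Assumed expansion, following the post above:
# [vimeo]<videoid>[/vimeo] -> <iframe src="http://player.vimeo.com/video/<videoid>">
VIMEO_BASE = "http://player.vimeo.com/video/"

# Vimeo ids are plain decimal numbers; the 1-12 digit bound is an assumed sanity limit.
VIDEO_ID_RE = re.compile(r"[0-9]{1,12}")


def render_vimeo_naive(tag_content: str) -> str:
    """Plain string concatenation: whatever is inside the tag ends up in the URL,
    so extra path segments stay within player.vimeo.com but pick the page."""
    return f'<iframe src="{VIMEO_BASE}{tag_content}"></iframe>'


def render_vimeo_strict(tag_content: str) -> Optional[str]:
    """Only a purely numeric id is accepted; any other content is rejected
    (returns None) instead of being passed through to the iframe."""
    video_id = tag_content.strip()
    if not VIDEO_ID_RE.fullmatch(video_id):
        return None
    # Attribute-escape the final URL so it cannot break out of the src="..." attribute.
    return f'<iframe src="{escape(VIMEO_BASE + video_id, quote=True)}"></iframe>'


def iframe_src(html: str) -> Optional[str]:
    """Small helper for inspection: pull the src attribute back out of the iframe."""
    m = re.search(r'src="([^"]*)"', html)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed sample tag contents: a normal id and one with an extra path segment.
    for content in ("123456", "123456/extra"):
        print("naive :", iframe_src(render_vimeo_naive(content)))
        print("strict:", render_vimeo_strict(content))
```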
-
Actually I might have added them. I know I added the [Netham45] bbcode, along with Wikipedia, TI-BD and stuff, but I'm unsure anymore about the rest. I might have enabled one video site, though.
EDIT Here's the article: http://ourl.ca/11543 (a month before I quit my admin position entirely). I added Nico, but you added Vimeo it seems.
-
Can they still do that? O.O I thought it was disabled by now
Admins can. I don't think there's a problem with that, seeing as how the same people could just delete most of Omnimaga if they wanted >.>
I think if a lot of these BBCodes aren't getting used, we don't really have a reason to keep them around. They can make post submission slower and clutter the post editor with extra buttons.
-
[...] and clutter the post editor with extra buttons.
There is already a bunch of bb-code tags which don't appear as buttons in the editor....
-
[...] and clutter the post editor with extra buttons.
There is already a bunch of bb-code tags which don't appear as buttons in the editor....
Which? [theGame]You lost it?[/theGame]
-
[...] and clutter the post editor with extra buttons.
There is already a bunch of bb-code tags which don't appear as buttons in the editor....
Which? [theGame]You lost it?[/theGame]
[netham45]
-
Can they still do that? O.O I thought it was disabled by now
Admins can. I don't think there's a problem with that, seeing as how the same people could just delete most of Omnimaga if they wanted >.>
I think if a lot of these BBCodes aren't getting used, we don't really have a reason to keep them around. They can make post submission slower and clutter the post editor with extra buttons.
This is true. There are probably some that we could get rid of.
-
I think that some official tags don't necessarily have buttons either, but since barely anyone ever used the Vimeo and Niconico tags, I bet they could be removed if they ever cause issues. Most people use Youtube anyway.
I wonder how secure is the [Netham45] tag, since it doesn't need to be closed? :P
-
[Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45][Netham45]I don't see anything broken
-
The XKCD one in particular doesn't seem to have much of a point since all it does is create a link to an XKCD comic, and it's not much harder (actually slightly less work IMHO) to just use [url=http://xkcd/][/url].