Html

  • Html

    Allowing html, can that cause any issues?
    Last edited by Carrfixr; Wed 1 Jul '20, 3:59pm.

  • #2
    If you get someone who knows what they are doing they can take over your site entirely using HTML.



    • Carrfixr
      Carrfixr commented
      Thanks, it stays off. But bb code is safe?

    • In Omnibus
      In Omnibus commented
      The BBCode vBulletin uses is safe. You can even disable the ability to embed PHP or HTML as BBCode. As long as you're not parsing raw data you're safe from the vast majority of malicious code.

    • Wayne Luke
      Wayne Luke commented
      You can even disable the ability to embed PHP or HTML as BBCode.
      The HTML and PHP bbcodes do not allow users to embed this type of code in a post. The code will never be parsed. They are simply an extension of the [code] bbcode to apply to preformatted text.

      HTML Code:
      <p>This is the <b>HTML</b> BBcode</p>
      PHP Code:
      // This is the PHP BBCode
      echo ('<p>Hello World</p>'); 

  • #3
    Yes. Allowing HTML can cause a lot of problems, ranging from benign mistakes to outright exploitation.

    An inexperienced user can break your site because they forget to close a tag.
    An experienced user can include JavaScript to harvest user information when people visit the page.

    This should only be turned on for your most trusted users, and I would recommend only using it yourself to gain better control over the posting of articles and blogs more than anything else. You should not allow the general public access to HTML.
    Translations provided by Google.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud demonstration site.
    vBulletin 5 API - Full / Mobile
    Vote for your favorite feature requests and the bugs you want to see fixed.



    • Carrfixr
      Carrfixr commented
      Thanks guys
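
The difference discussed in this thread, as an added example that is not part of the original posts and is not vBulletin's own code: the same post rendered with raw HTML allowed, and rendered with everything escaped before a small BBCode whitelist is applied, so the [html] block is displayed and never parsed. The function names, the tag regex, the whitelist and the CSS class names are assumptions made for illustration, and the sample post is constructed.

```python
import html
import re

# Assumed tag syntax for the preformatted BBCodes: [html], [php], [code].
PRE_TAG = re.compile(r"\[(html|php|code)\](.*?)\[/\1\]", re.I | re.S)
# Hypothetical whitelist: formatting BBCode -> fixed, attribute-free HTML tag.
SIMPLE_TAGS = {"b": "strong", "i": "em", "u": "u"}

# Constructed sample post mixing BBCode, raw HTML and an [html] block.
SAMPLE = ("Hi [b]all[/b] <script>alert(1)</script> "
          "[html]<p>This is the <b>HTML</b> BBcode</p>[/html]")


def render_raw_html(post):
    """'Allow HTML' switched on: the post body reaches the page unchanged."""
    return post


def render_bbcode(post):
    """Escape the whole post first, then emit HTML only for known BBCode."""
    out = html.escape(post, quote=True)  # <, >, &, " and ' become entities

    def as_preformatted(match):
        # The body was escaped above, so the browser displays it as text.
        return '<pre class="bbcode_{}">{}</pre>'.format(
            match.group(1).lower(), match.group(2))

    out = PRE_TAG.sub(as_preformatted, out)
    for bb, tag in SIMPLE_TAGS.items():
        # An unclosed [b] never matches and stays as literal text.
        out = re.sub(r"\[{0}\](.*?)\[/{0}\]".format(bb),
                     r"<{0}>\1</{0}>".format(tag), out, flags=re.I | re.S)
    return out


def emitted_tags(rendered):
    """Names of the HTML elements a browser would actually parse."""
    return {name.lower()
            for name in re.findall(r"</?([A-Za-z][A-Za-z0-9]*)", rendered)}


if __name__ == "__main__":
    print(sorted(emitted_tags(render_raw_html(SAMPLE))))  # includes 'script'
    print(sorted(emitted_tags(render_bbcode(SAMPLE))))    # whitelist only
    print(render_bbcode(SAMPLE))
```

The unclosed-tag case from post #3 is covered as well: a stray `<b>` is escaped and a stray `[b]` stays literal, so neither can unbalance the surrounding page markup.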