Unauthorised interference with my posts Options

[pandy]

If you don't tell I will pout.

You are cute when you pout.

Entities don't work. I seriously have no idea how Pandy pulled that off. People have been trying to do that with IPB forever.

You have got to tell us how you pulled that one off!

No. I want to see you pout too first.

[Christian J]

Entities don't work. I seriously have no idea how Pandy pulled that off. People have been trying to do that with IPB forever.

A simple googling turned up the following:

javascript:

If you look in the BBCode you can see how I did it, but pandy seems to use some other trick that makes the BBCode appear normal.

BTW feel free to edit this post if you don't want everyone to know.

[pandy]

Can you put it in a script box?

CODE

javascript:alert('Klutz!');

[John Pozadzides]

You have got to tell us how you pulled that one off!

No. I want to see you pout too first.

Ok. I'm pouting... see? Now, tell us how you did it!

A simple googling turned up the following:

javascript:

Hmm... You say "simple" but I don't know how you found that. I know a lot of people, including me, that looked for it in the past but couldn't find it.

But like you said, that isn't how Pandy is doing it.

java script:alert('Boo!');

Dammit!

John

[pandy]

I knew you would give up if I waited long enough. That mug's so cute I just have to tell you.

Ready? Here goes!

CODE

javascript: alert('Boo!');

CODE

javascript: alert('Boo!');

You can do it with any or all characters in 'javascript:'.

It isn't my fault you guys listen to hearsay and don't test for yourselves!

[Christian J]

A simple googling turned up the following:

javascript:

Hmm... You say "simple" but I don't know how you found that. I know a lot of people, including me, that looked for it in the past but couldn't find it.

IIRC I searched for ways to circumvent the bad word censor...

BTW here's a mod for phpBB, maybe IPB has something similar though the mod appears to work only on empty BBCode tags (and not when you put content inside them like I did).

[Christian J]

It isn't my fault you guys listen to hearsay and don't test for yourselves!

I did test &!

Is this the same thing: http://secunia.com/advisories/20772 ?

[pandy]

I did test &!

Kids nowadays... Give up when it doesn't work on the first try. Tsss, tsss, tsss.

Is this the same thing: http://secunia.com/advisories/20772 ?

Dont know. They say hex and I used decimal. Hex doesn't seem to work.

CODE

javascript: alert('Buu!');

[John Pozadzides]

I did test &!

Kids nowadays... Give up when it doesn't work on the first try. Tsss, tsss, tsss.

I swear I tested that also, multiple times!

Is this the same thing: http://secunia.com/advisories/20772 ?

Dont know. They say hex and I used decimal. Hex doesn't seem to work.

CODE

java script: alert('Buu!');

I've already patched for that issue...

John

[John Pozadzides]

CODE

javascript: alert('Boo!');

CODE

java script: alert('Boo!');

Interesting. I just also learned that if you use the & trick, the first time you preview the post it switches it to the regular character. Then if you post it goes back to being broken.

Basically this only works if you do NOT preview your post before taking it live.

John

[pandy]

Yes, lots of boards do that. Messes quoting up, that.

Actually, it was pure luck I found this out. I use a script in my text editor to convert characters to entities. When I wrote it I chose dec since that's supposed to be most widely supported. So when I wanted to try "javascript:" with entities, decimal it was. Had my script happened to do hex, maybe I too had given up there.

Wonder if it is a vulnerability BTW. If it is it shall be known as "The WDG Hole".

[Christian J]

Doesn't seem to work in links, but not sure why not (since the "javascript" part is still intact):

[url=javascript: alert('Boo!');]foo[/url]

[pandy]

It's because of the space. But the board adds 'http' if it isn't present.

TESTING

[rahul286]

Yes, lots of boards do that. Messes quoting up, that.

Actually, it was pure luck I found this out. I use a script in my text editor to convert characters to entities. When I wrote it I chose dec since that's supposed to be most widely supported. So when I wanted to try "java script:" with entities, decimal it was. Had my script happened to do hex, maybe I too had given up there.

Wonder if it is a vulnerability BTW. If it is it shall be known as "The WDG Hole".

Hello pandy, first thanx for :
Can u tel me in details how do u use a script in text editor! Does it work for all members???
Actually I am running an invision board and there is completely dedicated thread for javascript&#58
So I would really appreciate ur help!
Thanks in advance!

[pandy]

No, you can't do it with any text editor. The one I use, Notetab, is programmable using its own scripting language. I like the way the sripts are evoked. Look at this picture http://notetab.com/screen01.html . What you see in the left window is a library with scripts. Each item in the list is a script. In this case it's just text macros that inserts CSS stuff in the document, but they can be a lot more advanced than that, process text, documents, disk files. You can have as many libraries as you want with many scripts in each.

[rahul286]

So is there any other solution??
something like BBCode or MODS...
wel I have access to PHP source code of IPB, so I can modify any file!
And thanks for replying so soon!

[pandy]

I don't understand what you want to do. Can't you just use #58 if that works?