# A Security Issue regarding HTML



## omokage (Feb 6, 2002)

I know that HTML is off now, but I thought that if people ever thought to complain they should read this correspondance:



[snip] - emailing to Morrus. Good idea KDL


----------



## KDLadage (Feb 6, 2002)

This is something that should have been e-mailed to Morrus directly -- placing it here just invites people to experiment with it -- if not on these boards, then on others.


----------



## graydoom (Feb 6, 2002)

Hmm, yes, I have thought to complain. Why? Because despite the fact that we did not have problems with HTML enabled on the old boards, and despite the fact the fact that javascript is censored out, HTML still isn't re-enabled.

Well, since whatever is was is gone now, I can't point out any flaws in it and/or browser-side fixes for it....
I dislike being deprived of the chance to make a rebuttal. With javascript commands censored, there shouldn't be any problems with re-enabling HTML. But since I have no idea what the issue here is... I can't make any good response.


----------



## Omegium (Feb 6, 2002)

before html is turned on: het out the <iframe> tag. You can use html with that.


----------



## omokage (Feb 7, 2002)

first of all: javascript can be used in tags other than the script tag.

second of all: the security concern I was specifically refering to was that in the current version of vBulletin, a user account can be hacked into when HTML is enabled on the board.


----------



## Berandor (Feb 7, 2002)

This is it? I know I am a no-tech but the problem is that user-accounts can be hacked?

I mean, I could lose my avatar, sig, or might have my username changed, or the hacker would find out my *gasp* e-mail address?

We have no real address, credit-card number,s or else in our profile.

I know there must be more to it, isn't it?
Or maybe I'm underestimating the degree of privacy warranted by EN-Users...

Berandor


----------

