Vanilla 1 is no longer supported or maintained. If you need a copy, you can get it here.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

HTML Formatter Security Bug (October 30 2005)

MarkMark Vanilla Staff
edited October 2005 in Vanilla 1.0 Help
Everyone should be aware that SirNot and I discovered some bugs in the HTML formatter whereby someone could execute javascript in specific browsers. SirNot has fixed the bugs in the release version of the html formatter that comes with Vanilla. You can either download that version of Vanilla from, or you can do the following to repair the bug:

Open up extensions/HtmlFormatter.php

Replace the Execute function with this:
function Execute($String)
	$AllowedProtocols = array('http', 'ftp', 'https', 'irc', 'gopher');
	$Patterns = array(
		"/o(?i)(n)/", //block all js events, but keep it as exact as possible in case 
		"/O(?i)(n)/", //we're mistaking it for a url or something
			//on some browsers the js protocol will still work even if it
			//contains html entities or a newline seperating 'java' and 'script'
		"/s(?i)(cript)/", //now we can go through and cancel out any script tags
	$Replacements = array(
		'$this->CheckProtocol("\\3", $AllowedProtocols, "href="."\\2", "<a"."\\1", "\\4".">")', 
	return preg_replace($Patterns, $Replacements, $String);
Then you'd want to add in this function in the same class as well:
function CheckProtocol($Check, $Allow, $Extra, $Prefix, $Suffix)
	$sReturn = stripslashes($Prefix);
	if(!in_array($Check, $Allow)) $sReturn .= ($Extra.'http://');

	else $sReturn .= ($Extra.$Check.':');
	$sReturn .= stripslashes($Suffix);
	return $sReturn;


  • edited October 2005
    There are also weaknesses as discovered by SirNot in this thread: - fix in thread.
This discussion has been closed.