
How to allow javascript code in signatures?

This discussion is related to the Signatures addon.
ThomasHoi New
edited July 2014 in Vanilla 2.0 - 2.8

Hi,

I'm using Vanilla version 2.0.18.8 with Signatures version 1.1.5.

I have restricted access of signatures to only Admin.

May I know how I can allow JavaScript code in signatures? Currently only HTML code is allowed.

Thanks.

Comments

  • hgtonight ∞ · New Moderator

    The general consensus is to never allow user-submitted code to be executed. Even restricting the ability to certain users is considered a harmful security policy. It increases your attack surface with very little gain.

    Signatures 1.1.5 strips out the JavaScript on line 273. I will leave it up to you how to stop that from happening.

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

  • x00 MVP
    edited July 2014

    @ThomasHoi, as discussed before, you need to rethink the problem and solution.

    • You want some kind of submission form; there is absolutely no need to facilitate this by manually entering scripting or even form fields.
    • The piecemeal nature of this strategy is not a good solution for what you want, not to mention very inefficient and insecure.
    • Vanilla is very extendable; a plugin in which you are able to assign options, rather than allowing arbitrary code to be inserted, is a far better solution.

    grep is your friend.
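
The option-driven approach x00 describes, sketched in plain PHP as an added example; it is not code from this thread, from Vanilla, or from the Signatures addon. The function names, option keys, form targets and CSS class are all hypothetical.

```php
<?php
// Hypothetical option-driven signature renderer (not Vanilla's or the Signatures addon's API).
// The admin stores options, never markup or script; the server owns the template.

const SIGNATURE_FORM_TARGETS = [          // constructed allowlist: option key => fixed URL
    'newsletter' => '/plugin/newsletter/subscribe',
    'contact'    => '/plugin/contact/send',
];

function validateSignatureOptions(array $input): array
{
    // The target is a key into the allowlist, so a stored value can never be a URL.
    $target = $input['target'] ?? '';
    if (!is_string($target) || !array_key_exists($target, SIGNATURE_FORM_TARGETS)) {
        throw new InvalidArgumentException('Unknown form target');
    }
    // The label is restricted to letters, digits and basic punctuation.
    $label = $input['label'] ?? '';
    if (!is_string($label) || !preg_match('/^[\p{L}\p{N} .,!?-]{1,40}$/u', $label)) {
        throw new InvalidArgumentException('Label must be 1-40 plain characters');
    }
    return ['target' => $target, 'label' => $label];
}

function renderSignatureForm(array $options): string
{
    $opts   = validateSignatureOptions($options);
    // Escape on output as well, so the template stays safe if validation is loosened later.
    $action = htmlspecialchars(SIGNATURE_FORM_TARGETS[$opts['target']], ENT_QUOTES, 'UTF-8');
    $label  = htmlspecialchars($opts['label'], ENT_QUOTES, 'UTF-8');
    // A real plugin would also emit the platform's anti-CSRF token field here.
    return '<form class="SignatureForm" method="post" action="' . $action . '">'
         . '<input type="email" name="Email" required>'
         . '<button type="submit">' . $label . '</button>'
         . '</form>';
}

// Constructed sample inputs: one valid option set, two that must be rejected.
$samples = [
    ['target' => 'newsletter', 'label' => 'Subscribe'],
    ['target' => 'newsletter', 'label' => '<script>alert(1)</script>'],
    ['target' => 'https://example.invalid/collect', 'label' => 'Send'],
];
foreach ($samples as $sample) {
    try {
        echo renderSignatureForm($sample), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```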
