Does anyone actually allow HTML in posts?

Discussion in 'Security and Legal' started by Soliloquy, Jun 4, 2009.

  1. Soliloquy

    Soliloquy Regular Member

    Joined:
    Jun 3, 2009
    Messages:
    2,402
    Likes Received:
    66
    Location:
    New York City
    Considering that it's not secure and is turned off by default (well, in vBulletin anyway), does anyone actually allow HTML in posts on their forum? For what reason?
     
  2. Chris

    Chris Regular Member

    Joined:
    Dec 27, 2007
    Messages:
    5,422
    Likes Received:
    86
    This is an interesting topic - I'd be interested in hearing what people have to say regarding this matter.
     
  3. Tom

    Tom Regular Member

    Joined:
    May 27, 2009
    Messages:
    153
    Likes Received:
    18
    Location:
    New York
    I allow HTML in topics, for sure.

    I have no reason, I just allow it. Some people prefer the HTML rather than the IMG code.
     
  4. Soliloquy

    Has it caused any problems for you yet, Tom? No one has tried to post malicious stuff?
     
  5. Tom

    No, not that I know of.

    Not many people upload HTML images. They'd use IMG codes or links.
     
  6. kev

    kev Regular Member

    Joined:
    Mar 9, 2009
    Messages:
    1,224
    Likes Received:
    61
    No, I do not allow HTML. It presents too much of a security issue.
     
  7. Lynne

    Lynne Regular Member

    Joined:
    May 26, 2009
    Messages:
    333
    Likes Received:
    32
    Location:
    Home Sweet Home!
    Only allowed in my Staff forums.
     
  8. John

    John Regular Member

    Joined:
    May 23, 2009
    Messages:
    757
    Likes Received:
    87
    Location:
    Tennessee
    I do not allow HTML in users' posts. I only allow myself to be able to post HTML in my posts.
     
  9. Nick

    Nick Regular Member

    Joined:
    Jul 27, 2008
    Messages:
    7,441
    Likes Received:
    218
    I don't permit HTML on any of my forums for anybody - including administrators. It's just too great of a security risk and it simply isn't worth it.

    Tom, I'm surprised that you haven't had any issues with it thus far. Are you aware of the security risks it presents?
     
  10. Tom

    No, I am not aware.

    Please tell me why I should be aware. :eek: - but don't tell me too much too fast because we are a designer's forum, so HTML must/can/may be used.
     
  11. Nick

    Users can easily post malicious code that may compromise your forum or database, if I'm not mistaken.

    I don't know the specifics - just that it opens a huge window for abuse and corruption. Hopefully somebody can come along and fill us in on the details.

    I've visited many design forums, none of which have HTML enabled. Is there a reason you feel the necessity to enable it? I'm just curious...
     
  12. Vekseid

    Vekseid Regular Member

    Joined:
    Jun 2, 2009
    Messages:
    393
    Likes Received:
    13
    My Drupal community will allow it : )
     
  13. Tom

    Thanks for the advisory.

    Well, some designers code in HTML, so maybe when posting code, they'd like to use HTML, or whatever.

    No specific reason.
     
  14. Nick

    Well, even when HTML is disabled, you can post HTML code to share with the community. It just won't be parsed.

    For example:
    HTML:
    <table width="890px" border="0" cellpadding="0" cellspacing="0"
    style="margin-top:1px;background-color:#606060;border-bottom:1px solid black">
    <tr style="height:48px">
    <td width="15px"></td>
    <td width="500px" valign="middle" style="text-align:left">
    <img style="margin-top:6px" border="0" src="/images/h_logo.gif" width="203" height="20" alt="w3schools" title="w3schools" />
    </td>
    <td align="right" valign="bottom" style="color:white;font-size:10px;font-weight:bold">
    <form style="margin:0px;padding:0px;" method="get" name="searchform" action="http://www.google.com/search" target="_blank">
    <table cellpadding="0" cellspacing="0" border="0" style="padding-bottom:10px"><tr>
    <td>Search W3Schools : <input type="hidden" name="sitesearch" value="www.w3schools.com" /></td>
    <td><input style="margin:0px;height:12px;width:128px;" alt="search" type="text" name="as_q" size="20" value="" /></td>
    <td><input style="margin:0px" type="image" align="middle" src="images/search.gif" /></td>
    </tr></table>
    </form>
    </td>
    <td>&nbsp;</td>
    </tr>
    </table>
    
    <table width="890px" border="0" cellpadding="0" cellspacing="0" style="background-color:#606060">
    <tr style="height:20px">
    <td class="blacknav" style="border-left:none" width="50"><a class="m_item" href="/default.asp">HOME</a></td>
    <td class="blacknav" width="50"><a class="m_item" href="/html/default.asp">HTML</a></td>
    <td class="blacknav" width="40"><a class="m_item" href="/css/default.asp">CSS</a></td>
    <td class="blacknav" width="40"><a class="m_item" href="/xml/default.asp">XML</a></td>
    <td class="blacknav" width="90"><a class="m_item" href="/js/default.asp">JAVASCRIPT</a></td>
    <td class="blacknav" width="40"><a class="m_item" href="/asp/default.asp">ASP</a></td>
    <td class="blacknav" width="40"><a class="m_item" href="/php/default.asp">PHP</a></td>
    <td class="blacknav" width="40"><a class="m_item" href="/sql/default.asp">SQL</a></td>
    <td class="blacknav" width="60"><a class="m_item" href="/sitemap/sitemap_tutorials.asp">MORE...</a></td>
    <td class="blacknav"></td>
    <td class="blacknav" width="80"><a class="m_item" href="/sitemap/sitemap_references.asp">References</a></td>
    <td class="blacknav" width="70"><a class="m_item" href="/sitemap/sitemap_examples.asp">Examples</a></td>
    <td class="blacknav" width="50"><a class="m_item" href="/forum/default.asp">Forum</a></td>
    <td class="blacknav" style="border-right:none" width="50"><a class="m_item" href="/about/default.asp">About</a></td>
    </tr>
    </table>
     
  15. Vekseid

    Code:
    <img src="somerandomimage" onload="dosomethingnasty ();" />
    
    Is the basic gist of it - triggering the various JavaScript event handlers. CSS can also be used for malicious purposes, but then again, so can the BBCode img tag.
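
Added example, not part of the thread and not any forum package's own code: the two behaviours discussed in the posts above (HTML disabled, so markup is displayed but not parsed; HTML enabled, where event-handler attributes such as `onload` are the risk), sketched in Python with the standard library. The allowlist, the URL prefixes and the sample post are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser

# Assumed allowlist for illustration: tag -> attributes it may keep.
ALLOWED = {"b": set(), "i": set(), "a": {"href"}, "img": {"src", "alt"}}
SAFE_URL_PREFIXES = ("http://", "https://", "/")
VOID = {"img"}                      # no closing tag is emitted for these
DROP_CONTENT = {"script", "style"}  # drop the element together with its body

def render_as_text(post):
    """HTML disabled: escape everything, so markup is shown but never parsed."""
    return html.escape(post, quote=True)

class AllowlistSanitizer(HTMLParser):
    """HTML enabled: rebuild the post from allowlisted tags/attributes only."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip = depth inside script/style
    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED:
            return
        kept = []
        for name, value in attrs:
            value = (value or "").strip()
            if name not in ALLOWED[tag]:
                continue             # drops onload, onerror, style, ...
            if name in ("href", "src") and not value.lower().startswith(SAFE_URL_PREFIXES):
                continue             # drops javascript:, data:, relative URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

def sanitize(post):
    parser = AllowlistSanitizer()
    parser.feed(post)
    parser.close()
    return "".join(parser.out)

# Constructed sample post, reusing the handler name from the post above.
POST = '<b>hi</b> <img src="/images/h_logo.gif" onload="dosomethingnasty ();" />'
```

`sanitize(POST)` keeps the image but drops its `onload` attribute, while `render_as_text(POST)` shows the whole tag as text. Neither changes the fact that the browser still requests whatever URL an allowed `src` points to, which is the `img` point raised in the post above.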
     
  16. Tom

    This is true.


    I agree with you. Both HTML and IMG codes can be risky.

    Most people use IMG codes, anyway, as previously mentioned.
     
  17. Ryan

    Ryan Regular Member

    Joined:
    May 27, 2009
    Messages:
    522
    Likes Received:
    58
    I do not allow HTML on any of the forums.
     
