Hi, it seems like if I type JavaScript: then a space between Java and script is inserted. Check this test post.
It's annoying sometimes, as you can see here.
Is it possible to fix it without modifying the "Underlying Forum Code"?
Thanks.
Hi it seems like if i type javascript: then a space between Java...
hi it seems like if i type JavaScript: then a space....
hi it seems like if i type "javascript" then....
Brad, looks like you fixed it, thanks.
But if I edit my post, the problem reappears; can you fix that if possible?
Thanks again.
Danial.
I didn't do anything. The only time I could duplicate the error was when I copied your post.
I suggest you don't copy your post ;)
Brad!
Brad, apart from the first post in my test thread, I didn't copy. Weird thing is that now when I edit the post it's fine too :confused: . Are you sure you didn't change anything?
Quote:
Originally posted by brad jones
I didn't do anything. The only time I could duplicate the error was when I copied your post.
I suggest you don't copy your post ;)
Brad!
Electroman, did you copy my post or type it in my test thread? Because you recreated the error I am talking about.
Or you didn't change anything, did you?
Anyhow, the problem is resolved, but it was some weird AutoFix :D
Definitely weird. I wasn't sure where to begin looking, which is why I started by trying to duplicate the issue.....
If it happens again and we can duplicate it, then I'll see what we can do. :)
Brad!
I spoke too early, it only happens inside [code ] tag. e.g.
Quote:
Originally posted by brad jones
Definitely weird. I wasn't sure where to begin looking, which is why I started by trying to duplicate the issue.....
If it happens again and we can duplicate it, then I'll see what we can do. :)
Brad!
That should replicate the error.
Code:
onclick="javascript:Test()"
Brad, finally found the cause.
It happens inside [code], [vbcode], and [quote] tags.
When I edit the post, it shows the text without any space, so that means the Format function of vBulletin is causing the bug.
To be more precise, it only happens when those tags are used in a post, but even then it affects text outside the tags if they were present.
Like, look at these two posts:
http://www.vbforums.com/showthread.p...postid=1782456
http://www.vbforums.com/showthread.p...postid=1782457
The second one is the same as the first except the line with the Code tags has been taken out ;).
Good work EM :thumb: , nearly freaked me out trying to re-create the error.
Hope Brad can fix it :)
Solved the problem, well I found the reason I reckon......
I just tried it with the bold tags, so it's actually if any tags are present, and the reason is that you could inject JavaScript when tags with parameters are present. For example:
[color=Red]SomeText[/color]
converts to:
<font color="Red">SomeText</font> (Or similar)
So then what if you do:
[color=Red" onclick="javascript:DoSomething()]SomeText[/color]
That would convert to:
<font color="Red" onclick="javascript:DoSomething()">SomeText</font> (Or similar)
EMan,
I see your point, you are trying to say this can be used to call JavaScript function and would be open to abuse, right?
In that case all that is needed is to put a tag, like we do, between java and script,
e.g. replace JavaScript with Java[b] [/b ]Script
Note that the "<" and ">" of the "<script>" tag are getting replaced by HTML char codes, so you would not be able to call any script anyway. You can only do inline JavaScript.
I would assume we only need to modify the Replace function, e.g.
Replace(strHtml, "JavaScript:", "Java Script:")
to
Replace(strHtml, "JavaScript:", "Java[b ][/b ]Script")
Obviously the equivalent of the Replace function in PHP.
Brad, any ways to fix it, or is it too much code change?
I would think it's rather a lot to change. You could just work around it by doing:
javas[b][/b]cript:
Code:
javas[b][/b]cript:
Which is actually how I managed to get it to display right in my last post. Of course, if this is the way to go then not everyone will know how to do it, but at least then you'll know something not everyone else does :D.
Thing is, this could have been fixed in the next version, but I'm not sure there. The method you suggested could have some strange results, especially if you used that replace statement when the input was the injection I gave as an example ;).
I'll report this to our developers and see if they have the time to look into it.
Brad
Thanks Brad,
Quote:
Originally posted by brad jones
I'll report this to our developers and see if they have the time to look into it.
Brad
It's not a major issue, but would be nice if it can be fixed.
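
Added example, not part of the thread and not vBulletin's own code: a Python sketch of the [color=...] rendering discussed above, comparing the naive substitution, the space-inserting Replace, and a renderer that validates the tag parameter against an allowlist. The function names and regexes are assumptions made for illustration; PAYLOAD is the input quoted in the thread.

```python
import html
import re
from html.parser import HTMLParser

# Input quoted in the thread; everything else here is illustrative.
PAYLOAD = '[color=Red" onclick="javascript:DoSomething()]SomeText[/color]'

COLOR_TAG = re.compile(r"\[color=(.*?)\](.*?)\[/color\]", re.I | re.S)
# Allowlist for the parameter: a colour name, or a #rgb / #rrggbb value.
SAFE_COLOR = re.compile(r"[A-Za-z]{1,20}|#[0-9A-Fa-f]{3}(?:[0-9A-Fa-f]{3})?")

def render_naive(post):
    """Paste the tag parameter straight into the attribute."""
    body = html.escape(post, quote=False)  # < > & encoded, quotes untouched
    return COLOR_TAG.sub(r'<font color="\1">\2</font>', body)

def keyword_filter(rendered):
    """The space-inserting Replace discussed in the thread."""
    return re.sub("javascript:", "java script:", rendered, flags=re.I)

def render_hardened(post):
    """Escape quotes too, and emit markup only for allowlisted parameters."""
    def repl(match):
        color, text = match.group(1), match.group(2)
        if not SAFE_COLOR.fullmatch(color):
            return match.group(0)  # leave the tag as inert literal text
        return '<font color="%s">%s</font>' % (color, text)
    return COLOR_TAG.sub(repl, html.escape(post, quote=True))

class _AttrNames(HTMLParser):
    def __init__(self):
        super().__init__()
        self.names = []
    def handle_starttag(self, tag, attrs):
        self.names += [name for name, _ in attrs]

def attribute_names(rendered):
    """Attribute names an HTML parser sees in the rendered output."""
    parser = _AttrNames()
    parser.feed(rendered)
    parser.close()
    return parser.names

if __name__ == "__main__":
    print(attribute_names(render_naive(PAYLOAD)))
    print(attribute_names(keyword_filter(render_naive(PAYLOAD))))
    print(attribute_names(render_hardened(PAYLOAD)))
```

The keyword filter alters the attribute's value but the extra attribute is still emitted; the allowlisting renderer leaves the malformed tag as literal text.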