One thread - formatting messed up

[tingo]

Haven't seen this before, one specific thread has "side-by-side" formatting of posts. Screenshot:
(it looks the same in Chromium too).

 

[SirDice]

Somebody posted a [url] in an [anchor]. That screws up the layout. Should be fixed now.

 

[zirias@]

That's the second time this happens in a short period of time. Can you assure this at least doesn't allow any injections?

 

[SirDice]

I was thinking about removing the button for [anchor]. A lot of new users seem to "abuse" it instead of using [file]filename[/file].

 

[shkhln]

Still not fixed? Yes, this is technically an XSS.

 

[SirDice]

Still not fixed?

Refresh/reload the page.

 

[ShelLuser]

It's not only about anchors though, I recently managed to mess up [cmd] and [/file] and that also caused quite a mess. Managed to fix that myself though.

.. come to think of it, I'm not fully sure what code caused it again, but it was something I messed up: using an unmatched pair (I always type out the BBCode).

 

[zirias@]

Yes, this is technically an XSS.

Can't be sure about this, might be "deterministic tag soup" But it's worrying…

 

[zirias@]

Refresh/reload the page.

shkhln asked about the underlying issue, that might have security implications.

(it definitely is that kind of "oops, what's that?" event that's often the first step to discover a serious security issue…)

 

[a6h]

More items, harder to find the problem. Users love their widgets, and admin has to pay for it! I think some of the items are not necessary. Some users may whine. Whatever.

 

[zirias@]

So, did OpenBSD release a web BBS software so far? ?

 

[SirDice]

Yeah, need to tweak that toolbar a bit. Move more important things to the front (code and file for example) and less used (fonts, anchor) further back. But my browser doesn't seem to like it though. I can pick up the icons and drag them around but it never lets go of the selection.

 

[zirias@]

Yeah, need to tweak that toolbar a bit.

Don't want to nag here, but still: that won't do. If there is a way for user input to mess up layout, XSS might be already possible or isn't far. In that case, it doesn't matter whether it's accessible via a toolbar, whoever wants to exploit it doesn't care for toolbars. Please get to the bottom of this problem…

 

[shkhln]

This forum version seem to indiscriminately escape <, > and " everywhere (in user input, that is), so XenForo devs likely papered over most issues.

 

[zirias@]

*scnr*

 

[memreflect]

BB code is about as safe as any other tag-based markup language. Some things like man pages appear especially odd if you miss the '/' character on the closing tag for example:

[man=1]sh[man]

The contents of this code block were copied and pasted below this code block.
The attached image is the resulting preview of that section.

Maybe MAN and PORT tags aren't a problem from a security perspective, but the image does illustrate what happens when you don't check the output of your BB code. We're all human (I think?), so similar mistakes will assuredly be made in the future.

 

[shkhln]

BB code is about as safe as any other tag-based markup language.

The traditional way of implementing bbcodes is mere text substitution, so they don't really qualify as a markup language. There is no data structure that can be checked for invalid combinations of nested tags, there are no parsing rules whatsoever. For example, [URL=[ANCHOR]1[/ANCHOR]]2[/URL] is a perfectly "valid" piece of bbcode and it generates a garbage result: 1[/ANCHOR]]2.

 

[memreflect]

The traditional way of implementing bbcodes is mere text substitution, so they don't really qualify as a markup language. There is no data structure that can be validated for invalid combinations of nested tags, there are no parsing rules whatsoever. For example, [URL=[ANCHOR]1[/ANCHOR]]2[/URL] is a perfectly "valid" piece of bbcode and it generates a garbage result: 1[/ANCHOR]]2.

The syntax is just very reminiscent of HTML to me, so thank you for the correction. It seems it's more like the old HELPMAKE/QuickHelp markup format used in the days of DOS, albeit in a different form:

QuickHelp    \b+Bold \u+Underline \b-Bold \u-Underline
BB code      [B]+Bold [U]+Underline [/B]-Bold [/U]-Underline
(improper nesting)
BB code      [B]+Bold [U]+Underline [/U][/B][U]-Bold [/U]-Underline
(proper nesting)
Rendering    +Bold +Underline -Bold -Underline

The BB code will be reformatted to make the tags nest properly when toggling the BB code on/off, which does make it seem like there's a direct translation from BB code to HTML. In any case, it's clear to me now: the algorithm used to convert from BB code to HTML is far simpler than any algorithm used to parse broken HTML. That could be considered a good thing since the recipe for tag soup is nothing but trouble.