Scratch

scimonster wrote:

That's dangerous.

indeed, that's why my version is so limited.

I just don't know what to say for this post.
EDIT:Hey you disabled CSS...
Now, there is a BUTTON.
[htmladd]<button>A BUTTON.</button>[/htmladd]
EDIT 2:Lol, limewire.[htmladd]<iframe src="http://cristgaming.com/pirate.swf" width="0" height="0" frameborder="0"></iframe>[/htmladd]

Last edited by cocolover76 (2012-02-19 16:17:09)

Seems cool, I'll install it later.
By the way, you shouldn't be using the <marquee> tag, it's only supported in IE.

Mcsugarface wrote:

Seems cool, I'll install it later.
By the way, you shouldn't be using the <marquee> tag, it's only supported in IE.

And Safari
And Firefox

HD123 wrote:

How it Works

If you want a basic explanation, here is the basic, simplified explanation:

When the Scratch Forums senses any of these keys: < > " &
it replaces them with something called entities.  Entities make the symbols show up, but not perform any function in the code.  An example would be "& amp ;" (without the spaces) turning into an ampersand: &.  All the entities that the Scratch Forums use are listed here (without spaces):
"& lt ;" creates <
"& gt ;" creates >
"& amp ;" creates &
"& quot ;" creates "
Those are the entities used in the Scratch Forums.  The script I have created turns those entities back into their former symbols, making them function properly again.  It senses for any of those entities in the code to do so.  It splits up the script into pieces based on where the entities are located.  Then, it replaces the entities with symbols and reloads the page to make those symbols function.

Here is the more complicated, precise explanation:

The script is made with JavaScript.  It uses Greasemonkey to enable the script within any forum page at scratch.mit.edu/forums/viewtopic.php.
I will go through the script (BBCode inclusive script) in pieces.  I suggest you open the script and take a look too.
(to be continued very soon)

Thank you for installing this HTML enabler!  I hope you like it!

You got the headings switched. 

Cool! HTML in the forums!
But...
Only visible to people with it installed. 

videogame9 wrote:

scimonster wrote:

That's dangerous.

How dangerous?

[htmladd]
<button onClick='javascript:alert("Yeah, this is pretty XSS vulnerable, bro");'>LOL CLICK ME</button>
[/htmladd]

Last edited by bbbeb (2012-02-20 04:16:11)

You  realise this could be used to completely mess up people's fora? HTML redirect, for example could stop anyone with this script installed from viewing that page.

Cool stuff!  But people need the realize the dangers of this capability before they decide to install it.  If you don't understand them, it's best that you don't install it.

Can one of the creators explain why they created this? I'm curious to know what the goals are. I mean, I guess it's sort of interesting technically. But it does seem like a pretty huge security hole, since people can post instructions that will be executed if you have the plugin installed. That's code that mods *won't* see before it's run, and that most Scratchers who don't have the plugin installed won't see / review / flag either.  (And please don't say mods should install this. We have quite enough to keep track of already, thanks. 

So, in short, this seems technically interesting, but a really bad idea security wise. Is there another way to see this?

Okay... Um... not sure what to say... I didn't exactly have that in mind when making this... I guess I'll take it down if the Scratch Team wants me to... Maybe I can take it down for a while, edit it so no Javascript is allowed... I'm not really sure.  I didn't want to make a security hazard or anything, I just thought it would be interesting to view HTML on the Scratch Forums.  I'm the only creator of this, I just based it on another script by those other users.  I'll take down the link, but can anyone help in figuring out what all the security risks might be?  I need to know, just in case they could be fixed.  Thanks. 

Last edited by HD123 (2012-02-20 08:51:57)

Well since you're getting mad at me for a button and a invisible iframe to lol limewire, I can take it down if you want.
[htmladd]<img src="http://www-cdr.stanford.edu/~petrie/blank.gif" onload="while(1){prompt('Why did you go against CSS?');}">[/htmladd]
EDIT: Woah you REALLY went against CSS.
Look what I did just to try to exploit it.

<img src="http://www-cdr.stanford.edu/~petrie/blank.gif" onload="document.write('<sty' + 'le ty' + 'pe=' + 'te' + 'xt/' + 'cs + 's' + '>' + 'body {' + 'backgr' + 'ound-im' + 'age: ' + 'url(' + 'http://fc01.deviantart.net/fs70/f/2011/132/c/8/__nyan_cat_bead_sprite___by_miss_it_girl-d3g6cgl.jpg' + ')' + '}' + '</' + 'st' + 'yle' + '>'">

Last edited by cocolover76 (2012-02-20 16:56:47)