| Before I mention anything, I want to apologize to everyone for the extended crippling of our bbcode. If you're not aware, [ img ], [ color ], [ url ], and [ yt ] tags have been disabled for some time. Today we're re-enabling [ color] and [ url ] tags. There are still issues we're trying to solve for [ img ], and if you're knowledgeable in the web space, please let us know any ideas you have on how to prevent [ img ] tags from loading malicious content from other sites. Our current best idea is a blacklist or whitelist of domains. We apologize for the inconvenience and hope to have this issue resolved in the near future. Any help we can get will surely enable us to get a fix out faster. |
| thank god we have color back |
| I'm itching to change my sig. |
 Kickstarter for Rokujouma is fully funded. Good work everyone. Lets wait for the result of our hard work together. |
| Thank you! |
"A half moon, it has a dark half and a bright half, just like me…", Yuno Gasai |
| Its a step to having everything back to normal, keep up the good work. |
 |
| It'd okay man, take your time. |
| Thanks for the update Xinil! |
  |
| Thanks for the update, and that's great. NeoAnkara said: I'm itching to change my sig. Though I agree with this. |
  |
| This is a good news for MAL |
 |
| This is great. Nice work. |
an egomaniac and a fool |
| Thanks, and good luck! |
 |
| Thank you! |
| Ahh, I miss color BBCode so much x3 Glad the url code is back too. |
 |
| What the point of having color BBcode if you gonna have a bunch of people complain about it being used? irony |
| Schools out, No job at moment, STILL hello MAL Eh..I will try to be online |
| img bbcode is really vulnerable to xss type attacks, its because of hackers we can't have nice things. |
 |
| About dang time Xinil, I think half the site was about ready to hang you for taking so long to give us an update. At least we know you care, unlike others who care more for popularity. Thank you for trying your hardest to bring them back up, Xinil. Now, in regards to the way your other mods pick new mods, I believe TallonKarrde23 has some much needed ideas to discuss with you. |
    |
| COLOR!! |
 |
NeoAnkara said: I'm itching to change my sig. In the mean time you can experiment with colors! |
| You won't get past blacklisting URL it is the most effective precaution. Also filtering words like 'gore', 'xxx', etc. in the links is very effective. Making the images non-clickable can help. Then there is also the possibility of loading the image over the server proxy, preventing the attacker to directly attack the users. The use of an image filter would be a waste because there are more than enough character images that would proc the filter. |
| KYA! Looking forward to [img]. |
 |
| Ty. for color/url! |
| There's like a billion articles on how to prevent injection for home made bbcode. Here's one http://www.webhostingtalk.com/showthread.php?t=682647 |
^)^ DeathfireD ^)^ Anime Alliance P2P Network *OPEN FOR NEW MEMBERS* |
| MAL is colorful once again! |
| As for the img, how about adding a 'Spam' button when hovering an image, and once someone(any member on the forum) presses it, the image is replaced with a spoiler button but with the name 'Show Spam', and a list of blocked images is updated that the mods can go through. But everyone can still see the blocked image by pressing the 'Show Spam' button, until a moderator takes a look at the image and if it's okay it's unblocked and if it's not okay the mod removes it permanently. The 'Spam' button would of course open a dialog box where the user has to confirm the block and also maybe enter a captcha, and of course the username is saved, in case the user is trying to block images just to be an ass. |
BaqaOct 3, 2013 4:05 PM
| FAVORITE ANIME | Aishiteruze Baby | Barakamon | Darker than Black | Gekkan Shoujo Nozaki-kun | Nodame Cantabile | Spice and Wolf |
| I say you should make a whitelist with the most used web image hosters, like flickr, imageshack, photobucket, signavatar. And slowly expand it to some other websites by having request from users. And where we have the signature settings to have the supported websites listed so people can see why their picture might not work and what they could use. |
 |
| Thanks a lot |
 |
| Many thanks. I'm looking forward to get [img] again for my signature I made 2 weeks ago. |
| Do not worry about it. As long as it is for a better MAL. And thank you for the update. |
| I like anime. |
| thank you for the updates! :D |
 |
| FINALLY. |
| SUPERB!!!!!! |
"Hello." |
| My Profile picture isn't working. Is it supposed to be or no? |
 |
DeathfireD said: This isn't an XSS issue. It's a 'basic access authentication' injection. We've largely resolved any XSS attacks.There's like a billion articles on how to prevent injection for home made bbcode. Here's one http://www.webhostingtalk.com/showthread.php?t=682647 |
Xinil said: It's a browser issue. Unfortunately they all seem to handle this in the worst possible way. (I have since replicated the issue with wamp on my machine for fun)It's a 'basic access authentication' injection. I think the only thing you can do is have the server request the resources that people try to post for images. If there isn't an image on the other end... well, you decide what the consequences are. (easymode would be just stripping it from the post... or autoban, but that might be too much). Obviously that would put a load on the server. Even this can be bypassed, by detecting the MAL server IP and serving an image to it so the post gets made... unless you proxy... There is no way to deal with this 100% without the browsers doing something about it. There will always be people that don't know any better. |
BurntJellyOct 3, 2013 7:52 PM
  |
| IT'S ABOUT TIME!!!! I have to admit, I am upset that [ img ] is not working and/or available at the moment, but at least we finally got some sort of update. To be honest, although I am happy to see this update on MAL, I question why we could not be informed of this sooner. I guess it doesn't matter that much now, but just saying.... |
 |
| Profile pic is now working again :) |
|
| Thank you for your efforts! Can't wait to finally make a sig that isn't just a jumble of Url and Img words! |
 |
BurntJelly said: Xinil said: It's a browser issue. Unfortunately they all seem to handle this in the worst possible way. (I have since replicated the issue with wamp on my machine for fun)It's a 'basic access authentication' injection. I think the only thing you can do is have the server request the resources that people try to post for images. If there isn't an image on the other end... well, you decide what the consequences are. (easymode would be just stripping it from the post... or autoban, but that might be too much). Obviously that would put a load on the server. Even this can be bypassed, by detecting the MAL server IP and serving an image to it so the post gets made... unless you proxy... There is no way to deal with this 100% without the browsers doing something about it. There will always be people that don't know any better. Ah I was under the impression that it was XSS, my bad. I'm not familiar with authentication injection but couldn't you just check the image's exif info using exif_imagetype in PHP? If it's an authentication injection than php wont be able to return any exif info since it'll be redirected by the "hackers" sever to a script. Xinil could do something like this when converting to BBcode to html. If the image fails then strip the bbcode out. <?php $bbcodeImage = 'https://www.google.com/images/srpr/logo6w.png'; if (exif_imagetype($bbcodeImage) != IMAGETYPE_PNG){ if (exif_imagetype($bbcodeImage) != IMAGETYPE_JPEG){ if (exif_imagetype($bbcodeImage) != IMAGETYPE_GIF) { echo 'This is not an image'; }else{ echo 'this is a gif'; } }else { echo 'this is a jpeg'; } }else{ echo 'this is a png'; } ?> |
| ^)^ DeathfireD ^)^ Anime Alliance P2P Network *OPEN FOR NEW MEMBERS* |
Xinil said: There are still issues we're trying to solve for [ img ], and if you're knowledgeable in the web space, please let us know any ideas you have on how to prevent [ img ] tags from loading malicious content from other sites. Our current best idea is a blacklist or whitelist of domains. From an usability point of view, a whitelist is never a good idea since it restrict the user too much. A blacklist is a good second measure idea but it will also not be able to fully protect the users since it is easy for anyone to create a get a new domain. This also means that you will have to rely on people's report submission to find the problematic images and ban their domain which in every case will create some incident. As for a primary solution have you tried the following? -Verify if every image URL have tags inside of them before actually accepting the image, if they do you only have to refuse the post. -Verify if the link to the image exist before actually showing it. This will stop people form abusing the onerror injection. Now I'm sure there's a way to test if the link contains only an image or not but I'm still not experienced enough to help on that end. You also might want to check this [url]http://www.webhostingtalk.com/showthread.php?t=682647[/url] |
 |
| COLORS!!! |
 |
| Yey! Hoping for [img] code next time. |
 |
| Thank you! Good luck with the [img] issues... Please take your time to make MAL a safer place ^^ |
Why not [img] m8? |
More topics from this board
» [Challenge] You Should Read This Manga 2025 ( 1 2 )Kineta - Mar 30 |
89 |
by X_Anya_
»»
5 hours ago |
|
» Happy New Year & 2023 Wrap-Up!Kineta - Jan 5, 2024 |
32 |
by IridescentJaune
»»
8 hours ago |
|
» MAL Game "Fantasy Anime League" Opens for Spring 2025 ( 1 2 3 4 )Kineta - Mar 13 |
182 |
by gprime70
»»
Apr 6, 12:14 PM |
|
» [Update Apr 2] MaiBot: Your Anime Connoisseur ( 1 2 3 4 )Kineta - Mar 31 |
183 |
by Hayukoo
»»
Apr 6, 9:37 AM |
|
» [Update Jun 8] Club Mass Messaging Is Returning! (and other updates) ( 1 2 3 )Kineta - Jun 1, 2016 |
123 |
by Wyatt
»»
Apr 4, 9:39 AM |