My sig doesn't work here in the forums but in my profile it works fine?

Any ideas?

Your sig here looks the same to me as it does in your profile

it's just an issue of cbb ;-)

I already have made a fix for this but it's not applied here yet!

Oh I changed it back because google pick up the bad link as soon as I posted it.

I guess I should have said it this way... simple html or bbcode is not working in the sig area here in the forum but does work in my profile.

I noticed that after the upgrade, BBCode and signatures started breaking for me. Perhaps there is a relation?

because in icms core, we filter signature on user input instead of output.

this means that if you use bbcode in your signature, it will be converted to html by module.textsanitizer & purifier before it is submitted to the DB.

CBB doesn't respect this and also tries to filter the output and is not allowing html through, which is why stranger made the patch for it.

this is 1 of the biggest problems we are encountering with security on the core. it is more preferable to filter input, and then do less filtering on output, it makes page rendering faster if we filter and clean user input instead of output. but in many cases with xoops & in the core, they filter output more than input, and sometimes it's wasted resources even more because not only do they filter the input, but sometimes they filter both the input & output exactly the same which is wasteful.

That explains a whole hell of a lot! Thanks Vaughan! Hey, I can live with a plain text signature. 'tis no biggie, but I can see where this will be an irritation for others.

yw James, yes in future, i would rather have the core fully handle user input & filtering, rather than the modules using their own methods, that way we can be consistent throughout. but that's certainly some time off at moment.

I must remind you again, I can not let pass this in the future because this will cause problems.

If you have an old system in the database that you converted from XOOPS impresscms and is looking for only the entry, this might undermine its website. Not with the new entries, this is already healthy. But the output is a problem for old content. See for example the news module. Somehow he allowed malicious code via JS and now is not checked the exit, some problems will occur in comments. This is just a real example noticed that today.

If we fail to see the exit, OK, fine, but it would be interesting to let the webmaster choose whether to activate or not the scan output.

relax Giba, we do filter the output in userinfo.php



it's just when modules such as cbb did not allow HTML signatures, that the problem occurs, because the method they use (htmlspecialchars) needs to be changed to use displayTarea() instead.

but i really do want to change this concept and fully filter user input more than output.