1
kankrelune
newbb 2 HTML/JS problem with message preview ?
  • 2005/3/8 17:58

  • kankrelune

  • Just popping in

  • Posts: 2

  • Since: 2005/1/28


Hello...

First, my apologies for my very bad English; that is also why I never post on the xoops.org forums...

I will try to keep it short...

We have looked on frxoops.org at a "security problem" in newbb... the HTML/JavaScript code is executed when one previews the message before posting...

I do not know enough about the field to be really sure of it, but it is rather awkward, even dangerous...

What do you think...

@ tchaOo°

2
Mithrandir
Re: newbb 2 security flaw

First off, please don't post security flaws publicly. Contact the developers, giving them a chance to fix it.

However, this is something that should be fixed, but the consequences are limited as you have written the message yourself and any malicious code, you would already know about... forward it to the devs, though.

3
wtravel
Re: newbb 2 security flaw

Hi,

From your message I conclude that only the author of a post can execute the JavaScript code when previewing the article. If that is the case, then there should not be a problem, because he cannot hack the server with it (ordinarily), nor can another user suffer any damage from it.

I am not a JavaScript expert, but since it is a client tool, theoretically it only influences the PC that opens the preview message.

However, since JavaScript would not be allowed in the posted messages, perhaps it would be best to also not allow it in preview posts.

Best wishes,

Martijn

4
kankrelune
Re: newbb 2 security flaw
  • 2005/3/8 18:31

  • kankrelune

  • Just popping in

  • Posts: 2

  • Since: 2005/1/28


to Mithrandir

Sorry... the problem did not appear that serious, so I did not ask myself the question... it is clear that for a large flaw I would have contacted one of the authors directly... but here it is more a question than an assertion...

to wtravel

That is what I think too, but I prefer to ask nevertheless...

@ tchaOo°
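The suggestion in the thread, that preview should not allow what posted messages do not allow, can be enforced by sending both through one rendering function. The sketch below is an added example, not newbb or XOOPS code; the function names, the two supported tags and the sample messages are assumptions constructed for illustration.

```php
<?php
// Added illustration: all names here are hypothetical, not XOOPS/newbb APIs.

// The only place where user text becomes HTML.
function render_message(string $raw): string
{
    // Escape everything first, so no author-supplied tag or attribute survives.
    $out = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Re-enable links for http/https targets only; any other scheme is left
    // as inert, escaped text because the pattern does not match it.
    $out = preg_replace(
        '#\[url=(https?://[^\s\[\]]+)\](.*?)\[/url\]#si',
        '<a href="$1" rel="nofollow">$2</a>',
        $out
    );

    // Re-enable bold.
    $out = preg_replace('#\[b\](.*?)\[/b\]#si', '<b>$1</b>', $out);

    return nl2br($out);
}

// Preview and final display share the same path, so they cannot drift apart.
function preview_message(string $raw): string { return render_message($raw); }
function display_message(string $raw): string { return render_message($raw); }

// Constructed sample messages for a self-check.
$samples = [
    "Hello [b]world[/b]\nsecond line",
    "<script>alert(1)</script>",
    "[url=javascript:alert(1)]click[/url]",
    "[url=https://example.org/?a=1&b=2]docs[/url]",
];

foreach ($samples as $s) {
    $p = preview_message($s);
    if ($p !== display_message($s)) {
        throw new RuntimeException('preview and display differ');
    }
    // Only <b>, <a> and <br> may appear as real tags in the output.
    if (preg_match('#<(?!/?(b|a|br)\b)#i', $p)) {
        throw new RuntimeException('unexpected tag in output');
    }
    echo $p, "\n";
}
```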
