Meta-WTF - WTF is the forum markup? WTForum? :)



  • There's no description of the permitted forum markup. Is it just HTML? Probably not all HTML. Is it something like Markdown?

    If you go to the "help", it dumps you into the generic top page for Teligent. WTF?



  • Normally I'd say "you must be new here" and complain that EVERYBODY knows the forum software is the Real WTF, but the 'Help' link abuse is new to me. so, :)



  • <script language="javascript">alert("ohai! i must try scripts now.");</script>

    So I suppose it's at least semi-filtered.



  • <font color="red" size="128"><blink>I can has BLINK TAG?</blink></font>

    <script type="text/javascript"> alert("javascript???"); </script>

    (edit) Hmm, better than I thought... it filters <blink> fro the real post, though it still blinks in the editor!



  • The real WTF is the forum software, etc. etc.

    Alex is just a sociopath, I thought that was the generally accepted reasoning?



  • @realmerlyn said:

    There's no description of the permitted forum markup. Is it just HTML? Probably not *all* HTML.

    Clearly you've missed out on seeing "Signature Guy", an entire fake post used as a signature, created by closing all the tags of the post, opening a new set with fake user info etc, and then allowing the real end of the original post to close this fake one instead.

    Before that I did something similar inside a post. With the right tricks you can break the post page's html parser and make it allow you to close tags which you didn't open, and open tags without ever closing them.



  • @Thief^ said:

    @realmerlyn said:

    There's no description of the permitted forum markup. Is it just HTML? Probably not *all* HTML.

    Clearly you've missed out on seeing "Signature Guy", an entire fake post used as a signature, created by closing all the tags of the post, opening a new set with fake user info etc, and then allowing the real end of the original post to close this fake one instead.

    Before that I did something similar inside a post. With the right tricks you can break the post page's html parser and make it allow you to close tags which you didn't open, and open tags without ever closing them.

     

    And people actually buy this software?  Willingly?



  • @Thief^ said:

    Clearly you've missed out on seeing "Signature Guy", an entire fake post used as a signature, created by closing all the tags of the post, opening a new set with fake user info etc, and then allowing the real end of the original post to close this fake one instead.

    Bear in mind that Community Server isn't the only forum vulnerable to Signature Guy, though it's probably one of the only ones that's still around (I think the other one, where I originally got the idea, was an ancient version of UBB that cached everything as static HTML - the site ended up switching to phpBB because of the massive lag that resulted from replying to any of the numerous 200+ page threads, since it would have to recache every single page in order to update the pagination links).

    Of course, here it only works if you view threads in flat mode - view them in Threaded mode and Signature Guy goes away (or gets horribly mangled).



  • @Quietust said:

    I think the other one, where I originally got the idea, was an ancient version of UBB that cached everything as static HTML

    I was about to say that it couldn't have been, but it turns out that I'm wrong. I could have sworn that nuking HTML in signatures was done, but the code disagrees. Signatures are only put through the normal "strip dangerous HTML" routines that are utterly hilarious looking back eight years after they were written.



  • You can find the list of available WTFcode here: [url]http://thedailywtf.com/Info/BBCode.aspx[/url].



  • @joemck said:

    <font style="text-decoration: blink;" color="red" size="128">I can has BLINK TAG?</font>

    alert("javascript???");

    (edit) Hmm, better than I thought... it filters <blink> fro the real post, though it still blinks in the editor!

     

    FTFY?  (Won't know for sure until I click "Post", of course ...) 



  • @Spectre said:

    You can find the list of available WTFcode here: http://thedailywtf.com/Info/BBCode.aspx.

    Nope. That's for Alex's hokey hand-rolled comment and article engine for the front page.



  • @Kyanar said:

    @Spectre said:
    You can find the list of available WTFcode here: http://thedailywtf.com/Info/BBCode.aspx.

    Nope. That's for Alex's hokey hand-rolled comment and article engine for the front page.

    [b]bolded text[/b]

    [i]italicized text[/i]

    [u]underlined text[/u]

    [url]http://WorseThanFailure.com[/url]

    [url=http://WorseThanFailure.com]WTF[/url]

    [img]http://thedailywtf.com/Resources/images/wtf.gif[/img]

    Hello World

    @Bob said:

    Hello World

    [code]monospaced text[/code] 

    				<code></code><br></p><p><code>[color=red]Red Text[/color]</code></p>


  • @DaveK said:

    @joemck said:

    <font style="text-decoration: blink;" color="red" size="128">I can has BLINK TAG?</font>

    alert("javascript???");

    (edit) Hmm, better than I thought... it filters <blink> fro the real post, though it still blinks in the editor!

     

    FTFY?  (Won't know for sure until I click "Post", of course ...) 

     

    Wow, that brings back the good memories of the internet in the late '90s. Too bad geocities is gone and we can't visit these beasts in their natural habitats.



  • @DaveK said:

    FTFY?  (Won't know for sure until I click "Post", of course ...) 
     

    F for Fucked?



  • Wait, so... this forum allows faking an entire extra post in a signature, but doesn't allow the blink tag?!

    Well, it may be buggy, but at least the developers have their priorities in order.


  • Discourse touched me in a no-no place

    @NSCoder said:

    Wait, so... this forum allows faking an entire extra post in a signature, but doesn't allow the blink tag?!




    Um - it does; did you not see http://forums.thedailywtf.com/forums/p/14077/208644.aspx#208644?



  • @PJH said:

    @NSCoder said:
    Wait, so... this forum allows faking an entire extra post in a signature, but doesn't allow the blink tag?!




    Um - it does; did you not see http://forums.thedailywtf.com/forums/p/14077/208644.aspx#208644?
    I see it, but it doesn't blink. But I'm using Internet Explorer (I know, TRWTF, it's not my choice) so it could just be that.



  • @PJH said:

    @NSCoder said:
    Wait, so... this forum allows faking an entire extra post in a signature, but doesn't allow the blink tag?!

    Um - it does; did you not see http://forums.thedailywtf.com/forums/p/14077/208644.aspx#208644?

    Does not! That's CSS' text-decoration:blink.



  • @derula said:

    CSS' text-decoration:blink.
     

    Creating nonsense can be forgiven.

    Perpetuating it is just stupid.


  • Discourse touched me in a no-no place

    @derula said:

    @PJH said:
    @NSCoder said:
    Wait, so... this forum allows faking an entire extra post in a signature, but doesn't allow the blink tag?!
    Um - it does; did you not see http://forums.thedailywtf.com/forums/p/14077/208644.aspx#208644?
    Does not! That's CSS' text-decoration:blink.


    Ah. I slump corrected.



    It blinked, I presumed a tag-soup correction. I didn't bother digging into what changes were required for it.



  • img tag abuse test...



  • @shogun said:

    img tag abuse test...

     

    It seems to work.



  • @dhromed said:

    @DaveK said:

    FTFY?  (Won't know for sure until I click "Post", of course ...) 
     

    F for Fucked?

    Well, the word "fixed" can easily take on that shade of meaning... I "fixed" it all right.  I "fixed" it good and proper.
     



  • @NSCoder said:

    I see it, but it doesn't blink. But I'm using Internet Explorer
    Man, I thought IE8 was supposed to be fully compliant with CSS2.1. But if there’s no support for text-decoration blink, why even bother :(((



  • @snover said:

    @NSCoder said:

    I see it, but it doesn't blink. But I'm using Internet Explorer
    Man, I thought IE8 was supposed to be fully compliant with CSS2.1. But if there’s no support for text-decoration blink, why even bother :(((

     

    I for one am glad there's at least one annoyance that IE doesn't put us through.


Log in to reply