vB4 Remove ability for mods to use HTML in announcements

  • Downloading from our site will require you to have a paid membership. Upgrade to a Premium Membership today!

    Dont forget read our Rules! Also anyone caught Sharing this content will be banned. By using this site you are agreeing to our rules so read them. Saying I did not know is simply not an excuse! You have been warned.

Radio

    ven0m

    ven0m

    Administrator
    Staff member
    Administrator
    Moderator
    Platinum
    xenForo 2.x.x
    xenForo 1.x.x
    Contributor
    vBulletin All Access Pass
    The Chest
    Verified
    Ultra Platinum VIP
    Platinum VIP
    Gold VIP
    Silver VIP
    Premium
    Member
    Jul 17, 2005
    20,471
    7,711
    321
    localhost
    Heisenberg submitted a new resource:

    You must be registered for see links
    - Remove ability for mods to use HTML in announcements

    vB Version: 4.2.x

    Currently if someone is able to hack into one your of moderator accounts they could use it to launch a XSS attack since they could select the option to use HTML in announcements.

    To fix this open modcp/announcement.php

    Change

    Code: 
    print_yes_no_row($vbphrase['allow_html'], 'announcementoptions[allowhtml]', ($announcement['announcementoptions'] & $vbulletin->bf_misc_announcementoptions['allowhtml'] ? 1 : 0));

    to...
    Click to expand...

    You must be registered for see links
     
    Last edited:
    You must log in or register to reply here.
    Thread starter Similar threads Forum Replies Date
    ven0m vB4 vt.Lai VBB Unique Link 1.1 - Remove ?p=xxx parameter in Url [4.2.x] Addons 0
    ven0m vB4 Checks all Products for lastest version (Check All Mods With One Click) [4.2.x] Addons 0
    Similar threads
    Top Bottom