Heisenberg submitted a new resource:
You must be registered for see links
- Remove ability for mods to use HTML in announcementsvB Version: 4.2.x
Currently if someone is able to hack into one your of moderator accounts they could use it to launch a XSS attack since they could select the option to use HTML in announcements.
To fix this open modcp/announcement.php
Change
Code:print_yes_no_row($vbphrase['allow_html'], 'announcementoptions[allowhtml]', ($announcement['announcementoptions'] & $vbulletin->bf_misc_announcementoptions['allowhtml'] ? 1 : 0));
to...
You must be registered for see links
Last edited: