
Remove ability for mods to use HTML in announcements

Admin

Currently, if someone is able to hack into one of your moderator accounts, they could use it to launch an XSS attack, since they could select the option to use HTML in announcements.

To fix this, open modcp/announcement.php

Change

PHP:
print_yes_no_row($vbphrase['allow_html'], 'announcementoptions[allowhtml]', ($announcement['announcementoptions'] & $vbulletin->bf_misc_announcementoptions['allowhtml'] ? 1 : 0));

to

PHP:
//print_yes_no_row($vbphrase['allow_html'], 'announcementoptions[allowhtml]', ($announcement['announcementoptions'] & $vbulletin->bf_misc_announcementoptions['allowhtml'] ? 1 : 0));

All you are doing is commenting it out. You will need to do this each time you upload a new version of vBulletin.
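
Because the edit has to be repeated after every upgrade, a post-upgrade check can flag a modcp/announcement.php in which the row is active again. The script below is an added example, not part of the original post or of vBulletin; the function names `allowhtml_row_active` and `check_forum` are hypothetical, and it only recognizes a comment marker at the start of the line.

```shell
#!/bin/sh
# Added example (hypothetical helper names): detect whether the "allow HTML"
# row in the moderator-CP announcement form is active again after an upgrade.
# Usage once the functions are loaded: check_forum /path/to/forum

# allowhtml_row_active FILE
#   returns 0 if an uncommented print_yes_no_row(...) line for
#             announcementoptions[allowhtml] is present (patch missing)
#   returns 1 if that row is absent or starts with //, # or /*
#   returns 2 if FILE cannot be read
# Assumption: the row sits on one line, as in the snippet quoted in the post.
# A /* ... */ block opened on an earlier line is not recognized.
allowhtml_row_active() {
    file=$1
    [ -r "$file" ] || return 2
    # Select the lines that build the allowhtml row, then discard the ones
    # whose first non-blank characters open a PHP comment.
    grep -F "announcementoptions[allowhtml]" "$file" \
        | grep -F "print_yes_no_row" \
        | grep -Ev '^[[:space:]]*(//|#|/\*)' \
        | grep -q .
}

# check_forum ROOT
#   checks ROOT/modcp/announcement.php and prints a verdict;
#   returns 0 when patched, 1 when the patch is missing, 2 on read error.
check_forum() {
    target="$1/modcp/announcement.php"
    rc=0
    allowhtml_row_active "$target" || rc=$?
    case $rc in
        0) echo "PATCH MISSING: $target offers allow_html to moderators"
           return 1 ;;
        1) echo "ok: allow_html row is commented out or absent in $target"
           return 0 ;;
        *) echo "error: cannot read $target" >&2
           return 2 ;;
    esac
}
```

Running `check_forum` from the deployment step that uploads a new version turns a forgotten re-edit into a failed step instead of a silent regression.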
 
