I know that it's convenient to embed videos from youtube and other sites in an iframe. It's also a security risk since Manifest never finished the
promised work to protect the forum against iframe-enabled credential theft. I have made a change to force iframed content into a sandbox, which
breaks the youtube embedded player. You will have to visit the external youtube site now to play videos.
I incidentally discovered along the way why the superscript bbcode tag -- sup -- was not working. It should work now, along with the
already-working subscript.
aga - 5-3-2016 at 13:51
Great work.
iframes were invented by the devil himself, and deserve to be obliterated.
Rosco Bodine - 6-3-2016 at 08:06
Who is John Galt? Maybe Jimmy Hoffa redacted.
blogfast25 - 6-3-2016 at 09:42
Very nice, indeedy.
Rosco Bodine - 6-3-2016 at 11:15
Predictable "progress"
ElizabethGreene - 8-3-2016 at 14:50
One workaround for this might be to create the [youtube] tag in phpBB. There are more details here.
As I understand it, this blocks the users' ability to create an arbitrary iframe, and still enables them to embed videos.
Rosco Bodine - 8-3-2016 at 23:13
The old embed code like this for example may still function, it works but seems like 6 of one and a half dozen of the other. Not really seeing any security alerts so it may be a case of if it ain't broke don't
fix it.
Edits done to experiment with effect of script changes and simplify the code........several versions seem to work fine.
One time I set the autoplay parameter "true" on one of these embeds but a big bird named Vulture killed the link so I never posted one again
.......I'm a quick learner that way.
So it's been too long I'll see if the autoplay still works.
Coincidentally it was another Alkaemy work the first time.
iframes were invented by the devil himself, and deserve to be obliterated.
Speak of the devil
Or maybe Archangel Echelon Wing Commander .....
shhhh don't tell anyone .....it's a secret
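The dedicated [youtube] tag suggested earlier in the thread, combined with the sandbox from the opening post, sketched as an added example (not part of any member's post, and not XMB or phpBB code). `youtube_id` and `render_youtube_tags` are hypothetical names, the post text is assumed to be HTML-escaped before this runs, and the sandbox token list is an assumption about what the player needs.

```php
<?php
// Added example; function names are hypothetical, not XMB or phpBB code.
// Return the 11-character video id from a bare id or a YouTube URL, else null.
function youtube_id(string $arg): ?string
{
    // The post is assumed to be HTML-escaped already, so undo &amp; in URLs.
    $arg = trim(html_entity_decode($arg, ENT_QUOTES, 'UTF-8'));
    $id = $arg;
    $url = parse_url($arg);
    if (is_array($url) && isset($url['host'])) {
        $host = strtolower($url['host']);
        $id = null;
        if ($host === 'youtu.be') {
            $id = ltrim($url['path'] ?? '', '/');
        } elseif ($host === 'www.youtube.com' || $host === 'youtube.com') {
            parse_str($url['query'] ?? '', $query);
            $id = $query['v'] ?? null;
        }
    }
    return (is_string($id) && preg_match('/^[A-Za-z0-9_-]{11}$/D', $id)) ? $id : null;
}

// Replace [youtube]...[/youtube] with a fixed, sandboxed player iframe.
function render_youtube_tags(string $escapedPost): string
{
    $out = preg_replace_callback('#\[youtube\](.*?)\[/youtube\]#is', function (array $m): string {
        $id = youtube_id($m[1]);
        if ($id === null) {
            return $m[0]; // not a video reference: the tag stays inert text
        }
        // Only the validated id is interpolated; every attribute is fixed.
        // Assumption: these sandbox tokens are enough for the player to run.
        return '<iframe src="https://www.youtube-nocookie.com/embed/' . $id . '"'
            . ' sandbox="allow-scripts allow-same-origin allow-presentation"'
            . ' width="560" height="315" allowfullscreen></iframe>';
    }, $escapedPost);
    return $out ?? $escapedPost;
}

// Constructed sample posts, as they would look after htmlspecialchars().
$samples = [
    '[youtube]AAAAAAAAAAA[/youtube]',
    '[youtube]https://www.youtube.com/watch?v=AAAAAAAAAAA&amp;t=10[/youtube]',
    '[youtube]https://other-site.example/page[/youtube]',
    '[youtube]AAAAAAAAAAA&quot; onload=&quot;x[/youtube]',
];
foreach ($samples as $post) {
    echo render_youtube_tags($post), "\n";
}
```

The first two samples become player iframes; the last two are echoed back unchanged because no 11-character id on a YouTube host can be extracted from them.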
Big Boss - 11-3-2016 at 13:30
I'm sorry for not doing the work promised, I'm him by the way. I started off with such good intentions and kept putting it off, then forgot about it.
I'm the same way with schoolwork unfortunately, I keep putting it off again and again until deadlines run down.
I suppose one fix would be to force iframes into a sandbox environment, the best probably, there's still a security risk from external links but I
don't plan on pulling anything any time soon.
The best fix would be to go around patching each individual CSRF exploit which would take ages, there's a few in the control panel, one in the U2U
system etc.
aga - 11-3-2016 at 14:56
Words are so very easy, which is why there are so many of them, yet so little to be said.
Big Boss - 11-3-2016 at 15:00
A statement backed by your post history, aga.
aga - 11-3-2016 at 15:11
Correct, although beer tends to get involved in my case.
Failure to deliver on promised code changes, then vague mentions of vulnerabilities in general areas of the board's php is very weak indeed. Weak.
Detail the code sections please and I'll put in the man-hours to eliminate the vulnerabilities.
Post them here rather than U2U so other programmer members can help.
aga - 11-3-2016 at 15:14
Just in case you feel like forgetting or redacting the Words.
The best fix would be to go around patching each individual CSRF exploit which would take ages, there's a few in the control panel, one in the U2U
system
If I remember right u2u.php?action=send is vulnerable to CSRF but this isn't too bad, you could make users send U2U's. I tested this out with a couple
members of the skype group.
I would rather we work together on this than take subtle jabs at each other like a few members have been doing the past months, it really does achieve
nothing. Can we agree on that?
[Edited on 12-3-2016 by Big Boss]
Polverone - 11-3-2016 at 18:21
(Well, actually there are a couple of small modifications that I've not bothered to merge into that repo since nobody was using it. I should do
that...)
If Big Boss/Manifest is still willing to make improvements in the form of pull requests I'm still happy to review them and merge them if they pass
review. Not every problem needs to be fixed at once. Start with one issue and fix it. This invitation goes for aga too, and anyone else who might want
to contribute.
Rosco Bodine - 11-3-2016 at 19:25
A script could be used to invoke the old embed code in the place of "sandbox" to break the "iframe" script .....maybe just overwrite the "iframe"
script with the old embed code derivative. It would be a translator script.
I am NOT a programmer so I'm not sure it makes sense what I am suggesting may be possible.
aga - 12-3-2016 at 08:00
Could you post the install directory as well please, or just say if it's the same as the stock 1.9.11 one.
Best start with the exact same schema as you got.
Edit:
It's pretty noisy in this sandbox
[Edited on 12-3-2016 by aga]
Rosco Bodine - 12-3-2016 at 10:19
script kiddies are the worst when they are old enough to get a senior discount
Sorry ........
I was tinkering before with scripts and it is too late now to edit the autoplay embed
aga - 12-3-2016 at 11:00
The noise isn't so bad. Reminds me of Clannad or Enya.
Polverone - 12-3-2016 at 14:34
The install directory is the same as the stock 1.9.11.
aga - 13-3-2016 at 12:30