Recognized Member Cap

**The Man** · 07-31-2003, 11:22 PM

I'd also recommend banning document.cookie and window.change, both of which are JavaScript operators... apparently there's a way to get people's passwords with document.cookie, although I'm not sure if vB2.3.0 is vulnerable to that anymore (but there was a big problem with it on Kraptastica awhile back... I think it's still in their Drama Archive), and window.change is how Jacques and his buddies managed to execute that window-opening script in the first plcae, or so I'm informed.

That's really hardly an exhaustive list of terms that can be used maliciously, but it'd be a good start.

I've banned both of them, anyway :P

**Citizen Bleys** · 08-01-2003, 01:44 AM

Pain in the arse. Forget it.

**Endless** · 08-01-2003, 01:55 AM

Why scripting (as they used it during the spam-attack) isn't an issue. I suppose that one is courtesy of clout too, I didn't spot it until now.
Tried to type:
<script language=javascript>
alert("test");
<script>
which shows up as:

language=javascript>
alert("test");

>

**Nakor TheBlue Rider** · 08-01-2003, 10:04 AM

Yah and How About Those Recognized Members.....

No one wants to change anything cuz its work.......thats understandable......

But then shouldn't we just say that and get on talking about Video Games or somthing?????......

**The Man** · 08-01-2003, 06:13 PM

They can get around "javascript:" with an :bou::bou::bou::bou::bou::bou::bou:over or something though

plus typing &#whateverthenumbercodeforJis;avascript also allows them to get around it

**edczxcvbnm** · 08-01-2003, 06:37 PM

Originally posted by Master Vivi
7 or +5

Now using style, that's another matter.

That's how you can type micro text that no one can read without copypasting it, or maxi text that uses a screen per character.

Thats what it was...+5. Also I just hit the quote button to read that insanely small text. So SMAAAAALLLLL!

**Endless** · 08-01-2003, 10:48 PM

Originally posted by The Man
They can get around "javascript:" with an :bou::bou::bou::bou::bou::bou::bou:over or something though

plus typing &#whateverthenumbercodeforJis;avascript also allows them to get around it

No, I think & chars won't allow typing script *tries*
<script>

Nope, it won't use it as a tag.
And using the onwhatever events only allows you to have one line, and it still requires to trigger the event, it's way harder to autotrigger it, if even possible.

**crono_logical** · 08-02-2003, 11:21 AM

It's possible though, the number of people that noticed my changing colour text at FFI when you roll over/click my posts, hence that had to trigger it themselves

And there's the ; that removes the one line limit anyway. Basically, there's a lot to do if you want to patch up all holes at the same time as keeping HTML enabled

***Del Murder*** · 08-03-2003, 06:53 PM

Let's get back on topic please.

**eternalshiva** · 08-04-2003, 02:40 PM

ha ha! That's funny.

Capping sounds good I guess, maybe you should pass around a "questionnaire" that asks the old RMs if they still want the title or not and the resposibilities attached to it and go from there...

Would you have the "Hall of Fame RM" thing under your name? maybe you should make it a link so everyone could see the HoF ;p

heh *imagines it*that would be neat ;p

**eestlinc** · 08-06-2003, 02:24 AM

i still don't see the point in RM's anyway, besides making some more equal than others.

Thread: Recognized Member Cap

Thread Tools

Display

Posting Permissions