Oct 3, 2013 11:12 AM

Nov 2004
Before I mention anything, I want to apologize to everyone for the extended crippling of our bbcode.

If you're not aware, [ img ], [ color ], [ url ], and [ yt ] tags have been disabled for some time. Today we're re-enabling [ color] and [ url ] tags.

There are still issues we're trying to solve for [ img ], and if you're knowledgeable in the web space, please let us know any ideas you have on how to prevent [ img ] tags from loading malicious content from other sites. Our current best idea is a blacklist or whitelist of domains.

We apologize for the inconvenience and hope to have this issue resolved in the near future. Any help we can get will surely enable us to get a fix out faster.
Pages (29) [1] 2 3 » ... Last »
Oct 3, 2013 11:15 AM

Jun 2012
thank god we have color back
Oct 3, 2013 11:16 AM

Mar 2012
I'm itching to change my sig.
Kickstarter for Rokujouma is fully funded. Good work everyone. Let's wait for the result of our hard work together.
Oct 3, 2013 11:36 AM

Jul 2011
Thank you!

"A half moon, it has a dark half and a bright half, just like me…", Yuno Gasai
Oct 3, 2013 11:47 AM

Aug 2012
It's a step to having everything back to normal; keep up the good work.

Oct 3, 2013 11:49 AM

Jul 2013
It's okay man, take your time.
Oct 3, 2013 11:50 AM
Soldier 1stClass

Mar 2008
Thanks for the update Xinil!
Oct 3, 2013 12:29 PM

Jun 2012
Thanks for the update, and that's great.
NeoAnkara said:
I'm itching to change my sig.

Though I agree with this.
Oct 3, 2013 12:34 PM

Dec 2012
This is good news for MAL.
Oct 3, 2013 12:34 PM

Apr 2013
This is great. Nice work.
an egomaniac and a fool

Oct 3, 2013 12:43 PM

Apr 2012
Thanks, and good luck!
Oct 3, 2013 12:46 PM

Feb 2012
Thank you!
Oct 3, 2013 1:15 PM

May 2012
Ahh, I miss color BBCode so much x3
Glad the url code is back too.

Oct 3, 2013 1:22 PM

Dec 2012
What's the point of having color BBCode if you're gonna have a bunch of people complain about it being used?

Schools out, No job at moment, STILL hello MAL Eh..I will try to be online
Oct 3, 2013 1:36 PM

Sep 2010
img bbcode is really vulnerable to xss type attacks; it's because of hackers we can't have nice things.
Oct 3, 2013 1:38 PM

Dec 2009
About dang time Xinil, I think half the site was about ready to hang you for taking so long to give us an update. At least we know you care, unlike others who care more for popularity. Thank you for trying your hardest to bring them back up, Xinil.

Now, in regards to the way your other mods pick new mods, I believe TallonKarrde23 has some much needed ideas to discuss with you.

Oct 3, 2013 1:45 PM

Jun 2009
Thank you, Xinil! Much appreciated. It’s good to have features back.
I think, then procrastinate.
Therefore, I am.
Oct 3, 2013 3:01 PM

Dec 2012
NeoAnkara said:
I'm itching to change my sig.

In the meantime you can experiment with colors!
Oct 3, 2013 3:04 PM

Jan 2013
You won't get past blacklisting URLs; it is the most effective precaution. Also filtering words like 'gore', 'xxx', etc. in the links is very effective. Making the images non-clickable can help.

Then there is also the possibility of loading the image over a server proxy, preventing the attacker from directly attacking the users.

The use of an image filter would be a waste because there are more than enough character images that would proc the filter.
Oct 3, 2013 3:31 PM

Jun 2013
Looking forward to [img].
Oct 3, 2013 3:42 PM

Mar 2010
Ty. for color/url!
Oct 3, 2013 3:47 PM

Jun 2007
There's like a billion articles on how to prevent injection for home made bbcode. Here's one
Oct 3, 2013 3:49 PM

Jan 2013
MAL is colorful once again!
Oct 3, 2013 3:50 PM

Oct 2012
As for the img, how about adding a 'Spam' button when hovering an image, and once someone (any member on the forum) presses it, the image is replaced with a spoiler button but with the name 'Show Spam', and a list of blocked images is updated that the mods can go through. But everyone can still see the blocked image by pressing the 'Show Spam' button, until a moderator takes a look at the image; if it's okay it's unblocked and if it's not okay the mod removes it permanently.

The 'Spam' button would of course open a dialog box where the user has to confirm the block and also maybe enter a captcha, and of course the username is saved, in case the user is trying to block images just to be an ass.
Baqa, Oct 3, 2013 4:05 PM
Oct 3, 2013 4:29 PM

Jan 2013
I say you should make a whitelist with the most used web image hosters, like flickr, imageshack, photobucket, signavatar, and slowly expand it to some other websites by having requests from users. And where we have the signature settings, have the supported websites listed so people can see why their picture might not work and what they could use.
Oct 3, 2013 5:21 PM

May 2011
Thanks a lot
Oct 3, 2013 5:51 PM

May 2012
Many thanks. I'm looking forward to getting [img] again for my signature I made 2 weeks ago.
Oct 3, 2013 5:56 PM

Dec 2012
Do not worry about it. As long as it is for a better MAL. And thank you for the update.
I like anime.
Oct 3, 2013 6:23 PM

Nov 2010
thank you for the updates! :D
Oct 3, 2013 6:25 PM

Aug 2012
Oct 3, 2013 6:26 PM

Oct 2013


Oct 3, 2013 6:50 PM

Apr 2009
My Profile picture isn't working. Is it supposed to be or no?
Oct 3, 2013 7:01 PM

Nov 2004
DeathfireD said:
There's like a billion articles on how to prevent injection for home made bbcode. Here's one
This isn't an XSS issue. It's a 'basic access authentication' injection. We've largely resolved any XSS attacks.
Oct 3, 2013 7:45 PM

Feb 2013
Xinil said:
It's a 'basic access authentication' injection.
It's a browser issue. Unfortunately they all seem to handle this in the worst possible way. (I have since replicated the issue with wamp on my machine for fun)

I think the only thing you can do is have the server request the resources that people try to post for images. If there isn't an image on the other end... well, you decide what the consequences are. (easymode would be just stripping it from the post... or autoban, but that might be too much). Obviously that would put a load on the server. Even this can be bypassed, by detecting the MAL server IP and serving an image to it so the post gets made... unless you proxy...

There is no way to deal with this 100% without the browsers doing something about it. There will always be people that don't know any better.
BurntJelly, Oct 3, 2013 7:52 PM
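The server-side check BurntJelly describes, written out as an added PHP example that is not MAL's code and not the poster's (function names are made up for this illustration). It judges one HTTP response the way the thread wants: a 401, or any WWW-Authenticate header, is the "basic access authentication" case Xinil mentions, where a browser that loads the image would show the reader a login prompt for the image host; anything not served as an image carrying a PNG, JPEG or GIF signature is refused as well. The decision is a pure function so it can be exercised with constructed responses, with a curl-based fetcher in front of it:

```php
<?php
// Added example, not MAL's code and not BurntJelly's: probe an [img] URL on the
// server before the post is accepted. All names here are invented for the example.

// Leading bytes of the three formats exif_imagetype() would also recognise.
const IMAGE_SIGNATURES = [
    'png'  => "\x89PNG\r\n\x1a\n",
    'jpeg' => "\xFF\xD8\xFF",
    'gif'  => "GIF8",
];

/**
 * Decide whether one HTTP response is acceptable as an image.
 * Kept free of I/O so it can be exercised with constructed responses.
 * Returns null when acceptable, otherwise a short reason for rejection.
 */
function rejectReason(int $status, array $headers, string $body): ?string
{
    // Header names are case-insensitive; normalise before lookup.
    $h = array_change_key_case($headers, CASE_LOWER);

    // The "basic access authentication" trick from the thread: a 401 carrying
    // WWW-Authenticate makes the reader's browser show a login prompt for the
    // image host, so such a resource is refused outright.
    if ($status === 401 || isset($h['www-authenticate'])) {
        return 'resource demands HTTP authentication';
    }
    if ($status !== 200) {
        return "unexpected HTTP status $status";
    }
    $type = strtolower(trim(explode(';', $h['content-type'] ?? '')[0]));
    if (strpos($type, 'image/') !== 0) {
        return "content-type '$type' is not an image";
    }
    foreach (IMAGE_SIGNATURES as $sig) {
        if (strncmp($body, $sig, strlen($sig)) === 0) {
            return null;
        }
    }
    return 'body does not start with a known image signature';
}

/**
 * Fetch the beginning of the URL with curl and hand the result to rejectReason().
 * Only http(s) is allowed, a few redirects are followed, and the header array is
 * reset on every status line so that only the final response is judged.
 */
function probeImageUrl(string $url): ?string
{
    $headers = [];
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 3,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 10,
        CURLOPT_RANGE           => '0-4095',   // the first 4 KB is enough for the signature check
        CURLOPT_HEADERFUNCTION  => function ($ch, $line) use (&$headers) {
            if (stripos($line, 'HTTP/') === 0) {
                $headers = [];                 // a new response begins (redirect hop)
            } elseif (strpos($line, ':') !== false) {
                [$name, $value] = explode(':', $line, 2);
                $headers[trim($name)] = trim($value);
            }
            return strlen($line);
        },
    ]);
    $body   = (string) curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    if ($status === 206) {        // partial content is the normal answer to a Range request
        $status = 200;
    }
    return rejectReason($status, $headers, $body);
}

// Constructed responses, exercised offline (no network needed):
var_dump(rejectReason(200, ['Content-Type' => 'image/png'], "\x89PNG\r\n\x1a\n..."));  // NULL
var_dump(rejectReason(401, ['WWW-Authenticate' => 'Basic realm="members"'], ''));    // string
var_dump(rejectReason(200, ['Content-Type' => 'text/html'], '<html>'));             // string
```

The objections raised in the thread still apply: a host can serve an image to the probe and something else to readers, or change its answer later, so this check shrinks the problem rather than closing it. Because the server now fetches a user-chosen URL, a production version should also resolve the host and refuse private or internal addresses before connecting.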
Oct 3, 2013 8:20 PM

Oct 2012

I have to admit, I am upset that [ img ] is not working and/or available at the moment, but at least we finally got some sort of update. To be honest, although I am happy to see this update on MAL, I question why we could not be informed of this sooner. I guess it doesn't matter that much now, but just saying....
Oct 3, 2013 8:22 PM

Dec 2012
Damn... The only two that I didn't care about get enabled

@topic question

I am 100% sure you could google it

Oct 3, 2013 8:34 PM

Apr 2009
Profile pic is now working again :)
Oct 3, 2013 8:45 PM

Jul 2013
Thank you for your efforts! Can't wait to finally make a sig that isn't just a jumble of Url and Img words!
Oct 3, 2013 8:49 PM

Jun 2007
BurntJelly said:
Xinil said:
It's a 'basic access authentication' injection.
It's a browser issue. Unfortunately they all seem to handle this in the worst possible way. (I have since replicated the issue with wamp on my machine for fun)

I think the only thing you can do is have the server request the resources that people try to post for images. If there isn't an image on the other end... well, you decide what the consequences are. (easymode would be just stripping it from the post... or autoban, but that might be too much). Obviously that would put a load on the server. Even this can be bypassed, by detecting the MAL server IP and serving an image to it so the post gets made... unless you proxy...

There is no way to deal with this 100% without the browsers doing something about it. There will always be people that don't know any better.

Ah I was under the impression that it was XSS, my bad. I'm not familiar with authentication injection but couldn't you just check the image's exif info using exif_imagetype in PHP? If it's an authentication injection then PHP won't be able to return any exif info since it'll be redirected by the "hackers" server to a script. Xinil could do something like this when converting BBCode to HTML. If the image fails then strip the bbcode out.

$bbcodeImage = ''; // URL taken from the [img] tag

// exif_imagetype() reads the first bytes of the file (on a URL this needs
// allow_url_fopen); the @ silences the notice it raises for non-images
$type = @exif_imagetype($bbcodeImage);

if ($type === IMAGETYPE_PNG) {
    echo 'this is a png';
} elseif ($type === IMAGETYPE_JPEG) {
    echo 'this is a jpeg';
} elseif ($type === IMAGETYPE_GIF) {
    echo 'this is a gif';
} else {
    echo 'This is not an image'; // strip the bbcode out
}
Oct 3, 2013 9:14 PM

Jul 2008
Xinil said:

There are still issues we're trying to solve for [ img ], and if you're knowledgeable in the web space, please let us know any ideas you have on how to prevent [ img ] tags from loading malicious content from other sites. Our current best idea is a blacklist or whitelist of domains.

From a usability point of view, a whitelist is never a good idea since it restricts the user too much. A blacklist is a good second-measure idea but it will also not be able to fully protect the users since it is easy for anyone to get a new domain. This also means that you will have to rely on people's report submissions to find the problematic images and ban their domain, which in every case will create some incident.

As for a primary solution have you tried the following?
-Verify if every image URL has tags inside of it before actually accepting the image; if it does you only have to refuse the post.
-Verify if the link to the image exists before actually showing it. This will stop people from abusing the onerror injection. Now I'm sure there's a way to test if the link contains only an image or not but I'm still not experienced enough to help on that end.

You also might want to check this
Oct 3, 2013 9:36 PM

Mar 2010
Yey! Hoping for [img] code next time.
Oct 3, 2013 9:57 PM

Aug 2011
Thank you! Good luck with the [img] issues...

Please take your time to make MAL a safer place ^^
Oct 4, 2013 12:11 AM

Jun 2010
Why not [img] m8?

Oct 4, 2013 12:50 AM
Oct 2013

I'm the author of a text-formatting library that handles BBCodes and other kinds of markup. You can find it on GitHub: s9e\TextFormatter. I've found this thread via a Google Alert that I have on BBCode-related keywords. I use Google Alerts to keep abreast of issues other people have with BBCodes, which brought me here.

@Xinil: what do you mean exactly by "loading malicious content from other sites"?

Some people mentioned XSS. There are two ways to exploit XSS: via a javascript: link and by breaking out of the attribute value. For the first one, I recommend having a whitelist of allowed schemes. In simple terms, test that every link starts with "http://" or "https://". For the second one, as long as the value is output between quotes (and since this page is XHTML, quotes are not optional anyway) and that you use htmlspecialchars() (possibly with ENT_QUOTES if you use single-quotes for HTML attributes) you should be safe. Although, come to think of it I realize that you might be simply using preg_replace() to replace BBCodes with HTML. That's typically the problem with most BBCode engines. In that case, you can use preg_replace_callback() to specifically target img BBCodes (and url BBCodes too) so that you can actually validate and sanitize the URL.

Now if your concern is that malicious users could use img BBCodes to load arbitrary resources in a user's cache, then there's no way but using a whitelist of trusted hosts. Blacklists can be sidestepped with any URL redirector, and checking the resource to see if it's an image only works if the server serves the resource indiscriminately. For instance, a server could send an image to Firefox users and something completely different to Internet Explorer users. Or it can be an image at the time of the posting and something different five minutes later.

Now with that said, I don't see a need for checking images. To the best of my knowledge the img element cannot be abused that way. You can load the most virulent virus of the universe in an img element, it won't do anything. If it could, spammers would infect the whole planet via reddit's /r/pics.
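Putting the advice above into code, as an added example that is neither s9e\TextFormatter nor MAL's own engine: [img] and [url] tags are handled with preg_replace_callback() so each URL can be validated, only the http and https schemes pass, image hosts must be on a whitelist (the sample list uses hosts suggested earlier in this thread and is an assumption of the example), and every value is escaped with htmlspecialchars() using ENT_QUOTES before it lands in a double-quoted attribute.

```php
<?php
// Added example, not s9e\TextFormatter and not MAL's code: a minimal [img]/[url]
// renderer that applies the advice in the post above. Names are invented here.

const ALLOWED_SCHEMES     = ['http', 'https'];
// Sample whitelist built from hosts suggested in the thread (an assumption).
const ALLOWED_IMAGE_HOSTS = ['imageshack.com', 'photobucket.com', 'flickr.com'];

/** Escape text for placement inside a double-quoted attribute or an element body. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

/**
 * Return the URL unchanged if it passes, or null if it must be dropped.
 * Images additionally need a host on the whitelist (or a subdomain of one).
 */
function validateUrl(string $url, bool $isImage): ?string
{
    $url   = trim($url);
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;                       // relative, malformed or schemeless
    }
    if (!in_array(strtolower($parts['scheme']), ALLOWED_SCHEMES, true)) {
        return null;                       // rejects javascript:, data:, vbscript:, ...
    }
    if ($isImage) {
        $host = strtolower($parts['host']);
        foreach (ALLOWED_IMAGE_HOSTS as $allowed) {
            $suffix = '.' . $allowed;
            if ($host === $allowed || substr($host, -strlen($suffix)) === $suffix) {
                return $url;
            }
        }
        return null;                       // host not on the whitelist
    }
    return $url;
}

/**
 * Convert [img] and [url=] BBCodes to XHTML. The whole post is escaped first, so
 * the only markup in the output is what the callbacks emit; a captured URL is
 * decoded again before validation and re-escaped on output.
 */
function renderBbcode(string $text): string
{
    $out = h($text);

    $out = preg_replace_callback('#\[img\](.*?)\[/img\]#is', function (array $m): string {
        $url = validateUrl(html_entity_decode($m[1], ENT_QUOTES, 'UTF-8'), true);
        return $url === null ? '' : '<img src="' . h($url) . '" alt="" />';
    }, $out);

    $out = preg_replace_callback('#\[url=([^\]]+)\](.*?)\[/url\]#is', function (array $m): string {
        $url = validateUrl(html_entity_decode($m[1], ENT_QUOTES, 'UTF-8'), false);
        return $url === null ? $m[2] : '<a href="' . h($url) . '">' . $m[2] . '</a>';
    }, $out);

    return $out;
}

// Constructed inputs:
$samples = [
    '[img]http://img.imageshack.com/sample.png[/img]',     // subdomain of a listed host: kept
    '[img]http://unlisted-host.example/sample.png[/img]',  // host not whitelisted: tag dropped
    '[url=javascript:void(0)]click[/url]',                 // scheme refused: link text only
    '[url=https://example.com/?a=1&b="x"]quoted[/url]',    // & and quotes escaped in href
];
foreach ($samples as $s) {
    echo renderBbcode($s), "\n";
}
```

Escaping the whole post first and re-decoding only the captured URL keeps the rule simple: nothing reaches the output unescaped except the markup the two callbacks build themselves. For the four samples the output is an img tag for the first, an empty string for the second, the bare word "click" for the third, and for the fourth a link whose href reads https://example.com/?a=1&amp;b=&quot;x&quot;, so the quotes can no longer end the attribute.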