View Single Post
Old 12-03-2008, 05:39 AM   #6
Senior Member
Isildur's Avatar
Join Date: Nov 2004
Posts: 1,340

Originally Posted by Reaper man View Post

ack, well that's a pretty interesting exploit you found, but not exactly useful. Sadly, I can't think of anything that would counteract that though. ;/
Yeah, it's apparently not dangerous, so long as there aren't any SWFs hosted on the domain that do something like redirect to another site. (Fortunately, in html-off mode, vBulletin already converts quotation marks to """. Otherwise, some nasty js exploits might perhaps be possible by inserting a closing quotation mark and then an event handler.) I guess it should be possible to program the PHP to do a PCRE search for the string


and replace it with somthing like =\"\"

but it's probably not necessary-- YouTube doesn't host any problematic SWFs as far as I can tell -- so you probably needn't worry about it, since the harmless stuff that I did is about all that a forum user could do, as far as I can tell.
Isildur is offline   Reply With Quote