Old 12-03-2008, 06:39 AM   #6
Isildur
Senior Member
Join Date: Nov 2004
Posts: 1,339

Quote:
Originally Posted by Reaper man View Post
.....D:

ack, well that's a pretty interesting exploit you found, but not exactly useful. Sadly, I can't think of anything that would counteract that though. ;/
Yeah, it's apparently not dangerous, so long as there aren't any SWFs hosted on the youtube.com domain that do something like redirect to another site. (Fortunately, in html-off mode, vBulletin already converts quotation marks to "&quot;". Otherwise, some nasty js exploits might perhaps be possible by inserting a closing quotation mark and then an event handler.) I guess it should be possible to program the PHP to do a PCRE search for the string

=\"http:\/\/www\.youtube\.com\/v\/*/\.*.\"

and replace it with something like =\"\"

but it's probably not necessary -- YouTube doesn't host any problematic SWFs as far as I can tell -- so you probably needn't worry about it, since the harmless stuff that I did is about all that a forum user could do, as far as I can tell.
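The PCRE filtering idea from the post above, as an added example that is not part of the original post and is not vBulletin's code: it checks the tag parameter against an allowlist before the embed URL is built, and also scrubs already-rendered HTML. The function names, the sample inputs and the assumption that a video id is exactly 11 characters from [A-Za-z0-9_-] are mine.

```php
<?php
// Added example, not vBulletin code. Assumption: a video id is exactly
// 11 characters from [A-Za-z0-9_-]; anything else after /v/ is refused.
const YT_ID = '[A-Za-z0-9_-]{11}';

// Input-side check: validate the raw tag parameter before any HTML is built.
function yt_embed_url(string $param): ?string
{
    if (preg_match('/\A' . YT_ID . '\z/', $param) !== 1) {
        return null; // extra path segments, quotes, query strings, etc.
    }
    return 'http://www.youtube.com/v/' . $param;
}

// Output-side pass in the spirit of the post: blank every
// ="http://www.youtube.com/v/..." attribute whose remainder is not a bare id.
function yt_scrub_html(string $html): string
{
    $pattern = '~="http://www\.youtube\.com/v/([^"]*)"~i';
    return preg_replace_callback($pattern, function (array $m): string {
        $ok = preg_match('/\A' . YT_ID . '\z/', $m[1]) === 1;
        return $ok ? $m[0] : '=""';
    }, $html);
}

// Constructed sample parameters (not taken from the thread).
$samples = [
    'AAAAAAAAAAA',               // bare id: accepted
    'AAAAAAAAAAA/extra/segment', // additional path after the id: rejected
    'AAAAAAAAAAA" x="y',         // closing quote plus attribute: rejected
    'AAAAAAAAAAA&autoplay=1',    // trailing parameters: rejected
];
foreach ($samples as $s) {
    printf("%-28s => %s\n", $s, yt_embed_url($s) ?? '(rejected)');
}

// Constructed rendered markup: the first src is blanked, the second is kept.
echo yt_scrub_html('<embed src="http://www.youtube.com/v/AAAAAAAAAAA/extra/segment">'), "\n";
echo yt_scrub_html('<embed src="http://www.youtube.com/v/AAAAAAAAAAA">'), "\n";
```

Validating the parameter before the URL is assembled is the stronger of the two checks, because the output-side replace only sees attributes that are still well-formed.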