
FF is executing HTML code in Forum/New Thread and Edit Post Textareas






(Reporter: Arnold McMunn, Unassigned)


44 Branch




2 years ago
Created attachment 8718936: PNSW.PNG of Player replacing text in post editor

User Agent: Mozilla/5.0 (Windows NT 5.1; rv:44.0) Gecko/20100101 Firefox/44.0
Build ID: 20160210153822

Steps to reproduce:

(1) Go to https://www.youtube.com/watch?v=JbpgM-JTang
Click the Share > Embed links and Copy the iframe embed code for the video.

(2) Log in to a forum that allows posting executable HTML code in a thread post, as a member. For instance, http://www.pinballnirvana.com/forums/forumdisplay.php?f=105 - the one I use.

(3) At the forum, click the "New Thread" button. Enter a Title and Paste the YouTube iframe code in the textarea for your message. This is correct procedure.

(4) After Pasting the YouTube iframe code to the message textarea, click the "Preview Post" button.

Actual results:

When previewing or editing a post at a forum that allows posting executable HTML code in posts (YouTube Player embeds, div tags with CSS inline styles, etc.), FF is not showing the text of the code in the textarea editing window. FF instead displays the finished rendered element, the YouTube Player, etc. If the element or src needs correction, you can only delete the element and start over from scratch.

Expected results:

When previewing or editing a forum post that contains executable HTML code, FF should display the text of the code in the textarea editing window and Not Render the finished element in the place of the text. This does not occur in Google Chrome.
Please excuse the odd color scheme in the image file. I am suffering an eye infection atm.

Comment 1

2 years ago
FF may also be executing or removing/blocking HTML code that is posted within CODE or HTML CODE tags at forums. I have seen "missing code" posted within CODE or HTML CODE tags that may be due to the same bug as above.

Comment 2

This is a problem with the vBulletin software that forum is running. It uses a "contenteditable" rich text editor field, where embeddable content like iframes just works - it isn't a textarea.

I don't know why it doesn't support such an edit field in Chrome - it's possible that the vBulletin code in question is simply too old to know about Chrome. However, you can switch to the "less fancy" plaintext <textarea> field from your user control panel, i.e. http://www.pinballnirvana.com/forums/profile.php?do=editoptions , using the option all the way at the bottom that's labeled "Message Editor Interface", which will help you not to run into this again.

Either way, this isn't a security issue in Firefox, and vBulletin 3.8.9 has been unsupported for some years, so I'm closing this as invalid and opening this up.

Group: firefox-core-security
Last Resolved: 2 years ago
Resolution: --- → INVALID

(In reply to :Gijs Kruitbosch from comment #2)
> vBulletin 3.8.9 has been unsupported for some years

I specifically mean: http://www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/4091944-vbulletin-3-8-9 . It seems vBulletin themselves no longer support 3.8. It's possible that the issues you're seeing might be fixed on newer versions of the forum software.