Bug 1248002
Opened 8 years ago
Closed 8 years ago
FF is executing HTML code in Forum/New Thread and Edit Post Textareas
Categories: Firefox :: Untriaged, defect
Status: RESOLVED INVALID
People: Reporter: allmmm, Unassigned
Attachments: 1 file (177.18 KB, image/png)
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:44.0) Gecko/20100101 Firefox/44.0
Build ID: 20160210153822

Steps to reproduce:

(1) Go to https://www.youtube.com/watch?v=JbpgM-JTang . Click the Share > Embed links and Copy the iframe embed code for the video.
(2) Log in to a forum that allows posting executable HTML code in a thread post, as a member. For instance, http://www.pinballnirvana.com/forums/forumdisplay.php?f=105 - the one I use.
(3) At the forum, click the "New Thread" button. Enter a Title and Paste the YouTube iframe code in the textarea for your message. This is correct procedure.
(4) After Pasting the YouTube iframe code to the message textarea, click the "Preview Post" button.

Actual results:

When previewing or editing a post at a forum that allows posting executable HTML code in posts, YouTube Player embeds, div tags with CSS inline styles, etc., FF is not showing the text of the code in the textarea editing window. FF instead displays the finished rendered element, the YouTube Player, etc. If the element or src needs correction, you can only delete the element and start over from scratch.

Expected results:

When previewing or editing a forum post that contains executable HTML code, FF should display the text of the code in the textarea editing window and Not Render the finished element in the place of the text. This does not occur in Google Chrome.

Please excuse the odd color scheme in the image file. I am suffering an eye infection atm.
Comment 1•8 years ago (Reporter)
FF may also be executing or removing/blocking HTML code that is posted within CODE or HTML CODE tags at forums. I have seen "missing code" posted within CODE or HTML CODE tags that may be due to the same bug as above.
Comment 2•8 years ago
This is a problem with the vBulletin software that forum is running. It uses a "contenteditable" rich text editor field, where embeddable content like iframes just works - it isn't a textarea. I don't know why it doesn't support such an edit field in Chrome - it's possible that the vBulletin code in question is simply too old to know about Chrome. However, you can switch to the "less fancy" plaintext <textarea> field from your user control panel, i.e. http://www.pinballnirvana.com/forums/profile.php?do=editoptions , using the option all the way at the bottom that's labeled "Message Editor Interface", which will help you not to run into this again.

Either way, this isn't a security issue in Firefox, and vBulletin 3.8.9 has been unsupported for some years, so I'm closing this as invalid and opening this up.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
Comment 3•8 years ago
(In reply to :Gijs Kruitbosch from comment #2)
> vBulletin 3.8.9 has been unsupported for some years

I specifically mean: http://www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/4091944-vbulletin-3-8-9 . It seems vBulletin themselves no longer support 3.8. It's possible that the issues you're seeing might be fixed on newer versions of the forum software.