HTML Tags! What's the chance?

and a live cam feed please!

Don't feed the trolls!!!

I don't think that would be a good idea. From a cursory glance at it, the vBulletin HTML sanitisation code might fall some way short of being secure against a variety of nasty attack vectors.

It always surprises me that people think accepting any old HTML is easy; I'm not suggesting that the vBulletin developers think that, but the existence of this thread implies that some people just don't get the risks. For example,

can be FTpWn on IE6 (depending on how it's been patched). Replace that alert(\"XSS\") with something like...well, better not say, but I could probably get the cookies of everybody using such an IE6 installation, log in here as any of them, and say some things in their name that they might not agree with

Cross-site scripting (XSS) is very hard to guard against; even Google, Yahoo!, and Microsoft fall victim to it occasionally. When I was at Y! there was an internal beta that was supposed to have gone through all the internal security reviews, which are unbelievably meticulous. About five minutes after we'd received the email inviting us to try it, my colleague at the next desk burst out laughing and cried "Cross-site scripting in the comments!"

In Y!'s defence, it turned out the project team had made changes after the Paranoids' review; if they hadn't been a bunch of student interns doing a summer project, they would have been summarily dismissed for such a gross breach of security processes. As it was, they learnt that Y! Europe are the ones Y! California have to be wary of

No Nick what I said was "Cross stitching never a dull moment"

Sorry for any misunderstanding

Ah crap, so much for my edit removing his name

Still, I don't suppose he'll ever see this, or care about it if he does

You don't need html tags for images, vBulletin has an [IMG] tag. It just needs to be re-enabled.

C'mon Nick you disappoint me! Shirley you can edit my post quoting your post to remove the offending word.....
Oh but that will still leave the possibility of him deducing the reference from my UserName

Could you edit the CUK database changing all references to my User! (or even just change my UserName)......

Or possibly just leave it!

I'm on a forum which limited what HTML could be used, but allowed the style tag. Someone figured out how to make a post which would change others' avatars, etc.

Another forum I'm on allows you to put arbitrary Flash in your posts/sigs. Hugely annoying and I'm perhaps a gaping security hole too?

Even if it was allowed back, someone would post an offensive image deliberately in order to get it removed.

Not all posters to CUK are altruistic or nice people.