Graal Forums

Graal Forums (https://forums.graalonline.com/forums/index.php)
-   Bug Report (https://forums.graalonline.com/forums/forumdisplay.php?f=193)
-   -   HTML abuse in PMs (https://forums.graalonline.com/forums/showthread.php?t=79364)

Eranian 04-10-2008 02:03 PM

HTML abuse in PMs
 
Earlier today I received a few PMs with download links embedded in <img> HTML tags.

The links were to Linux ISOs which were about 4GB each, and Graal tried to automatically download the files when I opened the PM.

I'm concerned because somebody could use the same method to link to more malicious files, and Graal no longer has an option to disable HTML in PMs.

TSAdmin 04-10-2008 02:11 PM

I just heard about this, myself. Even if we had an option to "disable HTML" implemented, now, people who choose not to disable it would still be prone. It wasn't so fun even getting PMs of ACTUAL images, at times, when the image itself was bigger than the PM window. Maybe HTML tags such as IMG need to be entirely removed.

Eranian 04-10-2008 02:35 PM

I like images in HTMLs.

Lucas has been hosting a lot of cool events on Era making excellent use of images in PMs to describe the event and such.

ISO is technically an image format though, except it's an image of an executable so it's not really safe.

If there were some way to limit the img tags to gifs, pngs & jpgs, and maybe even a filesize or image dimensions limit, that'd be nice.

Admins 04-10-2008 02:55 PM

Yes will add a filter to only allow local server files in img tags.

Rufus 04-10-2008 03:04 PM

Quote:

Originally Posted by Stefan (Post 1385162)
Yes will add a filter to only allow local server files in img tags.

Why would you want to link a local server file as an image in PM? x_x

Crow 04-10-2008 03:16 PM

Quote:

Originally Posted by Rufus (Post 1385164)
Why would you want to link a local server file as an image in PM? x_x

Basic HTML or announcing PMs included. We did that on Era last Christmas, having a Christmas picture somewhere in the file browser we linked to in the news GUI. It's useful.

Stefan, I think you should limit external links to ones with no extension, .html, .htm and maybe .php or .phtml.


Edit: And images, of course :o!

Rufus 04-10-2008 03:38 PM

Quote:

Originally Posted by Crow (Post 1385166)
Basic HTML or announcing PMs included. We did that on Era last Christmas, having a Christmas picture somewhere in the file browser we linked to in the news GUI. It's useful.

Useful for server staff maybe, but not for players who simply want to embed images into their private messages though.

xXziroXx 04-10-2008 03:57 PM

Afaik, ISO files will NOT execute on their own, ever. I don't know of any program that auto-opens them when you download them, and as long as you don't open it, who cares. Just delete it.

And Stefan, making it so only local images can be displayed with IMG tags kinda defeats the purpose of it. How about making a serveroption for "trusted domains" that staff could alter? Sorta like...

trusteddomains=imageshack.com,photobucket.com,graalonline.com

And so forth. Just throwing it out there..

Crow 04-10-2008 04:12 PM

Quote:

Originally Posted by Rufus (Post 1385167)
Useful for server staff maybe, but not for players who simply want to embed images into their private messages though.

True ;f

Twinny 04-10-2008 04:24 PM

Haha Linux pride!

Anyhoo, perhaps just filter out remote files > 2mb (screw BMPs) and to .jpg, .gif and .png.

DrakilorP2P 04-10-2008 04:49 PM

Quote:

Originally Posted by xXziroXx (Post 1385168)
Afaik, ISO files will NOT execute on their own, ever.

As far as I know, ISO files aren't executable.

Quote:

Originally Posted by Eranian (Post 1385161)
ISO is technically an image format though, except it's an image of an executable so it's not really safe.

And I'm pretty sure that the files in question are archive files complete with all files and filesystem metadata in order to represent an optical disc.

On the other hand, it's possible to append large files onto a jpg image and <img> tag them.

Rufus 04-10-2008 05:05 PM

1 Attachment(s)
You know, PM windows could be so much better. Going a little off topic, but I think PMs would be much better if they used something like BB Code alongside a WYSIWYG or standard editor. The current features are pretty hidden, and not everyone knows you can embed images, but why? There probably should be a smileys menu instead of relying on going to the forums, and there should be a list of features somewhere.

Hmm.. here's a quick example mockup..

Dan 04-10-2008 05:07 PM

Nice ;)

Tigairius 04-10-2008 05:50 PM

Quote:

Originally Posted by Twinny (Post 1385170)
Anyhoo, perhaps just filter out remote files > 2mb (screw BMPs) and to .jpg, .gif and .png.

I agree.
Quote:

Originally Posted by Rufus (Post 1385172)
Hmm.. here's a quick example mockup..

I think the PM windows should look something like this.

Admins 04-10-2008 05:50 PM

Would be interesting if someone could script that, maybe for the start add some "<b>" tags and similar.

For filtering it will allow the npcserver to send any tags, but filter the PMs of players to not allow urls, only local server files.
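The thread converges on a few filter rules for `<img>` tags in player PMs: only local server files (Stefan), or alternatively a whitelist of image extensions and a size cap (Twinny) on a list of trusted domains (xXziroXx), with the npcserver exempt and DrakilorP2P's point that an allowed extension says nothing about file size. The following is an added illustration written for this page, not Graal's client or server code: a small Python sanitizer that applies all of those rules to the HTML of a PM. The trusted-domain list and 2 MB cap are taken from the posts above as illustrative values; the `remote_size_lookup` callback, the `SAMPLE_SIZES` table and the sample PM are constructed stand-ins for what a real deployment would obtain from a HEAD request.

```python
import re
from posixpath import normpath, splitext
from urllib.parse import urlparse

# Policy values taken from the thread's suggestions (Twinny's 2 MB cap,
# xXziroXx's trusted-domains list); illustrative, not Graal's real settings.
ALLOWED_EXTENSIONS = {".gif", ".png", ".jpg", ".jpeg"}
TRUSTED_DOMAINS = {"imageshack.com", "photobucket.com", "graalonline.com"}
MAX_REMOTE_BYTES = 2 * 1024 * 1024

IMG_TAG = re.compile(r"<img\b[^>]*>", re.IGNORECASE | re.DOTALL)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)


def extract_src(tag):
    """Return the src attribute of one <img ...> tag, or None if it has none."""
    m = SRC_ATTR.search(tag)
    if not m:
        return None
    return next(g for g in m.groups() if g is not None).strip()


def host_is_trusted(host):
    """True for a trusted domain or any of its subdomains (img.photobucket.com)."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_img_src(src, sender_is_npcserver=False, remote_size_lookup=None):
    """Decide whether an image source may be rendered in a PM.

    Returns (allowed, reason). The npcserver is exempt, as the last post in the
    thread proposes; a player's image must be a local server file, or sit on a
    trusted host, carry an image extension, and stay under the size cap.
    """
    if sender_is_npcserver:
        return True, "npcserver is trusted"
    if not src:
        return False, "missing src"
    parts = urlparse(src)
    ext = splitext(parts.path)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed: %r" % ext
    if parts.scheme == "" and parts.netloc == "":
        # Local server file: a plain relative path with no traversal component.
        if src.startswith("/") or normpath(src) != src or ".." in src.split("/"):
            return False, "local path must be relative and free of traversal"
        return True, "local server file"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed: %r" % parts.scheme
    if not host_is_trusted(parts.hostname or ""):
        return False, "host not trusted: %r" % parts.hostname
    # An allowed extension is not a size bound (data can be appended to a valid
    # jpg), so the remote size is checked independently of the file name.
    size = remote_size_lookup(src) if remote_size_lookup else None
    if size is None:
        return False, "remote size unknown"
    if size > MAX_REMOTE_BYTES:
        return False, "remote file too large: %d bytes" % size
    return True, "trusted remote image"


def sanitize_pm(html, sender_is_npcserver=False, remote_size_lookup=None):
    """Replace every disallowed <img> tag in a PM with a visible placeholder."""
    def repl(m):
        tag = m.group(0)
        ok, reason = check_img_src(extract_src(tag), sender_is_npcserver, remote_size_lookup)
        return tag if ok else "[image removed: %s]" % reason
    return IMG_TAG.sub(repl, html)


# Constructed stand-in for a HEAD request: URL -> Content-Length in bytes.
SAMPLE_SIZES = {
    "http://img.photobucket.com/event.jpg": 180_000,
    "http://img.photobucket.com/padded.jpg": 4_000_000_000,
}


def sample_size_lookup(url):
    return SAMPLE_SIZES.get(url)


# Constructed PM mixing an event banner, the 4 GB ISO case from the first post,
# and a local server file of the kind Crow describes.
SAMPLE_PM = (
    'Event tonight! <img src="http://img.photobucket.com/event.jpg"> '
    '<img src="http://mirror.example.org/linux.iso"> '
    '<img src="levels/christmas.png">'
)

if __name__ == "__main__":
    print(sanitize_pm(SAMPLE_PM, remote_size_lookup=sample_size_lookup))
```

The checks run in the order the posts suggest them, so the reason string tells staff which rule fired. Protocol-relative sources such as `//host/x.jpg` are rejected because they parse with a host but no scheme, and the size check rejects an unknown size rather than assuming it is small, which is what stops a padded jpg of the kind DrakilorP2P describes.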

