HTML abuse in PMs
Earlier today I received a few PMs with download links embedded in <img> HTML tags.
The links were to Linux ISOs which were about 4GB each, and Graal tried to automatically download the files when I opened the PM. I'm concerned because somebody could use the same method to link to more malicious files, and Graal no longer has an option to disable HTML in PMs.
I just heard about this, myself. Even if we had an option to "disable HTML" implemented now, people who choose not to disable it would still be prone. It wasn't so fun even getting PMs of ACTUAL images, at times, when the image itself was bigger than the PM window. Maybe HTML tags such as IMG need to be entirely removed.
I like images in HTMLs.
Lucas has been hosting a lot of cool events on Era making excellent use of images in PMs to describe the event and such. ISO is technically an image format though, except it's an image of an executable so it's not really safe. If there were some way to limit the img tags to gifs, pngs & jpgs, and maybe even a filesize or image dimensions limit, that'd be nice.
Yes, will add a filter to only allow local server files in img tags.
Stefan, I think you should limit external links to ones with no extension, .html, .htm and maybe .php or .phtml. Edit: And images, of course :o!
Afaik, ISO files will NOT execute on their own, ever. I don't know of any program that auto-opens them when you download them, and as long as you don't open it, who cares. Just delete it.
And Stefan, making it so only local images can be displayed with IMG tags kinda defeats the purpose of it. How about making a serveroption for "trusted domains" that staff could alter? Sorta like... trusteddomains=imageshack.com,photobucket.com,graalonline.com and so forth. Just throwing it out there..
Haha Linux pride!
Anyhoo, perhaps just filter out remote files > 2mb (screw BMPs) and to .jpg, .gif and .png.
On the other hand, it's possible to append large files onto a jpg image and <img> tag them.
You know, PM windows could be so much better. Going a little off topic, but I think PMs would be much better if they used something like BB Code alongside a WYSIWYG or standard editor. The current features are pretty hidden, and not everyone knows you can embed images, but why? There probably should be a smileys menu instead of relying on going to the forums, and there should be a list of features somewhere.
Hmm.. here's a quick example mockup..
Nice ;)
Would be interesting if someone could script that, maybe for a start add some "<b>" tags and similar.
For filtering it will allow the npcserver to send any tags, but filter the PMs of players to not allow URLs, only local server files.
But... I'll miss the not straight pr0nz people send out in mass PMs :cry::cry::cry::cry::cry::cry::cry:
I've added logs for img-tags, will add filters later.
Update: it seems the img-tag is almost always used for displaying event screenshots or similar. So it might be better to only filter out bad file extensions (only allow png, jpg etc.) and add a check in the next Graal version to not download big files.
The filter is now active, and sends an admin message if there is an illegal img-tag. I've also banned someone for 3 days for sending iso-links. If there are any problems with the filter then please tell me.
Did anyone script something like that already?
it wasn't that great tbh.
Well but I mean is there some improved PM text editor?
Stefan, if you give us the name of the scripted PM window GUI objects we could probably do it ourselves.
The text of the scripted PM control is not accessible to scripts, so it would be better to try it with normal GuiMLTextEditCtrl and then later give me the code.
The system was never abandoned. I'm just waiting for Stefan to get off his fat butt and release a public graal client that supports external windows ;) And the current version of GIM makes the old one look like utter crap. Your sentiment is understandable since the old one is the only version you've ever seen. Here's a recent screenshot: http://dragonstrength.com/gim_vis_ss1.jpg
The whole Graal GUI desperately needs an overhaul and some standards set so servers can also follow them in their own GUIs (settings, etc). Removes unnecessary learning curves and just makes the trivial things less tedious.
I like the current playerlist, I'd rather have it than have people spamming servers up with their size 36 bolded underlined and italics rainbow coloured font. Not to mention it's easier for people to mass pictures; masses are going to be spammed with them.
Well people can already do that right now, it's just requiring a little bit more effort :)
Hmm. Would be neat to actually filter images properly tho? ".jpg" does not mean the file is a picture at all. It just means the extension is .jpg and the computer then knows what application to use to execute/open/run it. You can make harmful files and rename them to .jpg. So I think filtering just names would be bad, but filter the images correctly. Check headers or whatnot to verify them? plz.
Anyone know if JavaScript still works in PMs? That was highly abusive and used to be used back in the day to scam the hell out of people on Graal Kingdoms. I had that happen to me with my brother's items many many years ago. Now I am not saying, "OMG PMs epic fail". I am only saying just because no one has found a way to use an image file for abuse such as the Gif, Tif, and other overflows that I do remember circulating around the internet years ago. But in the same sense, if you leave your wallet on the floor at Walmart and no one steals it, does it mean that's a safe place to store your money? Not at all, never assume nothing bad will happen (prevent it) before it happens. Great lesson of life to learn everyone.
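The filter discussed in this thread (local server files or a staff-editable trusted-domains list, png/jpg/gif only, a 2 MB cap) and the "check headers, not just the extension" point above, written out as an added Python illustration. This is not Graal's own filter or GScript; the trusted-domains list and the sample PM bodies are assumptions/constructed for the example.

```python
import posixpath
import re
from urllib.parse import urlparse

# Policy values: the extension list and 2 MB cap come from the thread; the
# trusted-domains allowlist is an assumption standing in for a serveroption.
TRUSTED_DOMAINS = {"graalonline.com"}
ALLOWED_EXTS = {".png", ".jpg", ".jpeg", ".gif"}
MAX_BYTES = 2 * 1024 * 1024

# Magic bytes for the allowed formats: an extension proves nothing about the content.
MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")

IMG_SRC = re.compile(r"<img\b[^>]*?\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)


def src_allowed(src: str) -> bool:
    """Server-side policy for one img src in a player's PM."""
    u = urlparse(src)
    if u.scheme and u.scheme not in ("http", "https"):
        return False  # data:, file:, javascript: and similar schemes are never images we want
    if u.netloc:
        host = u.hostname or ""
        if not any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
            return False  # remote file, but not on a trusted domain
    elif u.path.startswith("/") or ".." in u.path:
        return False  # "local server file" means relative to the server's file tree only
    return posixpath.splitext(u.path)[1].lower() in ALLOWED_EXTS


def find_illegal_imgs(pm_html: str) -> list:
    """Every img src that violates the policy; non-empty means 'send the admin message'."""
    return [s for s in IMG_SRC.findall(pm_html) if not src_allowed(s)]


def looks_like_image(data: bytes) -> bool:
    """Client-side check before rendering: size cap plus magic-byte validation."""
    if len(data) > MAX_BYTES:
        return False
    return any(data.startswith(m) for m in MAGIC)


if __name__ == "__main__":
    # Constructed PM body: one event screenshot, one ISO link of the kind reported above.
    pm = '<img src="levels/event.png"> <img src="http://example.com/ubuntu.iso">'
    print(find_illegal_imgs(pm))  # ['http://example.com/ubuntu.iso']
```

Note that a src such as `http://graalonline.com/payload.exe.jpg` passes the name-based policy, which is exactly why the client still has to apply `looks_like_image` to the bytes it actually receives.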
If this topic wasn't so old and already pretty much remedied, I would praise your analogy.
Would also be great if a limit was placed on animated smilies in PMs. I assume the text ': D' is just being replaced with the image code for :D when displaying PMs, so it should be easy to only display 10 or so smilies per PM. We had to block :D, :spam:, :cry:, :rolleyes:, !pissed!, :asleep:, :confused:, and :megaeek: on Era because they were being massed out and crashing everyone's client when they opened them.