HTML abuse in PMs

[Eranian]

Earlier today I received a few PMs with download links embedded in <img> HTML tags.

The links were to Linux ISOs which were about 4GB each, and Graal tried to automatically download the files when I opened the PM.

I'm concerned because somebody could use the same method to link to more malicious files, and Graal no longer has an option to disable HTML in PMs.

[TSAdmin]

I just heard about this, myself. Even if we had an option to "disable HTML" implemented, now, people who choose not to disable it would be still prone. It wasn't so fun even getting PMs of ACTUAL images, at times, when the image itself was bigger than the PM window. Maybe HTML tags such as IMG need to be entirely removed.

[Eranian]

I like images in HTMLs.

Lucas has been hosting a lot of cool events on Era making excellent use of images in PMs to describe the event and such.

ISO is technically an image format though, except it's an image of an executable so it's not really safe.

If there were some way to limit the img tags to gifs, pngs & jpgs, and maybe even a filesize or image dimensions limit, that'd be nice.

[Admins]

Yes will add a filter to only allow local server files in img tags.

[Rufus]

Quote:

Originally Posted by Stefan

Yes will add a filter to only allow local server files in img tags.

Why would you want to link a local server file as an image in PM?

[Crow]

Quote:

Originally Posted by Rufus

Why would you want to link a local server file as an image in PM?

Basic html or announcing PMs included. We did that on Era last christmas, having a christmas picture somewhere in the file browser we linked to in the news gui. Its useful.

Stefan, I think you should limit external links to ones with no extension, .html, .htm and maybe .php or .phtml.


Edit: And images, of course :o!

[Rufus]

Quote:

Originally Posted by Crow

Basic html or announcing PMs included. We did that on Era last christmas, having a christmas picture somewhere in the file browser we linked to in the news gui. Its useful.

Useful for server staff maybe, but not for players who simply want to embed images into their private messages though.

[xXziroXx]

Afaik, ISO files will NOT execute on their own, ever. I dont know of any program that auto opens them when you download them, and as long as you dont open it, who cares. Just delete it.

And Stefan, making it so only local images can be displayed with IMG tags kinda defeats the purpose of it. How about making a serveroption for "trusted domains" that staff could alter? Sorta like...

trusteddomains=imageshack.com,photobucket.com,graa lonline.com

And so fourth. Just throwing it out there..

[Crow]

Quote:

Originally Posted by Rufus

Useful for server staff maybe, but not for players who simply want to embed images into their private messages though.

True ;f

[Twinny]

Haha Linux pride!

Anyhoo, perhaps just filter out remote files > 2mb (screw BMPs) and to .jpg, .gif and .png.

[DrakilorP2P]

Quote:

Originally Posted by xXziroXx

Afaik, ISO files will NOT execute on their own, ever.

As far as I know, ISO files aren't executable.

Quote:

Originally Posted by Eranian

ISO is technically an image format though, except it's an image of an executable so it's not really safe.

And I'm pretty sure that the files in question are archive files complete with all files and filesystem metadata in order to represent an optical disc.

On the other hand, it's possible to append large files onto a jpg image and <img> tag them.

[Rufus]

You know, PM windows could be so much better. Going a little off topic, but I think PM's would be much better if they used something like BB Code along side a WYSIWYG or standard editor. The current features are pretty hidden, and not everyone knows you can embed images, but why? There probably should be a smileys menu instead of relying on going to the forums, and there should be a list of features somewhere.

Hmm.. heres a quick example mockup..

[Dan]

Nice

[Tigairius]

Quote:

Originally Posted by Twinny

Anyhoo, perhaps just filter out remote files > 2mb (screw BMPs) and to .jpg, .gif and .png.

I agree.

Quote:

Originally Posted by Rufus

Hmm.. heres a quick example mockup..

I think the PM windows should look something like this.

[Admins]

Would be interesting if someone could script that, may be for the start add some "<b>" tags and similar.

For filtering it will allow the npcserver to send any tags, but filter the PMs of players to not allow urls, only local server files.

[SolidSnake989]

But... i'll miss the not straight pr0nz people send out in mass pms

[Admins]

I've added logs for img-tags, will add filters later.

[Admins]

Update: it seems the img-tag it is almost always used for displaying event screenshots or similar. So it might be better to only filter out bad file extensions (only allow png, jpg etc.) and add a check in the next Graal version to not download big files.

[Crow]

Quote:

Originally Posted by Stefan

Update: it seems the img-tag it is almost always used for displaying event screenshots or similar. So it might be better to only filter out bad file extensions (only allow png, jpg etc.) and add a check in the next Graal version to not download big files.

Somewhat similar to what I said. Yep, would be cool.

[Admins]

The filter is now active, and sends an admin message if there is an illegal img-tag. I've also banned someone for 3 days for sending iso-links. If there are any problems with the filter then please tell me.

[Rufus]

Quote:

Originally Posted by Stefan

The filter is now active, and sends an admin message if there is an illegal img-tag. I've also banned someone for 3 days for sending iso-links. If there are any problems with the filter then please tell me.

I've just tested it with Crono and it doesn't seem to report to RC? It probably should, not sure.

[Admins]

Quote:

Originally Posted by Rufus

I've just tested it with Crono and it doesn't seem to report to RC? It probably should, not sure.

It's not logging to RC, its logging in a central log. Could also display it on normal RC chat if wanted.

[Crow]

Quote:

Originally Posted by Stefan

It's not logging to RC, its logging in a central log. Could also display it on normal RC chat if wanted.

Would be neat

[Luda]

Quote:

Originally Posted by rufus

you know, pm windows could be so much better. Going a little off topic, but i think pm's would be much better if they used something like bb code along side a wysiwyg or standard editor. The current features are pretty hidden, and not everyone knows you can embed images, but why? There probably should be a smileys menu instead of relying on going to the forums, and there should be a list of features somewhere.

Hmm.. Heres a quick example mockup..

bump

[Admins]

Did anyone script something like that already ?

[Rufus]

Quote:

Originally Posted by Stefan

Did anyone script something like that already ?

There was one on Unholy Nation, but it was a little over the top with features and I don't think anyone actually used it because of that.

[Elizabeth]

Quote:

Originally Posted by Rufus

There was one on Unholy Nation, but it was a little over the top with features and I don't think anyone actually used it because of that.

funny, that system actually was abandoned. it was supposed to be like, the next big thing and draw people to the server, but it was shortly ditched. it was supposed to be like a live chat, where you could send youtube videos attached to the chat, and pictures, coloured fonts, etc. you could aslo upload a picture as your avatar. it's still on unholy dev.


it wasn't that great tbh.

[Admins]

Well but I mean is there some improved PM text editor?

[Rufus]

Quote:

Originally Posted by Stefan

Well but I mean is there some improved PM text editor?

I don't think so.

[WhiteDragon]

Stefan, if you give us the name of the scripted PM window GUI objects we could probably do it ourselves.

[cbk1994]

Quote:

Originally Posted by WhiteDragon

Stefan, if you give us the name of the scripted PM window GUI objects we could probably do it ourselves.

I'm sure you could just loop through like this...

PHP Code:

for (temp.control : GUIContainer.controls) {
  echo(control.name SPC "(" @ control.objecttype()  @ ")");
} 


[Admins]

The text of the scripted PM control is not accessible to scripts, so it would be better to try it with normal GuiMLTextEditCtrl and then later give me the code.

[_Zelph]

Quote:

Originally Posted by Elizabeth

funny, that system actually was abandoned. it was supposed to be like, the next big thing and draw people to the server, but it was shortly ditched. it was supposed to be like a live chat, where you could send youtube videos attached to the chat, and pictures, coloured fonts, etc. you could aslo upload a picture as your avatar. it's still on unholy dev.


it wasn't that great tbh.

Elizabeth, you're a weirdo.

The system was never abandoned. I'm just waiting for Stefan to get off his fat butt and release a public graal client that supports external windows

And the current version of GIM makes the old one look like utter crap. Your sentiment is understandable since the old one is the only version you've ever seen.

Here's a recent screenshot:

[Elizabeth]

Quote:

Originally Posted by _Zelph

Elizabeth, you're a weirdo.

The system was never abandoned. I'm just waiting for Stefan to get off his fat butt and release a public graal client that supports external windows

And the current version of GIM makes the old one look like utter crap. Your sentiment is understandable since the old one is the only version you've ever seen.

Here's a recent screenshot:

i lol'd. looks good, though.

[Stephen]

Quote:

Originally Posted by Rufus

Hmm.. heres a quick example mockup..

All that stuff is scripted now, so it should be possible to introduce a better system if I understand correctly.


The whole Graal GUI desperately needs a overhaul and some standards set so servers can also follow them in their own GUIs (settings, etc). Removes unnecessary learning curves and just makes the trivial things less tedious.

[Elizabeth]

i like the current playerlist, i'd rather have it than have people spamming servers up with their size 36 bolded underlined and italics rainbow coloured font. not to mention it's easier for people to mass pictures, masses are going to be spammed with them.

[Admins]

Well people can already do that right now, it's just requiring a little bit more effort

[scriptless]

Hmm. Would be neat to actually filter images properly tho? ".jpg" does not mean the file is a picture at all. It just means the extension is .jpg and the computer then knows what application to use to execute/open/run it. You can make harmfull files and rename them to .jpg. So I think filtering just names would be bad, but filter the images correctly. Check headers or what not to verify them? plz.

Anyone know if JavaScript still works in pm's that was highly abusive and used to be used back in the day to scam the hell out of people on Graal Kingdoms. I had that happen to me with my brothers items many many years ago.

Now I am not saying, "OMG pm's epic fail". I am only saying just because no one has found a way to use an image file for abuse sich as the Gif, Tif, and other overflows that I do remember circulating around the internet years ago. But in the same sence, if you leave your wallet on the floor at walmart and no one steals it does it mean thats a safe place to store your money? Not at all, never assume nothing bad will happen (prevent it) before it happens. Great lesson of life to learn everyone.

[12171217]

If this topic wasn't so old and already pretty much remedied, I would praise your analogy.

[cbk1994]

Would also be great if a limit was placed on animated smilies in PMs. I assume the text ': D' is just being replaced with the image code for when displaying PMs, so it should be easy to only display 10 or so smilies per PM. We had to block , , , , , , , and on Era because they were being massed out and crashing everyone's client when they opened them.