• The TMF is sponsored by Clips4sale - By supporting them, you're supporting us.
  • >>> If you cannot get into your account email me at [email protected] <<<
    Don't forget to include your username

The TMF is sponsored by:

Clips4Sale Banner

Isn't it time to let the Devil back in?

F

Fat Bastard

1st Level Orange Feather
Joined
Jun 25, 2008
Messages
2,167
Points
36
The Devil's tag, that is ...

I'm sure everyone here has seen this notification from youtube:



If Wikifeet (of all places) and the rest of the world allow iframe tags to embed clips, why can't we?

Is the forum software still vulnerable to obfuscated iframe injection attack, or is it a religious thing?
 
The software is still vulnerable to it, as far as I know.
 
Anytime you let an iframe be entered by users, you put yourself at risk. No site can protect itself entirely, as they do not control the content of the iframe. Whether forum owners allow it depends on their paranoia, but considering that we have had some ne'er-do-wells use iframes for things ranging from annoying trickery to stuff which broke the threads they were in, I doubt they are coming back.
 
Thanks for the reply HDS, but I'm still a bit confused. Are you saying a site as popular as Wikifeet is open to an iframe attack? All the embedded clips are in the user comments section, so I assume it's the same level of risk you described. I can't tell if Wikifeet uses vBulletin, but I doubt they would allow themselves to be that vulnerable.
 
Iframes let content from somewhere else (can be the same site, but also any other site) be posted. The site owner has no way to police that. They are certainly vulnerable. They have chosen to take on that risk, which is their choice. I've not seen the site, so I have no idea if they implemented some sort of complex countermeasure, but if they are allowing users to post Iframe content of their own creation, it is a risk. If your users do not do bad things, it will likely not be an issue, but as I said, we have had some nefarious posters, so we definitely will never allow it.
 
I was thinking of a more controlled use, so we could embed and view Youtube content directly. Currently your Youtube tags create an embedded flash object. Could you not validate the Youtube URL and create an iframe object as pictured below? This way users cannot just embed from any URL and we would see a clean clip instead of redirect messages all over the forum.
 

Attachments

  • Capture2.PNG
    Capture2.PNG
    8.9 KB · Views: 6
That is possible to do. If the forum software generates the iframe from specific content (YouTube being an example), then it is reasonably safe practice, as the poster does not have control of the content.

Unfortunately, what that requires is someone (me) to write a new BBCode for YouTube videos. I'll take a stab at it and see if I can get one of the examples out there to work, but the age of our forum software does make that complicated. No guarantees.
 
Now I remember why we did not do it this way. The censor that blocks iframe code also blocks BBCode iframes, so this is not possible. Sorry to disappoint. If some of our users were not so malicious, we would not have to be so careful.
 
Thanks for the explanation HDS, and no worries. The fact that the TMF is closing in on twenty years is amazing enough. No need to spend another minute on this minor aesthetic issue.
 
You must log in or register to reply here.
What's New

4/16/2024
Clips4Sale is the webs largest site to buy fetish clips! Visit today.
Tickle Experiment
Door 44
NEST 2024
Register here
The world's largest online clip store

Live Camgirls!
Live Camgirls
Streaming Videos
streaming tickling videos on demand at the TMF!
Tickling videos on demand!
Pic of the Week
Pic of the Week
Congratulations to
*** brad1701 ***
 The winner of our weekly Trivia, held every Sunday night at 11PM EST in our Chat Room
Back
Top