All input coming from the MyBB server/pages should be sanitized in case the server gets compromised.
Fix #1617 Sanitize input from MyBB server
Can I seriously suggest you add a setting or config option (Disable Version Checking) to remove the call to MyBB? That or just make it so a button on the admin index for "Update Info" to manually grab the info.
It should work when you disable the version check task (1.8)
@JN-Jones news and plugins and all the other stuff is still loaded in that case 😉
@labrocca Is that really needed when we make entirely sure no external code can be injected?
Only if you click on the specific link, nothing is loaded automatically then anymore.
I don't see how adding the option would would hurt. It doesn't exactly take much effort. Could even just put it in config.php rather than putting it through the main settings system...
I see in 1.8 a version check task was added. That does help to resolve the issue.
The fixes for browsing mods and themes don't work. The links to the author no display HTML and the download links are broken.
Fixes #1617 Sanitize input coming from MyBB server
@Stefan-ST thanks I will test your PR later when I get home.