unable to add images to register questions

[aasjpvm]

After mybb 1815 release, the security questions enable to add html, I use it to add images in the questions, if it was by security reasons, will be a good feature to add bbcode support instead of html, to support the image questions:

Before 1815:

After 1815:

The code added was:

[Eldenroot]

It is not a regression at all... it is safer right now after this change... anyway I see your point, maybe we can find another way.

[aasjpvm]

The easiest way that I see is to add a parser to render bbcode like with the normal post, it permit more dynamic in this option, like add images, different font type/size/position/weight.
I can collaborate making that change and posting here if you want, it add the same properties that I need without resting the security that was added with the version change mentioned.

[Eldenroot]

Feel free to open a pull request

[euantorano]

Using the parser would probably be the best option, the other option would be my_strip_tags.

[Eldenroot]

@aasjpvm - will you open a PR with fix?

Parser would be the best way how to solve this.

[Eldenroot]

We can use this regular expression:
(?i)<(?!img|/img).*?>

to replace all html and keep img tag
html.replaceAll('(?i)<(?!img|/img).*?>', '');

[MinusPL]

https://i.imgur.com/bQyvFcW.png
Seems to be working with parser. Most likely it would be nice to add few settings to ACP to let people choose what kind of parsing in questions should be possible tough, @euantorano what do you think? Add few settings for parser in registration form or just make this options constant and don't let people change them?

[euantorano]

I'd probably just hard code it. We don't need to support every option:

• No support for /me (obviously)
• No support for HTML
• No highlight
• Probably no bad word filtering since only admins can use it?

[MinusPL]

Yeah, I actually allowed all mycodes and img ones, still considering is video code is actually needed but most likely not. But for people when it is merged it would be nice to say exactly what they can use and what not in questions. For now I'll update my code with things I actually did and maybe soon create pull request.

[laietechie]

As previously mentioned, only admins can write security questions, why do we need to forbid html? If going with BB Code, why do we need to limit any tags at all?

[MinusPL]

Consider iframe as security problem. If you add source from unknow place and it uses something weird, then you also have this on your registration form. But that's my point of view, and that's why I actually tried attaching here parser.

[euantorano]

The reason for limiting the ones I listed are:

• /me: No user logged in on register (obviously), so the code can't be used
• HTML: We blocked HTML which caused this issue in the first place
• Highlight: Only used for search results
• Bad word filtering: Only admins can manage security questions. If they wish to cuss/swear, then they probably don't have a beadwork filter in place for it

@MinusPL video code probably isn't needed, but there might be somebody out there with a question like Name the character at 1:32 in the below video or something I guess...

[MinusPL]

Then I'll enable it, but looking how it would be parsed, It could completely destroy any spacing in register form, but I'll test it ;)

I'll also allow smilies, when we are giving people a way to actually customize more questions then smilies are needed :D

[dvz]

As previously mentioned, only admins can write security questions, why do we need to forbid html? If going with BB Code, why do we need to limit any tags at all?

see https://community.mybb.com/thread-219334-post-1312214.html#pid1312214; I'd consider HTML parsing for security questions controversial too as some might interpret that simply as a feature. Adding elements like <iframe>s might make sense in some cases as well.

IMO MyCode as a replacement sounds good.

[MinusPL]

Also I ran to another issue - simply security questions might require more space in database now - considering that with MyCodes they could become pretty "big" in terms of text data I ran twice to an error saying that my question is too big.