Remove ability for mods to use HTML in announcements
Mod Version: 1.00, by AndrewSimm
| vB Version: 4.2.x | Rating:  (3 votes - 5.00 average) |
Installs: 12 |
| Released: 16 Nov 2013 | Last Update: Never | Downloads: 0 |
 Not Supported
 Re-usable Code
|
||
Currently if someone is able to hack into one your of moderator accounts they could use it to launch a XSS attack since they could select the option to use HTML in announcements.
To fix this open modcp/announcement.php
Change
to
All you are doing is commenting it out. You will need to do this each time you upload a new version of vbulletin.
To fix this open modcp/announcement.php
Change
Code:
print_yes_no_row($vbphrase['allow_html'], 'announcementoptions[allowhtml]', ($announcement['announcementoptions'] & $vbulletin->bf_misc_announcementoptions['allowhtml'] ? 1 : 0));
Code:
//print_yes_no_row($vbphrase['allow_html'], 'announcementoptions[allowhtml]', ($announcement['announcementoptions'] & $vbulletin->bf_misc_announcementoptions['allowhtml'] ? 1 : 0));
Download
No files for download.