
testing, bug-hunting, and finding exploits


Comments

  • dabelgrave Posts: 83 Arc User
    > @tehbubbaloo said:
    > I know that both lithium and jive provide a dedicated tech on-hand to undertake the setup, import, and transition into their environments. Doesn't vanilla do the same? If not, I am kind of shocked!

    According to Vanilla: In most cases, we can import all the data from your existing forum to Vanilla. This includes passwords, images, emoticons, uploaded files, private messages, banned users, and more. We will also work with you to ensure that your SEO ranking is maintained and that any key functionality is preserved. (http://vanillaforums.com/resources/migration)

    I expect Trendy and the other CMs are working closely with Vanilla on this. What I am more interested in is what Vanilla features we're going to get: http://vanillaforums.com/info/plugins and if we're going to hit the page view limits mentioned in http://vanillaforums.com/plans
  • asterelle Posts: 368 Arc User
    > @dabelgrave said:
    > if we're going to hit the page view limits mentioned in http://vanillaforums.com/plans

    Hmm, well PWI has had about 3m posts over 6 years with roughly 500 views for every post which works out to 20m views per month. Even if PWI is only say 1/3 as active as its average that's still 7m views a month for one game. I'm assuming though a lot won't transition to the new forum so that would be like 4m views a month.

    Start including other big name titles like Neverwinter and STO and that's probably getting close to 20m (I think those games are more healthy than PWI atm). Throw in the other 8 games being migrated like Forsaken World and Jade Dynasty plus the 4 or 5 that are already here and it should be probably around 25m monthly views or so.

    I'm sure they have worked out a pricing deal with vanillaforum though.
  • asterelle Posts: 368 Arc User
    edited May 2015
    <a href="javascript:alert('Are they going to let you do this?')">Testing an idea I had</a>
    <a href="http://pwi-forum.perfectworld.com">Ehh I guess it didn't work.</a>
    Wait so we can't do formatting <b>at all</b> anymore? #sadface
    Post edited by asterelle on
  • genjutsu Posts: 1
    Lots of craziness in this thread.
    <a href="javascript:alert('really?')">Testing</a> - <a href="http://www.arcgames.com/en/forums#/profile">Links work or not?</a>

    <img src="http://i.imgur.com/vtubTRw.png>
  • gulberat Posts: 400 Arc User
    I actually would not be surprised if the CM's are not stripping out all the code in this thread right now, so they have an example to point to, to whoever they are working with on fixing this and/or determining if this is really the right forum solution.

    Christian Gaming Community Fleets--Faith, Fun, and Fellowship! See the website and PM for more. :-)
    Proudly F2P.  Signature image by gulberat. Avatar image by balsavor.deviantart.com.
  • nrglg Posts: 347 Arc User
    edited May 2015
    I don't think they've fixed anything yet...just a bandage that doesn't really work, at least not against people like me. If I said how to do it, you'd all be stunned how stupidly simple it was.

    GAME FORUMS (Direct Link & Arc Frame)
    Hub | Arc | PWI | FW | NW | STO | SO | BLR | JD | BOI | CO | WOI
    Hub | Arc | PWI | FW | NW | STO | SO | BLR | JD | BOI | CO | WOI
    Forum Enhancements and Visual Improvements
    (Greasemonkey/Tampermonkey and/or Stylish required)
    PWI vBulletin Forum Data Dumps and Backups
  • asterelle Posts: 368 Arc User
    I'll take a guess on how you did it
  • nrglg Posts: 347 Arc User
    edited May 2015
    Ha ha ha. Well then. I suppose it was a good idea for them to take more time to sort this out, because clearly removing the graphical elements to the text box stopped nothing.
    Post edited by nrglg on

  • dabelgrave Posts: 83 Arc User
    edited May 2015
    <p style="background-color:#006600;">So typing <span style="color#ff0000;">html</span> formatting still works?</p>
    Post edited by dabelgrave on
  • nrglg Posts: 347 Arc User
    edited May 2015
    Yes it does. Although I won't share how to do it right now as they are attempting to fix it. If after they supposedly fix it, I can still do it, then I will share how so that they can deal with it.
    Post edited by nrglg on

  • asterelle Posts: 368 Arc User
    I'm not convinced they know what the issue is and it's not like anyone is really using this forum atm.

    @dabelgrave: All they did was remove the wysiwyg editor from the client. If you remember that editor had a toggle button on it that switched modes from text to html and it defaulted to text. As far as the server is concerned you are still allowed to type in html as long as you switch modes on the browser client first.

    That can be done easily through the DOM inspector or with the javascript console (from the hosted site, not iframe): $('#Form_Format').val('html')

    The fact that anyone would think about modifying the web client instead of adding proper restrictions on the server-side is a little troubling.
  • dabelgrave Posts: 83 Arc User
    edited May 2015
    I thought it was something like that, but it's just a little bit beyond me at the moment so easy a Pakled could do it.
    Post edited by dabelgrave on
  • sheydrale Posts: 1 Arc User
    edited May 2015
    Hey guys and gals,

    It's weird to see our next new forum. But meanwhile I'm confident that this will be great after migration!

    So now, let me see and test our (normal) options/features ... Here we go!


    Color [BBC/Hexacode]
    [COLOR="#800000"]Color[/Color]

    Color [HTML/Hexacode]
    <font color="#800000"> Color </font>

    Color [HTML/Colorname]
    <font color="blue">Blue</font>

    Color [BBC/Colorname]

    [color=yellow]Gelb[/color]


    BBC Size
    [SIZE=1] Size 1 [/Size]


    Sub:
    H[sub]2[/sub]O

    Sup:
    [sup]Up[/sup]

    Tooltip:
    [tooltip text="Here your advert could appeare soon!"]Here your advert could appeare soon![/tooltip]


    Fonttype [HTML]

    <p><b>b</b></p>
    <p><strong>strong</strong></p>
    <i>i</i>
    <em>em</em>


    Fonttype [BBC]

    [B]b[/B]



    Oh well, works fine. *laugh*
    Post edited by sheydrale on
  • nynik Posts: 1,563 Arc User
    Just testing if the signature works. I think it is appropriate.

  • xtern1ty Posts: 864 Arc User
    @dabelgrave, nice of you to post links. :)

    Those new security features are cool, though they probably won't deploy SSL or encryption for a mere forum :( (it's usually reserved for banks, corporate use, etc..)... the multilingual, troll marking, tagging and group features sound useful also. Might bring some confusion though if admins sign in as real members as it says under the spoof feature. AKISMET spam blocking sounds like a must.

    As for some of the html customizations tested in this thread, looks like it may be part of the features this comes with - see http://vanillaforums.com/info/plugins under HTML and CSS control. If so our devs should be able to tell Vanilla what they want or don't and their coders modify accordingly.

    a few tests below:

    {@}

    <div style="position:right; background-color:#000ff;"><style="font-size:35px;font-weight:italic;">styletest</style></div>

    <style="color:#000ff">colortest</style>

    below probably won't show? :

    <span class="VideoWrap"><span class="Video YouTube" data-youtube="youtube-qyou27LvCQw?autoplay=1"><span class="VideoPreview"><a href="//www.youtube.com/watch?v=9TcNY4a1GL4"><img src="//img.youtube.com/vi/qyou27LvCQw/0.jpg" width="640" height="385" border="0"></a></span><span class="VideoPlayer"></span></span></span>
    [img][/img]hcSfM9O.gif
  • dabelgrave Posts: 83 Arc User
    > @xtern1ty said:
    > dabelgrave, nice of you to post links. :)

    Yeah, the spoofing by mods mentioned in the features kinda bothers me. I can't speak for anyone else, but it would bother me to be impersonated, not that there's a big chance that it would actually happen.

    As for the html/css, they more or less just removed the editor controls without changing the form. I now have a greater understanding of the major concerns I've been hearing about these forums.

  • xtern1ty Posts: 864 Arc User
    > @dabelgrave said:
    >
    > Yeah, the spoofing by mods mentioned in the features kinda bothers me. I can't speak for anyone else, but it would bother me to be impersonated, not that there's a big chance that it would actually happen.


    Agreed, don't think there's much to worry on that. Security and spam/troll control should be of more urgent concern.

    They will probably return the controls as soon as they're finished fixing.

    I haven't heard any indication yet on signature image size, whether same as the one in sto or not. There it is 500x150 and 50kb limit I believe. Would be nice to upload a little bigger file size than that though.
  • gulberat Posts: 400 Arc User
    I think that there is a way to get everything set up properly, but if what I am reading is correct, it will require Vanilla staff to work with PWE, and PWE cannot do it alone. Considering that LaughingTrendy slammed the brakes on the migration heading into the weekend, I think we need to be patient and let her (and the other CM's) have adequate time to work things out between PWE and Vanilla, as there may be some back-and-forth that has to happen before go-live.

  • mrmusi Posts: 24 Arc User
    edited May 2015
    It seems they've "fixed" a few things. But with the move scheduled for tomorrow, I doubt it will be good enough.

    Oh and <Insert Test Here>.

    Edit1: RIP Arrow brackets. And more testing. Oh that's nice, I like having a red name. You know, confusing everyone who thinks red name => admin (not usually a bad assumption).

    Edit2: Purple > Red, but the danger of changing a name's properties still exists.

    Edit3: Just checking some more signature stuff.
    Post edited by mrmusi on
    As I get better and better gear I find that skill is worth a lot more. Frankly, seeing a +12 person who seems to not know how to use a genie is disgusting.

    Oh well, why not check out my PWI Toon?
  • nrglg Posts: 347 Arc User
    edited May 2015
    They delayed the move and nothing has been fixed. Absolutely Nothing Yet!

    You can read about the delay here: http://www.arcgames.com/en/arc-news/detail/9222813-announcement%3A-portal-wide-migration-changes
    Post edited by nrglg on

  • gulberat Posts: 400 Arc User
    edited May 2015
    Like I said, I'm pretty sure the proper fix here will require collaboration between PWE and Vanilla staffs, and without that, I don't think you will see any real changes.

  • krittycat Posts: 4,187 Community Moderator
    Hmm... gotta say, some of the things being pointed out are pretty glaring. Hopefully they have a way of easily distinguishing Admins/Mods that can't be mimicked by simple format editing. =/
  • nrglg Posts: 347 Arc User
    > gulberat said:
    > Like I said, I'm pretty sure the proper fix here will require collaboration between PWE and Vanilla staffs, and without that, I don't think you will see any real changes.

    I know that. That's why I said way above I didn't want anyone to know how I was bypassing their visual "fixes." I'm also waiting to see the real fixes, which they have no timeline on I noticed...

  • nrglg Posts: 347 Arc User
    edited May 2015
    I found how they could fix it. It's literally a small configuration change. It took me all of 7/8 minutes to find it, including the time it took to go and get the vanilla forums source. This must be some sort of joke.

    For those interested, here are the format types supported (they all work right now): Html, Wysiwyg, Markdown, BBCode, Text

    To PWE, here's the fix for free:
    // Insert this somewhere in your configuration file
    $Configuration = true;

    Change this in your configuration file
    P.S. You can only get one
    $Configuration = "Text";
    $Configuration = "BBCode";
    $Configuration = "Markdown";

    Before anyone goes too wild. Note that I believe this is it, but considering my 7/8 minute inspection time, I'm going to look through the code a bit longer and see if there's anything else.
    Final Edit: Well, I found nothing else. This does in fact appear to be the solution. This just makes PWE look really bad...I mean, I know you will say they already look bad, but this...this is a new level of bad. They took the time to remove the graphical elements of the form, when it should've only taken a few minutes to find the real way to fix it.
    Post edited by nrglg on

  • opkossy Posts: 11,177 Community Moderator
    They took over two years and still haven't changed a simple font color on the vBulletin forums we're on. Does it really surprise you in the slightest that a 10 minute fix is something seemingly beyond them?
    (Insert fancy image here)
  • nrglg Posts: 347 Arc User
    edited May 2015

    No, but I was attempting to be positive previously. This is just more depressing to me than I anticipated...that is, I expected it to be something easy, but not this easy.

    Edit/Markdown Removal: Markdown support confirmed. They even support nested lists. I almost want markdown instead of BBCode...except for the fact that it will break so much old stuff. That is, unless they import it with the "BBCode" setting. Which from my search of the source, is very possible. However, if anything imported with this setting is changed, it would be changed to Markdown if they fixed it how I mentioned above.

    Post edited by nrglg on

  • asterelle Posts: 368 Arc User
    edited May 2015
    Honestly I think they must be using a really old version of Vanilla forums.

    If you look here line 93: https://github.com/vanilla/vanilla/blob/master/conf/config-defaults.php

    There is a setting
    $Configuration['Garden']['Html']['SafeStyles']                  = TRUE; // disallow style/class attributes in html to prevent click jacking
    That setting has been there since 2012.

    Edit: - Ohh nm, I think that setting gets disabled when you use the Wysiwyg editor (maybe that's why they tried to remove it?). If you want to use the wysiwyg editor you're supposed to install the 'HTML Purifier' plugin. You can download it here. It's not that hard to google this stuff... it's been a known issue since 2010.

    The fix from @nrglg would also break the wysiwyg editor since that thing is built on html input. Honestly I don't think most people could cope without having some kind of rich editor that adds the tags for font colors and whatnot.
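
The server-side restriction discussed in this thread (the browser can set the format field itself, so the server has to decide which format a post is stored and rendered in), as an added example that is not code from any poster or from Vanilla. The `Format` and `Body` field names, the `policy` object and all function names are assumptions; the format names are the ones listed earlier in the thread.

```javascript
// Added example, not Vanilla's code. Names below are hypothetical.
// Server-side policy: which input formats this site permits. The thread
// lists Html, Wysiwyg, Markdown, BBCode and Text as accepted by the server.
const policy = {
  allowedFormats: ['BBCode', 'Text'], // raw Html/Wysiwyg input not accepted
  defaultFormat: 'BBCode',
};

// The submitted format is only a request: anything outside the allowlist
// falls back to the configured default, whatever the client form sent.
function resolveFormat(submitted, pol = policy) {
  if (typeof submitted !== 'string') return pol.defaultFormat;
  const wanted = submitted.trim().toLowerCase();
  const match = pol.allowedFormats.find((f) => f.toLowerCase() === wanted);
  return match || pol.defaultFormat;
}

// Escape text for an HTML context so typed markup is shown, not interpreted.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Store the resolved format with the post, never the client's value.
// formatOverridden flags a request for a format the UI never offers,
// which is worth logging.
function acceptPost(form, pol = policy) {
  const format = resolveFormat(form.Format, pol);
  const requested = String(form.Format ?? '').trim().toLowerCase();
  return {
    format,
    body: String(form.Body ?? ''),
    formatOverridden: requested !== format.toLowerCase(),
  };
}

// Render from escaped text; BBCode then adds back only the tags it knows.
// Two tags are handled here to keep the example short.
function renderPost(post) {
  const safe = escapeHtml(post.body);
  if (post.format !== 'BBCode') return safe;
  return safe.replace(/\[(b|i)\]([\s\S]*?)\[\/\1\]/gi, (_, tag, inner) => {
    const t = tag.toLowerCase();
    return `<${t}>${inner}</${t}>`;
  });
}

// Constructed sample submission: the client asks for html.
const sample = acceptPost({ Format: 'html', Body: '<b>x</b> [B]y[/B]' });
console.log(sample.format, sample.formatOverridden, renderPost(sample));
```
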
  • xtern1ty Posts: 864 Arc User
    @asterelle, @dabelgrave,

    See if you can send me a message from the inbox, I started a convo and tested add user, check if it worked please.
  • eirghan Posts: 669 Arc User
    As a not very tech savvy player thanks to you guys who know how to break stuff. Also thanks to PWE team for doing the right thing and postponing.
    eirghan sage seeker 105♥105♥105 current gear

  • mrmusi Posts: 24 Arc User
    edited May 2015
    @eirghan Whatever it takes to get PWE to fix some problems!

    Edit: Welp, I found this yesterday (May 3rd) after they "removed" the WYSIWYG/HTML editor. Suffice it to say that all the HTML stuff is still quite possible, if not easier. I think they might have fixed some stuff on profiles, but the posts still seem pretty vulnerable.

    I like the background that was on page 2. <img src="http://i.imgur.com/ygsJ3Fn.jpg" style="position:initial; top: 0px; height: 100%; pointer-events: none;" alt="image">

    Edit2: They fixed signatures? Cool if they did!

    Edit3: Well, "fixed" is relative. Looks like everything was just parsed as plain text and put into its own tags. Kinda like fixing cross-site scripting?

    Edit4: I wish there was a way to keep some of the customization (like the box-shadow or the option to not use 6 year old screen names) without opening up to all the vulnerabilities. I haven't looked at all the "expansive features" of Vanilla, but maybe this is an option?
    Post edited by mrmusi on