#276 2017-11-25 03:31:47

Ryo
New member
Registered: 2017-08-10
Posts: 3

Re: FluxBB by Visman

Good job, really appreciated. Your own parser branch seems pretty useful, but is it secure enough for running live? There are quite a few modifications you have made. I'm looking forward to this project, keep it up. It works very well so far for me with PHP 7.1 and APCu. Is it worth using other caching like phpFastCache?


If we can really understand the problem, the answer will come out of it, because the answer is not separate from the problem.


#277 2017-11-25 11:11:53

Visman
Member
From: Siberia
Registered: 2010-07-10
Posts: 1,154

Re: FluxBB by Visman

but is it secure enough for running live?

All output HTML is passed through the htmlspecialchars() function.

    public function e($text)
    {
        return htmlspecialchars($text, $this->eFlags, 'UTF-8');
    }

    public function getHtml($id = 0)
    {
    // ...
            $attrs = [];
            foreach ($this->data[$id]['attrs'] as $key => $val) {
                if (isset($bb['attrs'][$key])) {
                    $attrs[$key] = $this->e($val); // <-- for attributes
                }
            }
    // ...
            case 1:
                $text = $this->e(preg_replace('%^\x20*\n%', '', $this->data[$id]['text'])); // <-- for text
                break;
            case 2:
                $text = $this->e(preg_replace('%\n\x20*$%D', '', $this->data[$id]['text'])); // <-- for text
                break;
            case 3:
                $text = $this->e(preg_replace('%^\x20*\n|\n\x20*$%D', '', $this->data[$id]['text'])); // <-- for text
                break;
            default:
                $text = $this->e($this->data[$id]['text']); // <-- for text
                break;
        }
...

It works very well so far for me with PHP 7.1 and APCu. Is it worth using other caching like phpFastCache?

FluxBB supports only caching to files (include/cache.php). Beyond that, either OPcache or APC works.

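As an added example (not code from FluxBB or from Visman's parser), the following shows why the flags held in $this->eFlags matter: the same untrusted value is rendered into a text node, a double-quoted attribute and a single-quoted attribute, once escaped with ENT_QUOTES | ENT_SUBSTITUTE and once with ENT_COMPAT only, and then an invalid UTF-8 value is escaped both ways. The Escaper class, its render() method and the sample inputs are assumptions made for this demonstration.

```php
<?php
// Added example (not FluxBB's or Visman's code): how the flags passed to
// htmlspecialchars() decide whether an escaped value is safe in every HTML
// context the parser emits it into (text node, double- and single-quoted
// attribute). Class and method names are hypothetical.
declare(strict_types=1);

final class Escaper
{
    // A defensive default: ENT_QUOTES also encodes the single quote,
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
    const SAFE_FLAGS = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;

    /** @var int */
    private $eFlags;

    public function __construct(int $eFlags = self::SAFE_FLAGS)
    {
        $this->eFlags = $eFlags;
    }

    public function e(string $text): string
    {
        return htmlspecialchars($text, $this->eFlags, 'UTF-8');
    }

    // Renders the same untrusted value into the three contexts.
    public function render(string $value): string
    {
        $v = $this->e($value);
        return "<p>{$v}</p>\n"
             . "<input value=\"{$v}\">\n"
             . "<input value='{$v}'>\n";
    }
}

// Constructed sample input: quotes of both kinds plus a tag.
$sample = "Bob's \"App\" <b>x</b>";

$safe   = new Escaper();
$legacy = new Escaper(ENT_COMPAT);   // encodes " but leaves ' as-is

echo "--- ENT_QUOTES | ENT_SUBSTITUTE ---\n", $safe->render($sample);
echo "--- ENT_COMPAT only ---\n", $legacy->render($sample);
// With ENT_COMPAT the single-quoted attribute still contains a raw ',
// so the value can close the attribute early; with ENT_QUOTES every
// quote character is turned into an entity.

// Invalid UTF-8: without ENT_SUBSTITUTE (or ENT_IGNORE) htmlspecialchars()
// returns "" and the whole value silently disappears from the page.
$broken = "caf\xC3";                  // constructed truncated multibyte sequence
var_dump((new Escaper(ENT_QUOTES))->e($broken));   // empty string
var_dump($safe->e($broken));                        // text with U+FFFD substituted
```

The point for a forum parser is that one escaping routine feeds many contexts, so the flags have to cover the strictest of them: ENT_QUOTES for attributes of either quote style, and ENT_SUBSTITUTE so that malformed input degrades visibly rather than vanishing.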

#278 2017-11-26 07:19:26

Ryo
New member
Registered: 2017-08-10
Posts: 3

Re: FluxBB by Visman

Thanks for the reply. I've got a couple of form pages that pass the form field entries when submitting the form to formpost.php, resulting in a new forum topic with the form contents. Output HTML in appform.php uses the pun_htmlspecialchars function, like

<input name="req_subject" type="hidden" size="25" value="<?php echo pun_htmlspecialchars($pun_user['username'] . "'s Application") ?>" />

Should I use pun_htmlspecialchars on every single output which contains only HTML code like this, with functions.php included in appform.php? Or doesn't it matter, as the parser does its job in post.php?
How would you do it?

appform.php form field example:

<input type="text" name="req_message4" value="" class="size_m" required />

formpost.php is just a duplicated post.php with a few lines extra to format the inputs into the topic message area:

    $message0 = pun_linebreaks(pun_trim($_POST['req_message']));
    $message1 = pun_linebreaks(pun_trim($_POST['req_message1']));
    $message2 = pun_linebreaks(pun_trim($_POST['req_message2']));
    $message3 = pun_linebreaks(pun_trim($_POST['req_message3']));
    $message4 = pun_linebreaks(pun_trim($_POST['req_message4']));

    $orig_message = $message =
        '[quote]Information[/quote]' . "\n" .
        '[b]Name:[/b] ' . $message1 . "\n" .
        '[b]CName:[/b] ' . $message2 . "\n" .
        '[b]Reason:[/b] ' . $message3 . "\n\n" .
        '[b]Owner:[/b] ' . $message4 . "\n\n\n" .
        '[u]Forminfo End.[/u]';

And yeah, the appform.php just uses this to pass the form data, where "fid=19" is the only forum with posting permissions allowed:

<form id="post" method="post" action="formpost.php?action=post&amp;fid=19" onsubmit="return process_form(this)">
  <input type="hidden" name="csrf_hash" value="<?php echo csrf_hash() ?>" />
  <input type="hidden" name="form_sent" value="1" />

Something tells me that my form code is very insecure.
I really need to rewrite my appform, it's a major mess right now. Any tips? I'm using

Apart from my own form setup, my forum is running on your FluxBB code with your parser, for which you confirmed my security question (using the htmlspecialchars() function). You are doing a great job!


OPcache vs APC? The reason I mentioned phpFastCache was just curiosity.



#279 2017-11-26 11:09:13

Visman
Member
From: Siberia
Registered: 2010-07-10
Posts: 1,154

Re: FluxBB by Visman

Something tells me that my form code is very insecure.
I really need to rewrite my appform, it's a major mess right now. Any tips?

All OK, but it's better to set the fid variable from

<form id="post" method="post" action="formpost.php?action=post&amp;fid=19" onsubmit="return process_form(this)">

in the formpost.php code, on the server side.

OPcache vs APC? The reason I mentioned phpFastCache was just curiosity.

OPcache (PHP 5.5+) and APC (PHP 5.4 and below) are caching engines built into PHP. They automatically speed up working with PHP files.
https://www.sitepoint.com/understanding-opcache/

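The tip above, taken a step further as an added example that is not formpost.php or any other FluxBB code: the target forum id is a server-side constant (the fid=19 from the form), so whatever arrives in the query string is never consulted, the form_sent and csrf_hash fields from the posted form are checked before anything else, and only the named req_message fields are assembled into the BBCode message. The handle_appform() function, the APPFORM_* constants and the $sessionToken parameter are assumptions; the real FluxBB csrf_hash() and pun_linebreaks() helpers are only approximated here.

```php
<?php
// Added example, not code from FluxBB or formpost.php: the "set fid on the
// server side" advice applied to a form handler. Function and constant names
// are hypothetical; $sessionToken stands in for FluxBB's csrf_hash().
declare(strict_types=1);

// The one forum the application form may post into: a server-side constant,
// so the fid sent in the URL (19 or anything else) is never consulted.
const APPFORM_FID = 19;

// Fields the form is allowed to submit, mapped to the labels used in the post.
const APPFORM_FIELDS = [
    'req_message1' => 'Name',
    'req_message2' => 'CName',
    'req_message3' => 'Reason',
    'req_message4' => 'Owner',
];

/**
 * Validates the submitted form ($post is $_POST) against the expected CSRF
 * token and returns [fid, message]; throws on any problem.
 */
function handle_appform(array $post, string $sessionToken): array
{
    // Reject anything that is not the submitted application form.
    if (($post['form_sent'] ?? '') !== '1') {
        throw new RuntimeException('form not sent');
    }
    // Constant-time compare so the token check leaks nothing via timing.
    if (!is_string($post['csrf_hash'] ?? null)
        || !hash_equals($sessionToken, $post['csrf_hash'])) {
        throw new RuntimeException('bad CSRF token');
    }

    $lines = ['[quote]Information[/quote]'];
    foreach (APPFORM_FIELDS as $field => $label) {
        $value = trim((string) ($post[$field] ?? ''));
        if ($value === '') {
            throw new RuntimeException("missing field {$field}");
        }
        // Normalise line endings to \n, like pun_linebreaks() does.
        $value = str_replace(["\r\n", "\r"], "\n", $value);
        $lines[] = "[b]{$label}:[/b] {$value}";
    }
    $lines[] = '[u]Forminfo End.[/u]';

    // fid comes from the constant, never from $_GET.
    return [APPFORM_FID, implode("\n", $lines)];
}

// Constructed sample request for a stand-alone run.
$token   = bin2hex(random_bytes(16));
$request = [
    'form_sent'    => '1',
    'csrf_hash'    => $token,
    'req_message1' => 'Alice',
    'req_message2' => 'alice-c',
    'req_message3' => "Wants to join\r\nthe team",
    'req_message4' => 'Bob',
];
[$fid, $message] = handle_appform($request, $token);
echo "fid={$fid}\n{$message}\n";
```

Keeping the forum id out of the request means the posting permission check only ever has to be right for one forum, and the field whitelist means a renamed or extra input cannot end up in the topic body unescaped by the parser.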

#280 2018-03-21 05:26:21

Visman
Member
From: Siberia
Registered: 2010-07-10
Posts: 1,154

Re: FluxBB by Visman

Added support for Punycode and IPv6 in the email address domain.
https://github.com/MioVisman/FluxBB_by_ … ee534c1420


#281 2018-04-16 10:42:40

roccoxyz
New member
Registered: 2018-04-16
Posts: 1

Re: FluxBB by Visman

@Visman

First, nice work on this.
Could you contact me? I would like to talk to you.
roccocsgoxyz@gmail.com

Or post me your discord?
