Vanilla 1.1.4 is a product of Lussumo. More Information: Documentation, Community Support.
    • CommentAuthorharbour
    • CommentTimeMar 1st 2008
     # 1
    Is there some reason for permitting arbitrary CSS in img tags? I can certainly see that it's useful within the context of a particular post, but the ability to place images anywhere on the page (over the sidebar, over top of other people's posts, etc) just using CSS strikes me as a bizarre choice, and one that would discourage the adoption of Vanilla by any but the smallest forums, given the difficulty of policing this behavior in a community of any size. Is there somewhere that this "functionality" can be disabled?

    My apologies if this has been addressed elsewhere—I wasn't able to find any posts that related directly to my concern.
    • CommentAuthorharbour
    • CommentTimeMar 2nd 2008
     # 2
    No comments on this? I don't have much of a feel yet for how quickly this board moves, but let me expand a bit.

    Using CSS, it's possible to place an image anywhere on the page. In addition to placing images over other people's posts, you can:
    • Disable an entire thread by posting an image with its position set as "fixed" and its height and width at 100%.
    • Replace individual navigation buttons anywhere on the page with links to sites of your choosing by nesting absolutely-positioned images in link tags.
    • Replace an entire sidebar with an absolutely-positioned screen shot of itself, and use an image map defined from within your post to redirect all of the links to arbitrary URLs.

    Surely someone else has seen this abused on a Vanilla forum already?
     # 3
    Which formatter are you using?
    • CommentAuthorharbour
    • CommentTimeMar 2nd 2008 edited
     # 4
    Which formatter are you using?

    HTML Formatter, I believe.

    EDIT: The behavior is reproducible here. As I understand it, you're also using HTML Formatter.
     # 5
    Have you tried something like the KSES formatter for extra security?
    • CommentAuthorharbour
    • CommentTimeMar 2nd 2008 edited
     # 6
    Have you tried something like the KSES formatter for extra security?

    That looks like it might be a reasonable solution, thanks.

    So am I correct in assuming that this behavior is introduced by HTML Formatter, rather than being present in Vanilla out of the box? I'm sorry, I'm not very familiar with the ins and outs of the platform. It's not just img tags either, it's divs and such as well, but you're presumably already aware of that. I'm just curious as to why fixed and absolute positioning via CSS are permitted at all in this context.
     # 7
    Well out of the box vanilla only comes with a text formatter so it just spits out whatever people write without parsing it (I believe). The HTML formatter adds the ability to use some HTML but restricts blatantly nasty stuff like javascript etc (I believe). The KSES formatter goes a step further (I think KSES is a standard of some kind?) and cuts it down to only a few elements allowed (I believe). Both these formatters have black/whitelists (I believe).
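The three abuses listed in comment #2 (fixed full-page overlay, absolutely positioned images inside links, an image map pasted over the sidebar) all rely on the formatter letting a `style` attribute, `usemap`, and `map`/`area` elements through. Comment #7 describes the whitelist approach of a KSES-style formatter. The following is an added example of that approach, written for this page; it is not Vanilla's HTML Formatter or the KSES formatter, and the allowed tag and attribute lists, the URL-scheme check, and the sample payloads are all assumptions chosen to illustrate the thread:

```python
# Added example: a whitelist HTML sanitizer in the spirit of the KSES-style
# formatter discussed above. Not Vanilla's own code; the allow-lists, the URL
# check and the sample payloads below are assumptions made for illustration.
from html import escape
from html.parser import HTMLParser
import re

# Hypothetical allow-list: which elements survive, and which attributes each
# may keep. Anything not listed (style, usemap, id, class, on*, map, area,
# div, script ...) is dropped. Positioning abuse needs `style`, so it never
# gets through; if inline style were required, it would have to be parsed and
# position/z-index/top/left rejected explicitly instead.
ALLOWED = {
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
    "b": set(), "i": set(), "em": set(), "strong": set(),
    "p": set(), "br": set(), "blockquote": set(), "code": set(), "pre": set(),
}
VOID = {"img", "br"}
# Only these URL shapes are accepted for href/src; javascript:, data:, vbscript: etc. fail.
SAFE_URL = re.compile(r"^(https?:|mailto:|/|#)", re.IGNORECASE)


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # drop the tag itself; inner text is still emitted by handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                continue
            value = value or ""
            if name in ("href", "src") and not SAFE_URL.match(value.strip()):
                continue  # unsafe scheme: drop the attribute, keep the element
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return  # closing a dropped or never-opened tag: ignore
        # Close everything opened after it so the output stays well-formed.
        while self.open_tags:
            t = self.open_tags.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is re-escaped, never trusted

    def handle_comment(self, data):
        pass  # comments are dropped (conditional-comment tricks etc.)

    def result(self):
        while self.open_tags:  # close anything the post left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    """Return `fragment` reduced to the whitelisted elements and attributes."""
    p = Sanitizer()
    p.feed(fragment)
    p.close()
    return p.result()


# Constructed payloads modelled on the three abuses from comment #2 (hypothetical URLs).
OVERLAY = ('<img src="http://example.com/blank.png" '
           'style="position:fixed;top:0;left:0;width:100%;height:100%">')
LINK_SWAP = ('<a href="http://attacker.example/"><img src="http://attacker.example/home.png" '
             'style="position:absolute;top:10px;left:20px"></a>')
IMAGE_MAP = ('<img src="http://attacker.example/sidebar.png" usemap="#m" '
             'style="position:absolute;top:0;right:0">'
             '<map name="m"><area shape="rect" coords="0,0,200,30" '
             'href="http://attacker.example/"></map>')

if __name__ == "__main__":
    for label, payload in (("overlay", OVERLAY), ("link swap", LINK_SWAP), ("image map", IMAGE_MAP)):
        print(f"{label}: {sanitize(payload)}")
```

Run as a script it prints each payload reduced to a plain image or a plain linked image that stays inside the post: the `style`, `usemap`, `map` and `area` that let the image escape its container are gone. The design choice worth noting is that the sanitizer is an allow-list keyed on element, then on attribute, and then on URL scheme; a blacklist of "known bad" attributes would have had to anticipate `style`, `usemap`, `onmouseover` and every future addition, which is exactly the gap the thread's author ran into.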
    • CommentAuthorharbour
    • CommentTimeMar 2nd 2008
     # 8
    Thank you, that clears things up a bit.