exx8 wrote:
DavidIQ wrote:
exx8 wrote:
Shall I bring the context?
Actually, is it relevant if it belongs to the notifications feature or the extensions feature?
Sure is relevant. One is part of the core (notifications) while the other one isn't (extensions) and even for the latter it was only a possible issue for a small fraction of extensions, not to mention the extension needed to be badly written. Nice try though.
The writer meant that by sending a request to a phpBB file, you were able to begin an infinite loop. We can see that he doesn't mean extensions because, when he begins talking about extensions, he says it clearly:
Further, once you installed an extension,
That makes it pretty clear that it requires an extension and is not an issue on its own. Thanks for clearing that up.
exx8 wrote:
By the way, you have yet to present any vulnerabilities that will risk the board's security. The only argument you presented is that XSS issues might need to be taken care of, though that is easy to solve, and actually, there is a PHP function that deals with this exact task.
No real risk of SQL injection or something that risks the database.
As I've said already, there is a possibility of XSS when you factor in that this depends on the BBCode work that has been done elsewhere, even though that might not be an issue. Even then the WYSIWYG library could be susceptible to them. If you don't consider XSS to be a security issue then you have no business talking about security.
Also, you have not provided anything constructive in this discussion. You've started with a bunch of complaint comments about how phpBB not having a WYSIWYG editor makes it fall behind other products and how it's so useless to not have it, and other things, which do absolutely nothing to help anything at all. If you have nothing constructive to say to help with the completion of the work to get the WYSIWYG editor into 3.2 then there is no reason for you to continue replying. Bottom line is there will be a WYSIWYG editor in 3.2 IF the work is done. If not, then expect it in the following version. People complaining like you have done doesn't help that at all. It likely has the opposite effect. Therefore, if this derailment of actual RFC discussion continues then those posts, yours or anyone else's, will be deleted.