Topic: Please view my forum...

dannyluked (topic starter)
Please view my forum...
« on: December 22, 2009, 12:51:18 PM »
Hi,
I have recently made a forum! Please test it, and tell me how it looks in your browser. I'm not too bothered about the code for the moment, just functionality, looks and usability.
Test with:
Username: test
Password: test

My forum is here: http://dannyluked.comze.com/forum

Please only comment on the forum as I have another thread to comment on the rest of the site...here

corrupshun
Re: Please view my forum...
« Reply #1 on: December 23, 2009, 09:32:58 AM »
Looks like it works well, but the only problem I had was the size of the forum, kinda small.
Or is that the way you wanted it?
<?php
if(isset($_POST['troll'])) {
echo 'GTFO';
}
?>

dannyluked (topic starter)
Re: Please view my forum...
« Reply #2 on: December 23, 2009, 10:09:28 AM »
The way I wanted, sort of!
I could have made it wider, but I wanted it to be inside the site rather than attached (I wanted to keep the left and right of the site).
Thanks for the comment...

Adam
Re: Please view my forum...
« Reply #3 on: December 23, 2009, 10:11:21 AM »
Not keen on the look, too small and basic -- looks like it would be awkward to use on a regular basis. The white pages that appear after you've done something like make a post are really.. unattractive. When you modify a post especially you're left with no link forward, and you have to click the back button twice in order to get back to the topic or even a link to the board index.

Functionality-wise it has all the necessities but lacks any of the more "miscellaneous" features such as formatting, attachments, notifications(?), etc. You should also perhaps try to think of something unique you can add to your forum that would grab some attention, depending on what kind of project this is for you.

The navigation I found is quite bizarre. The forum link (although active) should still be clickable. People will probably more often than not spot that link hoping to take them back to the board index, before the actual 'board index' breadcrumb or the "Forum" link right below it (which seems odd to extend the menu down for just one link), and get frustrated if it isn't actually a link. I also couldn't find the 'modify profile' section easily. I was expecting it to be somewhere within the forum tab, as it's a forum profile, but instead was hidden away in the members page as a barely noticeable link in the top right.

Not a bad effort though, just needs work.
Ronnie Wood, true or false?

dannyluked (topic starter)
Re: Please view my forum...
« Reply #4 on: December 23, 2009, 12:54:36 PM »
Thanks for the good 'review'.
I am next going to be looking at introducing BBCode. This would make the forum a lot better, but when looking for info about BBCode I am struggling to find some help!
I will add another profile button on the forum page right away!
The forum is mainly to practice my PHP, but if it is good enough I may use it if I go into PHP when I'm older! It is meant to be simple so that when implemented on someone's site (e.g. a client's) they will be able to use it even with basic computer knowledge. If they did want a complicated forum I would just install one!!
I am not 100% keen on the white page messages, but I don't like forwarding users straight to a page. I feel it is like someone is controlling you!

Thanks for the comment again!!

dannyluked (topic starter)
Re: Please view my forum...
« Reply #5 on: January 03, 2010, 01:36:56 PM »
UPDATE: I have now changed the navigation accordingly and I have added formatting. Please continue to review and update me on any thoughts. BBCode is now enabled also.

corrupshun
Re: Please view my forum...
« Reply #6 on: January 04, 2010, 10:23:45 PM »
Alright, one thing I should say is that you should not put the IP address in the <input hidden> option, because people could edit this and pretend... (although I didn't see the code, I just assume).
Oh, also: the BBCode looks good. I can't seem to XSS it, but I can make it look fucked up (just a little).
http://dannyluked.comze.com/forum/view_topic.php?id=38
Edit:

I REALLY fucked it up
Code:
    [img]http://'/><img src='http://dannyluked.comze.com/inc/img/Bottom.png' height='9000' width='9000[/img]
Put that in it :P
« Last Edit: January 04, 2010, 10:33:31 PM by corrupshun »

corrupshun
Re: Please view my forum...
« Reply #7 on: January 04, 2010, 10:39:26 PM »
Sorry for double posting, but couldn't find modify anymore...
So yeah, I found XSS
Code:
    [img]http://dannyluked.comze.com/inc/img/Bottom.png' border='20' onClick=javascript:alert('XSS') width='200[/img]
« Last Edit: January 04, 2010, 10:40:10 PM by corrupshun »

dannyluked (topic starter)
Re: Please view my forum...
« Reply #8 on: January 05, 2010, 04:27:05 AM »
Quote from: corrupshun
    Sorry for double posting, but couldn't find modify anymore...
    So yeah, I found XSS
    Code:
    [img]http://dannyluked.comze.com/inc/img/Bottom.png' border='20' onClick=javascript:alert('XSS') width='200[/img]

Hi, thanks for testing. I was just wondering if you could elaborate more on the above post! I think I have stopped the onclick function along with some others!

Adam
Re: Please view my forum...
« Reply #9 on: January 05, 2010, 04:34:46 AM »
He means that your BB code parser allows users to 'inject' JavaScript through the 'onclick' attribute (most likely all other event attributes too); you need to filter any XSS attempts like these out.

corrupshun
Re: Please view my forum...
« Reply #10 on: January 05, 2010, 07:33:18 AM »
To add to MrAdam:
if a random visitor was to put that in the post box, they could inject JavaScript into the code; they could also add more CSS elements to completely destroy the page.
I would make it so that the user cannot type a ' in the code.
Also filter onclick, onblur, onload, onunload, onchange, onsubmit, onmouseover, and onmouseout.

dannyluked (topic starter)
Re: Please view my forum...
« Reply #11 on: January 05, 2010, 08:23:53 AM »
Quote from: corrupshun
    To add to MrAdam:
    if a random visitor was to put that in the post box, they could inject JavaScript into the code; they could also add more CSS elements to completely destroy the page.
    I would make it so that the user cannot type a ' in the code.
    Also filter onclick, onblur, onload, onunload, onchange, onsubmit, onmouseover, and onmouseout.

Thanks for the reply, but I can't filter ' because some websites contain it (I think!). Is there anything else I need to filter apart from the ones mentioned?

corrupshun
Re: Please view my forum...
« Reply #12 on: January 05, 2010, 05:20:00 PM »
Websites do not have ' in the URL.
It's not allowed.

Adam
Re: Please view my forum...
« Reply #13 on: January 05, 2010, 06:33:47 PM »
Quote from: corrupshun
    Websites do not have ' in the URL.
    It's not allowed.

Technically file names can contain a ', however it's highly unlikely you'll ever come across it.

Quote from: dannyluked
    Is there anything else I need to filter apart from the ones mentioned?

Personally I'd think about the parameters that are allowed, as opposed to which you need to filter out.
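As an added example, not code from this thread or from dannyluked's forum: a PHP [img] handler written the way Adam suggests (decide what is allowed, then encode on output), next to the naive string substitution that the two payloads corrupshun posted break. The function names, the regular expression and the `$posts` array are my own assumptions about how such a parser might look; the three sample posts are constructed from the URLs already in the thread.

```php
<?php
// Added example, not the forum's own code: a BBCode [img] handler that
// allow-lists the URL and HTML-encodes it, beside the naive form that the
// payloads in this thread break.

// Naive version. The body between the tags is pasted into the attribute
// unencoded, so a quote in the "URL" closes src='...' and everything after
// it becomes new attributes (border, onClick, width, ...).
function render_img_naive(string $bbcode): string
{
    return preg_replace(
        '/\[img\](.*?)\[\/img\]/is',
        '<img src=\'$1\' />',
        $bbcode
    );
}

// Hardened version. Two independent controls:
//  1. allow-list the URL: it must parse, carry an http/https scheme and a
//     plain hostname. This is where a host allow-list or size limit would go.
//  2. HTML-encode the value with ENT_QUOTES before it goes into the
//     attribute, so ' and " are encoded and cannot terminate it.
// Control 2 on its own is what defeats the thread's payloads; control 1 keeps
// javascript: and data: URLs out of src. Neither bans the ' character, so a
// file name that legitimately contains one still works.
function render_img_safe(string $bbcode): string
{
    return preg_replace_callback(
        '/\[img\](.*?)\[\/img\]/is',
        function (array $m): string {
            $url   = trim($m[1]);
            $parts = parse_url($url);
            $ok = is_array($parts)
                && isset($parts['scheme'], $parts['host'])
                && in_array(strtolower($parts['scheme']), ['http', 'https'], true)
                && preg_match('/\A[A-Za-z0-9.-]+\z/', $parts['host']) === 1;
            if (!$ok) {
                // Not a URL we accept: show the BBCode as literal, encoded text.
                return htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8');
            }
            return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" alt="" />';
        },
        $bbcode
    );
}

// Constructed sample posts: one legitimate image, then the two payloads
// posted earlier in this thread.
$posts = [
    '[img]http://dannyluked.comze.com/inc/img/Bottom.png[/img]',
    "[img]http://dannyluked.comze.com/inc/img/Bottom.png' border='20' onClick=javascript:alert('XSS') width='200[/img]",
    "[img]http://'/><img src='http://dannyluked.comze.com/inc/img/Bottom.png' height='9000' width='9000[/img]",
];

foreach ($posts as $p) {
    echo "naive: " . render_img_naive($p) . "\n";
    echo "safe:  " . render_img_safe($p) . "\n\n";
}
```

Run it from the command line with `php`. For the second post the naive output contains a live `onClick` attribute and a `border` attribute; the safe output is a single `src` value in which every quote is encoded, so the browser sees one long, broken image URL and nothing else. The third post never reaches the `<img>` tag in the safe version because `http://'` has no usable hostname, and is echoed back as encoded text instead. How `parse_url` happens to split such mangled input is not what keeps the page safe; the output encoding is, and the allow-list is the place to tighten what is accepted, which is the approach Adam recommends over trying to enumerate dangerous attributes.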

corrupshun
Re: Please view my forum...
« Reply #14 on: January 06, 2010, 07:36:19 AM »
Quote from: Adam
    Personally I'd think about the parameters that are allowed, as opposed to which you need to filter out.

Exactly.