Please view my forum...


dannyluked

Hi,

I have recently made a forum! Please test it, and tell me how it looks on your browser. I'm not too bothered about the code for the moment, just functionality, looks and usability.

Test with:

Username: test

Password: test

 

My forum is here: http://dannyluked.comze.com/forum

 

Please only comment on the forum as I have another thread to comment on the rest of the site...here

 

Not keen on the look, too small and basic -- looks like it would be awkward to use on a regular basis. The white pages that appear after you've done something like make a post are really.. unattractive. When you modify a post especially you're left with no link forward, and you have to click the back button twice in order to get back to the topic or even a link to the board index.

 

Functionality-wise it has all the necessities but lacks any of the more "miscellaneous" features such as formatting, attachments, notifications(?), etc, etc. You should also perhaps try to think of something unique you can add to your forum that would grab some attention - depending on what kind of project this is for you.

 

The navigation I found is quite bizarre. The forum link (although active) should still be clickable. People will probably more often than not spot that link hoping to take them back to the board index, before the actual 'board index' breadcrumb or the "Forum" link right below it (which seems odd to extend the menu down for just one link), and get frustrated if it isn't actually a link. I also couldn't find the 'modify profile' section easily. I was expecting it to be somewhere within the forum tab, as it's a forum profile, but instead was hidden away in the members page as a barely noticeable link in the top right.

 

Not a bad effort though, just needs work.

Thanks for the good 'review'.

I am next going to be looking at introducing BBcode. This would make the forum a lot better, but when looking for info about BBcode I am struggling to find some help!

I will add another profile button on the forum page right away!

The forum is mainly to practice my PHP, but if good enough I may use it if I go into PHP when I'm older! It is meant to be simple so that when implemented on someone's site (e.g. a client's...) they will be able to use it even with basic computer knowledge. If they did want a complicated forum I would just install one!!

I am not 100% keen on the white page messages, but I don't like forwarding users straight to a page. I feel it is like someone is controlling you!

 

Thanks for the comment again!!

alright, one thing i should say is that you should not put the ip address in the <input hidden> option, because people could edit this and pretend.. (although i didn't see the code, i just assume)

oh also: the BBcode looks good, i can't seem to xss it but i can make it look fucked up (just a little)

http://dannyluked.comze.com/forum/view_topic.php?id=38

edit:

 

I REALLY fucked it up

[img=http://'/><img src='http://dannyluked.comze.com/inc/img/Bottom.png' height='9000' width='9000]

put that in it :P

sorry for double posting but couldn't find modify anymore..

So yeah i found XSS

[img=http://dannyluked.comze.com/inc/img/Bottom.png' border='20' onClick=javascript:alert('XSS') width='200]

 

Hi, thanks for testing. I was just wondering if you could elaborate more on the above post! I think I have stopped the onclick function along with some others!

He means that your BB code parser allows users to 'inject' JavaScript through the 'onclick' attribute (most likely all other event attributes too); you need to filter any XSS attempts like these out.

to add to MrAdam,

if a random visitor was to put that in the post box, they could inject javascript into the code, they could also add more css elements to completely destroy the page.

i would make it so that the user cannot type a ' in the [/img] code

also filter onclick, onblur, onload, onunload, onchange, onsubmit, onmouseover, and onmouseout

Thanks for the reply, but I can't filter ' because some websites contain the (I think!). Is there anything else I need to filter apart from the ones mentioned?

websites do not have ' in the url

it's not allowed

 

Technically file names can contain a ', however it's highly unlikely you'll ever come across it.

 

Personally I'd think about the parameters that are allowed, as opposed to which you need to filter out.

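The allow-list approach from the last reply, as an added example that is not code from this thread or from dannyluked's forum: the [img] URL is checked against what it may contain and then HTML-escaped, so a ' in a file name is harmless (it becomes &#x27; and cannot close the src attribute) and the attribute-breaking and onClick payloads posted above are emitted as plain text. It is written in Python; the host example.test in the comments is a constructed placeholder.

```python
"""Allow-list [img] BBCode rendering. Added example, not the forum's code."""
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Matches [img=URL] and [img]URL[/img]; the URL is validated separately.
IMG_TAG = re.compile(r"\[img(?:=([^\]]*)|\]([^\[]*)\[/img)\]", re.IGNORECASE)

# Characters a URL may contain (RFC 3986 unreserved, reserved and percent
# encoding). Spaces, double quotes, < and > never pass, so a payload that
# tries to append attributes is rejected before it becomes markup.
URL_CHARS = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+")


def safe_img_tag(url: str) -> Optional[str]:
    """Return an <img> tag for an acceptable http(s) URL, else None."""
    url = url.strip()
    try:
        parts = urlsplit(url)
    except ValueError:          # e.g. unbalanced [ ] in the host part
        return None
    # Only absolute http(s) URLs: rejects javascript:, data:, relative paths.
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    if not URL_CHARS.fullmatch(url):
        return None
    # ' is allowed (file names may contain it) but escaped to &#x27;, so it
    # can never close the src="..." attribute. Filtering event names is not
    # needed: nothing the user typed is ever emitted as an attribute name.
    return f'<img src="{html.escape(url, quote=True)}" alt="">'


def render_bbcode(text: str) -> str:
    """Render [img] tags; everything else, rejected tags included, is escaped."""
    out, last = [], 0
    for m in IMG_TAG.finditer(text):
        out.append(html.escape(text[last:m.start()]))
        url = m.group(1) if m.group(1) is not None else m.group(2)
        tag = safe_img_tag(url)
        out.append(tag if tag is not None else html.escape(m.group(0)))
        last = m.end()
    out.append(html.escape(text[last:]))
    return "".join(out)
```

Feeding the onClick payload quoted above through render_bbcode yields the tag text with its quotes escaped and no <img> element at all, while a plain http(s) image URL still renders.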
