User-defined CSS?

SamIO
Managing [DIV]s is pretty messy, especially with the usual inconsistent line-breaking behavior that comes with most forums.

Aside from the large blocks of structural code that make post sources hard to read and maintain, there's a lot of missed code reuse from all that repetition.

User-defined HTML/CSS is generally forbidden on forums, and for good reason, which is why we have bbCode instead. But I know I've seen it handled well on some in the past.

My suggestion would be to add a bbCode tag that makes use of something like iFrames to isolate the site view from potentially malicious CSS, and require users to write any kind of CSS onto these frames.

I'm a huge fan of experimenting with this kind of stuff when roleplaying, and it would be made a lot easier with something that allowed me to make use of CSS, or something similar to pull the styling out of the content portion of my posts.
I think @Diana explained it once that while CSS is great and would allow for more freedom for coding, it might give too much freedom in the sense that it could become easy to hide malicious things in the code. I could be wrong and totally misremembering though (which is why I tagged her)
So I've been doing some looking around to learn more about the security risks of user-defined CSS and it seems that the issue of embedded JS can be approached with the Sandbox attribute (iFrames already isolate the site from malicious CSS by preventing styling from affecting anything outside of the iFrame). This prevents a variety of dynamic behaviors that a malicious user could exploit to attack a viewer's browser.

The way I think this could be handled safely is that the user would write a [STYLE="<User-Defined CSS>"] tag. This would generate a sandboxed iFrame and fill it with the same kind of bbCode-parsed content that we would expect to get from any other part of a post. Then a modified [DIV="<Inline-Style>"|"<CSS Classes>"] tag would allow a user to make use of the CSS defined at the iFrame level.

This keeps everything neat and contained within a safe context which, if abused, can only affect the specific area within this tag and not the rest of the site or a viewer's browser. If a malicious user wants to make an eyesore they already have [DIV]s for that; that's about the best they can hope to accomplish within these boundaries.

No overriding site-level CSS and making the entire thread page a hazard, no injected JS, and no more threat of eyesore than we already have. I really think this is worth consideration.
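The [STYLE] rendering described in the post above, as an added example that is not part of the original thread or of XenForo: a hypothetical renderer that emits an iframe with an empty `sandbox` attribute (no scripts, no forms, no top-navigation, unique origin), attribute-escapes the `srcdoc`, strips `</` from the CSS so it cannot close the `<style>` element, and adds a meta Content-Security-Policy so the CSS cannot pull in external resources via `url()` or `@import`. It assumes `bodyHtml` is already the safe output of the forum's existing bbCode parser.

```javascript
// Added example, not code from the thread or from XenForo. Function names
// and the [STYLE] -> iframe mapping are hypothetical.

// Escape text for safe placement inside an HTML attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// User CSS must never be able to close the <style> element and start
// another element, so every "</" sequence is dropped.
function neutralizeCss(css) {
  return String(css).replace(/<\//g, "");
}

// The document that lives inside the frame. The meta CSP blocks scripts
// and any external load (images, fonts, @import, url()), so the user's
// CSS can only affect pixels inside this frame.
function buildFrameDocument(css, bodyHtml) {
  const csp = "default-src 'none'; style-src 'unsafe-inline'";
  return (
    "<!doctype html><html><head>" +
    `<meta http-equiv="Content-Security-Policy" content="${csp}">` +
    `<style>${neutralizeCss(css)}</style></head>` +
    `<body>${bodyHtml}</body></html>`
  );
}

// Emit the iframe the [STYLE] tag expands to. sandbox="" (no tokens)
// denies scripts, forms and top navigation and gives the frame a unique
// origin, so it cannot read the forum's cookies or DOM. srcdoc is
// attribute-escaped so the content cannot break out into the host page.
function renderStyleTag(css, bodyHtml) {
  const doc = buildFrameDocument(css, bodyHtml);
  return `<iframe sandbox="" srcdoc="${escapeHtml(doc)}"></iframe>`;
}
```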
The simple answer is that this specific feature is too complicated for me to implement!

What is possible for Iwaku is limited by A) what is available and supported at xenforo.com, and then B) my personal skill level. Then it has to be decided whether or not this added feature is actually necessary and worth the effort. Advanced bbcodes are fun for aesthetics but they're not a high priority, so if it's not something we can implement easily, we look for other options. There's only so many things I can make doable in the editor, and this particular suggestion is not one I can do. O: If you get more specific with what kind of things you wanna do in a bbcode, it's more likely I can make something for that.

An exception though: frames. I won't make frames bbcodes. People could use frames to load other websites into their posts, and that's a pain in the butt. ]:< (that was a really creative suggestion for getting around css issues though!)


Because I know this suggestion is coming next: People like to volunteer to do scripting for the site, but I'm unable to accept those offers. D: There is no guarantee that a member will be here three months down the line, a year down the line, or longer, to be able to keep up with updates and support. We have enough trouble with recommended addons off the xenforo site, and those peeps do coding for a living. O: We have to be picky and hardass about some stuff just to make it easier for us to do regular updates without inconveniencing members with features coming and going. (This has been a big problem for us this year, you can see it in the announcements T_T)