Why is HTML turned off?
Webtech
10-17-2002, 08:36 AM
Enabling HTML markup (and, with it, calls to scripts, possibly malicious ones)
would create a substantial security risk. During the history of the JU forums,
I understand that HTML _was_ enabled for a while _and_ that there were some
instances of people coding annoying/malicious scripts into posted messages.
The "policy" of disabling HTML markup was adopted in reaction to these incidents.
Oman Jeep
10-18-2002, 10:33 AM
I remember that... someone used the <bgsound> tag to play "Hey Everybody, I'm looking at gay porn!" over the speakers. I actually had to go through and quote each message to find the person who'd done it to prove to my sister that it was some prick on the internet screwing around.
Having said that, I still preferred it when HTML was enabled. Can vBulletin censor strings and use "*" to mean anything? Could it be used to replace "<bgsound*>" with "This user has attempted to include a background sound, which has been disabled by the Administrators due to a mis-use in the past."? Could "<script*>*</script>" (thus <script language="javascript">any script here</script> would be covered.) be replaced with "This user has attempted to include an advanced script, which has been disabled by the Administrators due to the potential mis-use of the technology."
You get the picture...
Is that possible?
Scripts and the sound tag are the only ones I can think of which could be mis-used.
Webtech, if you want any help on testing / finding holes before allowing HTML to everyone, I'm willing to give it a try over in the testing forum.
Also, with the new strategy of no Hotmail / Yahoo addresses on sign up, and a 30 day waiting period for OT, I think that just maybe you might be able to trust us with it. :)
Care to give us a second chance? It's a shame one bugger screwed it up for everyone!
One of the major reasons I want it is the ability to use the table tag for alignment, and greater freedom in message formatting.
Thanks in advance
Oman Jeep
10-18-2002, 10:37 AM
An afterthought, could the 'censorship' simply swap "<script" with "<!--" and "</script>" with "-->" which should in theory comment out the code and prevent it from running?
JEEP_TJ_FREAK
10-20-2002, 01:06 PM
Too many variables, same for java. Also it wasn't me making the BG noises, I just changed the BGs themselves, seasonally and only in my threads. ;) Still uncool, I know.
Oman Jeep
10-20-2002, 01:14 PM
Originally posted by JEEP_TJ_FREAK
Too many variables
Hence the * wild card, you can use it in the search when the search works, so I assume it could be used to block types of scripts based on a key string that's common to all of them.
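The wildcard replacement and the comment swap proposed in the posts above, run next to plain output escaping, as an added example that is not part of the original thread or of vBulletin. The sample posts, function names and the rough "still active" check are constructed for illustration.

```python
import html
import re

# Constructed sample posts (not taken from the forum).
SAMPLES = {
    "bgsound": '<bgsound src="a.wav">',
    "script": '<script language="javascript">alert(1)</script>',
    "uppercase": '<SCRIPT>alert(1)</SCRIPT>',
    "handler": '<img src="x.gif" onload="alert(1)">',
}

def wildcard_filter(post):
    """'<bgsound*>' and '<script*>*</script>' replaced with notices, matched literally."""
    post = re.sub(r"<bgsound[^>]*>", "[background sound disabled]", post)
    return re.sub(r"<script[^>]*>.*?</script>", "[script disabled]", post, flags=re.S)

def comment_swap(post):
    """'<script' -> '<!--' and '</script>' -> '-->'; this variant only targets script."""
    return post.replace("<script", "<!--").replace("</script>", "-->")

def escape_all(post):
    """Output encoding: no denylist, every post is rendered as plain text."""
    return html.escape(post, quote=True)

# Rough check for markup a browser would still act on: a script/bgsound tag
# in any letter case, or any tag carrying an on* event-handler attribute.
ACTIVE = re.compile(r"<\s*(?:script|bgsound)\b|<[^>]*\son\w+\s*=", re.I)

def survivors(filter_fn):
    """Names of the sample posts that still contain active markup after filtering."""
    return [name for name, post in SAMPLES.items() if ACTIVE.search(filter_fn(post))]

if __name__ == "__main__":
    for fn in (wildcard_filter, comment_swap, escape_all):
        print(f"{fn.__name__:16} leaves active: {survivors(fn) or 'nothing'}")
```

Both denylist variants pass the uppercase tag and the event-handler attribute through untouched, while escaping leaves nothing for the browser to interpret.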
Webtech
10-21-2002, 04:31 PM
Guys...
It's not going to happen & it's not JUST because of past instances of malicious script tags.
Given the differences between browser DOMs, it would be a nightmare to support.
(Continual "I don't see nuffin but a blue box" type comments/questions, etc. along with
situations where someone would forget to close a table cell... which would mess up
the page layout for an entire thread...)
...not to mention the additional overhead in parsing the message bodies on-the-fly for each threadview page.
You have the ability to place links within posts & can certainly put your
marked-up content on a GeoCities page (or wherever) and link to it there.