Beta Forums
[MyBB] About userfields - Printable Version


[MyBB] About userfields - RateU - 10-30-2009 10:21 PM

  • MyBB Version: 1.4.9
  • PHP Version:
  • MySQL(i) Version:
  • Forumlink: localhost
  • Screenshot:
  • Actions that lead to this issue:
  • Other Useful Info:

I want to ask about Custom Profile Fields.

I have a default custom profile field. It is the fid1 (Location) field, and I use {$userfields['fid1']} to display this field's value.

I entered a simple JavaScript code in the field via UserCP:

<script type="text/javascript">
document.write("Example Scripts");
</script>

And the result is: Example Script.

So, I think {$userfields['fidx']} will render the script that is filled in the custom user fields. It doesn't happen with {$profilefields}.

So, is it secure if we use the {$userfields['fidx']} code in the member profile page?

RE: [MyBB] About userfields - LeX- - 10-30-2009 10:32 PM

Don't know if script tags are allowed in Custom Profile Fields (can cause troubles? if someone fills in a bad script), could be they're filtered out by MyBB, but it's secure to use {$userfields['fidX']} in the member profile.

RE: [MyBB] About userfields - RateU - 10-30-2009 10:39 PM

(10-30-2009 10:32 PM)LeX- Wrote:  but it's secure to use {$userfields['fidX']} in the member profile.

Thank you very much, LeX-. I'm very happy to hear that. Because when I try to use another tag in the field, the img tag, {$userfields['fidx']} shows the images. The {$profilefields} will not render any script in the fields. This makes me worry if a member puts a bad script there. But now, I don't worry anymore.
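
Added example, not part of the thread and not MyBB's own code: the value from the first post interpolated into profile markup raw and after HTML escaping, assuming the stored field value reaches the template unescaped as the first post describes. The function name escape_userfields and the sample row are hypothetical; only PHP's built-in htmlspecialchars() is used.

```php
<?php
// Added example, not MyBB code. $userfields mimics a row of custom profile
// field values keyed fid1, fid2, ... (constructed sample data).

/**
 * Return a copy of the row with every fidN value HTML-escaped, so it can be
 * interpolated into a template as text rather than as markup.
 * Hypothetical helper name, chosen for this example.
 */
function escape_userfields(array $row): array
{
    $safe = [];
    foreach ($row as $key => $value) {
        if (preg_match('/^fid\d+$/', (string) $key) && is_string($value)) {
            // ENT_QUOTES also escapes ' and ", which matters when the value
            // ends up inside a quoted HTML attribute.
            $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
        }
        $safe[$key] = $value;
    }
    return $safe;
}

// Constructed sample row: the script from the first post plus an img tag.
$userfields = [
    'ufid' => 7,
    'fid1' => '<script type="text/javascript">document.write("Example Scripts");</script>',
    'fid2' => '<img src="http://example.invalid/a.png">',
];

// What a template containing {$userfields['fid1']} would emit for the raw row.
$raw = "<td>Location: {$userfields['fid1']}</td>";

// The same template fed from the escaped copy.
$escaped_fields = escape_userfields($userfields);
$escaped = "<td>Location: {$escaped_fields['fid1']}</td>";

echo "Raw (a browser parses this as a script element):\n{$raw}\n\n";
echo "Escaped (a browser displays this as literal text):\n{$escaped}\n";
```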