Ravens PHP Scripts: Forums
Forum: Raven's v7.0 Customized Distro

Pride
Regular


Joined: Oct 22, 2003
Posts: 59

Posted: Mon May 10, 2004 4:33 pm

I cannot get pictures to display in the users' sigs.

I have tried both:

Code:

[img]http://www.url.com/graphic.jpg[/img]

and

Code:

<img src=http://www.url.com/graphic.jpg>

Am I doing something wrong?
 
sixonetonoffun
Spouse Contemplates Divorce


Joined: Jan 02, 2003
Posts: 2496

Posted: Mon May 10, 2004 4:46 pm

Open your account and look for the insert and select statements and see what filtering is applied to the variable. check_html($var, nohtml) and htmlspecialchars($var) will both prevent HTML image tags.

The safest (in my opinion) option would be to get the KSES filter from SourceForge and use that with an array that allowed <img. But that's just my opinion. It's a little under-documented, but it's simpler than it appears at first.

But due to the size of the text field it is very important not to leave it unprotected.
 
Pride
Posted: Mon May 10, 2004 5:07 pm

I'm sorry... I guess I am more of a newbie than I thought.

I didn't understand your entire post.
 
sixonetonoffun
Posted: Mon May 10, 2004 5:13 pm

Sorry, what version of phpNuke, and is your account the default one that came with it? For some reason the checks on that one have changed a few times, so it's hard to tell you what's to be changed without actually looking.
 
Pride
Posted: Mon May 10, 2004 5:19 pm

I have Raven's 7.0 Distro.

I am the site admin.

What files am I looking in for the information you need?
 
sixonetonoffun
Posted: Mon May 10, 2004 5:24 pm

OK, is that with the latest patch files applied?

Your_Account/index.php
 
Pride
Posted: Mon May 10, 2004 5:32 pm

Here is a screenshot of my options for my profile:

[Image]
 
sixonetonoffun
Posted: Mon May 10, 2004 5:33 pm

OK, what you're looking for is most likely this in Your_Account/index.php.

In function saveuser

Around line 958 you'll find
$user_sig = htmlspecialchars($user_sig);
Try commenting that out:
//$user_sig = htmlspecialchars($user_sig);
Then under that put
$user_sig = $user_sig;

Now this is unprotected, but we'll get to that next; let's see if this fixes the problem first.
 
Pride
Posted: Mon May 10, 2004 5:34 pm

sixonetonoffun wrote:
Ok is that with the latest patch files applied?

Your_Account/index.php

No, I haven't patched anything...

Code:

removed

Last edited by Pride on Mon May 10, 2004 5:39 pm; edited 1 time in total 
Pride
Posted: Mon May 10, 2004 5:35 pm

Ooooooooh.... sorry... I was way off... lemme see.
 
Pride
Posted: Mon May 10, 2004 5:38 pm

YES! That worked!

Is there more to this for security purposes?
 
sixonetonoffun
Posted: Mon May 10, 2004 6:00 pm

PM me your email please; there is something in my code that won't go through the filtering here. Probably comments? I'll send you the details to secure the variable again.
 
Pride
Posted: Mon May 10, 2004 6:25 pm

Thank you, I believe it's fixed. You guys always go above and beyond... thank you!!!
 
sixonetonoffun
Posted: Mon May 10, 2004 6:45 pm

For anyone who wants to try what we did next, I'll try posting the additions without the comments.

Yes sir, now what I recommend is to download the class kses from here: [link]
Back up your current files and apply these changes to the latest CS patched series files on the main page here. Upload the patched files and test again.

Extract it and grab the file kses.php from it.
Upload kses.php to your webroot where mainfile.php lives.

Download your mainfile.php and after the lines
if (eregi("mainfile.php",$_SERVER['PHP_SELF'])) {
Header("Location: index.php");
die();
}
add these 2 arrays and 1 function:

Code:

// KSES array, see KSES readme to tweak settings
$allowed_protocols = array('http', 'https', 'ftp', 'news', 'nntp', 'telnet', 'gopher', 'mailto');
// KSES allowed tags array
// This is a loose filtering array
$allowed = array('pre' => array('align' => 1),
                 'strong' => array(),
                 'hr' => array(),
                 'div' => array('align' => 1),
                 'img' => array('alt' => 1, 'src' => 1, 'hspace' => 1, 'vspace' => 1, 'border' => 1),
                 'table' => array('align' => 1, 'border' => 1, 'cell' => 1),
                 'tr' => array('align' => 1),
                 'td' => array(),
                 'ul' => array(),
                 'li' => array(),
                 'ol' => array(),
                 'a' => array('href' => 1, 'target' => 1,
                              'title' => array('minlen' => 4, 'maxlen' => 100)),
                 'font' => array('face' => 1, 'style' => 1, 'color' => 1,
                                 'size' => array('minval' => 1, 'maxval' => 7)),
                 'p' => array('align' => 1),
                 'b' => array(),
                 'i' => array(),
                 'u' => array(),
                 'em' => array(),
                 'br' => array());
// End KSES Options

// Undo magic_quotes escaping before filtering, so kses sees the raw text
function my_stripslashes($text)
{
    if (get_magic_quotes_gpc() == 1) {
        return stripslashes($text);
    }
    return $text;
}


Now in Your_Account/index.php, at the top, after:
$userpage = 1;
add:
include("kses.php");

Then change the line
$user_sig = $user_sig; or $user_sig = htmlspecialchars($user_sig);
to:
global $allowed, $allowed_protocols; // the arrays from mainfile.php must be in scope inside saveuser()
$user_sig = kses(my_stripslashes($user_sig), $allowed, $allowed_protocols);

That should now filter out all but the HTML tags allowed in the array above. (Note: most likely that includes BBCode, but I've never tested that. There is room for improvement in the array; it's just what I had real quick to post.)

If you really need BBCode, or just think this is a pain in the rear and want to use something simpler, just shout back. I think this is a very safe, smart way to protect large text fields like this one. (It was originally created for a phpNuke clone for just this sort of thing.)
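Since the thread never shows what the allow-list actually does to a signature, here is an added example (my code, not the thread's and not KSES itself): a compact allow-list filter in the spirit of the kses() call above, run over two constructed signatures. It assumes the names filter_sig and safe_protocol, a PHP 5.3+ runtime, and a subset of the post's $allowed array; unlike kses it does not decode HTML entities inside attribute values before checking the URL scheme.

```php
<?php
// Added example, not code from the thread or from KSES: a compact allow-list filter in the
// spirit of the kses() call above. Names (filter_sig, safe_protocol) and the sample
// signatures are constructed; $allowed is a subset of the post's array. Needs PHP 5.3+.
$allowed_protocols = array('http', 'https', 'mailto');
$allowed = array('img' => array('alt' => 1, 'src' => 1, 'border' => 1, 'hspace' => 1, 'vspace' => 1),
                 'a' => array('href' => 1, 'target' => 1, 'title' => 1),
                 'b' => array(), 'i' => array(), 'u' => array(), 'br' => array());
// True when $url has no scheme, or a scheme listed in $allowed_protocols.
function safe_protocol($url, array $allowed_protocols)
{
    $url = strtolower(preg_replace('/[\x00-\x20]+/', '', $url)); // strip whitespace/control bytes first
    if (!preg_match('/^([a-z][a-z0-9+.-]*):/', $url, $m)) {
        return true; // relative URL
    }
    return in_array($m[1], $allowed_protocols, true);
}
// Unlisted tags vanish, unlisted attributes are dropped, src/href must pass safe_protocol(),
// and surviving attribute values are re-quoted and escaped.
function filter_sig($text, array $allowed, array $allowed_protocols)
{
    return preg_replace_callback('/<([^>]*)>/', function ($m) use ($allowed, $allowed_protocols) {
        if (!preg_match('/^\s*(\/?)([a-zA-Z0-9]+)(.*)$/s', $m[1], $t) || !isset($allowed[strtolower($t[2])])) {
            return ''; // not a tag (comment, stray '<'), or a tag outside the allow-list
        }
        $tag = strtolower($t[2]);
        if ($t[1] === '/') {
            return "</$tag>"; // closing tags carry no attributes
        }
        $out = '';
        preg_match_all('/([a-zA-Z][a-zA-Z0-9_-]*)\s*(?:=\s*("[^"]*"|\'[^\']*\'|[^\s"\'>]+))?/', $t[3], $attrs, PREG_SET_ORDER);
        foreach ($attrs as $a) {
            $name = strtolower($a[1]);
            $val  = isset($a[2]) ? trim($a[2], "\"'") : '';
            if (!isset($allowed[$tag][$name])) {
                continue; // e.g. event-handler or style attributes are never in the list
            }
            if (($name === 'src' || $name === 'href') && !safe_protocol($val, $allowed_protocols)) {
                continue; // only listed URL schemes survive
            }
            $out .= ' ' . $name . '="' . htmlspecialchars($val, ENT_QUOTES) . '"';
        }
        return "<$tag$out>";
    }, $text);
}
// Constructed samples: the tag from the first post, and one carrying a handler attribute and a script.
$samples = array('<img src=http://www.url.com/graphic.jpg border=0> <b>Pride</b>',
                 '<img src="http://www.url.com/graphic.jpg" onerror="evil()"> <script>evil()</script>');
foreach ($samples as $s) {
    echo filter_sig($s, $allowed, $allowed_protocols), "\n";
}
```

The first sample comes through with its img and b tags re-quoted; in the second the handler attribute and the script tags are gone while the plain text between them is kept, which is also how kses behaves.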
 
southern
Client


Joined: Jan 29, 2004
Posts: 591
Location: Texas

Posted: Mon May 10, 2004 9:55 pm

This looks good, sixone. I always like to try things I haven't before, so I'll give it a whirl. If it stops XSS and DoS it's worth it. Congrats on your promotion to admin.

_________________
Computer Science is no more about computers than astronomy is about telescopes.
- E. W. Dijkstra 
sixonetonoffun
Posted: Mon May 10, 2004 10:11 pm

Thanks, but this week it will be more like slave, I think. *wink* I'm sure to get demoted after I confuse a few more people.

I just thought it really fit the niche. If the check_html() has some more options, someone should clue me in, but I don't think it's that flexible. In an ideal world I'd like to see this used for all the large text areas. It's really well tested (Geeklog uses the OOP class; I think they more or less contributed it to the project?).

I really think it approaches the security of BBCode, and it's as flexible as the array of allowed tags and attributes. I haven't followed its mail groups or anything, but I'd imagine there are some nicer examples floating around now.
 
southern
Posted: Mon May 10, 2004 10:32 pm

Ah, I woulda been demoted after 15 minutes.
No way you could confuse the peeps more'n this ol' southern wolf, haha.
Anyway, I understood your directions clear as day. First I need to put on chatserv's 7.1 patches, if I haven't already, then the kses stuff. I don't want ftp in the array though, so I'll remove it, and telnet.
 
Pride
Posted: Wed May 12, 2004 4:04 pm

I am back again... *waits for the cringe*

While it seems that everything we did to get the sigs to work on my site has worked, there seems to be a little problem.

Only I (assuming all admins) can input the signature for the users and have it work.

If I put in the standard <img src=http://www.url.com/picture1.gif> it works fine in everyone's sigs.

If they put in the exact same line, it doesn't work. The line is still there, but nothing shows up.

Any thoughts?
 
sixonetonoffun
Posted: Wed May 12, 2004 4:29 pm

I s'pose we missed an htmlspecialchars() someplace. Does it show in Your_Account and not in the profile and forums, or?
 
Pride
Posted: Wed May 12, 2004 4:46 pm

Hard for me to tell; from what I see when I go into their profile after they "complain" about it, the sig box is empty.
 
sixonetonoffun
Posted: Wed May 12, 2004 4:59 pm

This should get by the filter we installed (I've tested that for sure):
<IMG alt="" hspace="0" src="http://www.netflake.com/images/verification_seal.gif" border="0">

But at your site, when I put it in my profile it doesn't show when I preview a post, so I tried it in the post too because I was curious. It doesn't work there either, so I figure there is some other place htmlspecialchars() is filtering both, because HTML is enabled on the site and in the post I tested in.
 
Pride
Posted: Wed May 12, 2004 5:16 pm

As far as I can tell, the forums on FITES don't allow HTML code... not sure why though.

Also, make sure you have signatures turned on in your profile on FITES...

hmmmm
 
sixonetonoffun
Posted: Wed May 12, 2004 5:19 pm

Yes, I did all that, but it does say HTML enabled. Ugh!
 
Pride
Posted: Wed May 12, 2004 5:31 pm

I know....

And this is Raven's Release (hides behind corner), haha.
 
sixonetonoffun
Posted: Wed May 12, 2004 5:33 pm

Here's a funny one: I just checked on a test site and it's the same crud.
But I could create a new forum and insert that image in the description, lol!

Funny funny!
 
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours