Scripting Blocker

Posted: Mon Feb 02, 2009 2:40 pm

Sorry if this is a reprise of an old theme but ...

In my other life besides working on Ravennuke, I run a bicycle club web site. I am constantly trying to encourage people to submit news items, calendar postings and the like. I don't want to always have them sending me emails and then having to go put the stuff in myself. That's what we have submit news and calendar items for. That's why we have the great wysiwyg editor.

There is a big fly in that ointment. My users use Word or perhaps Open Office writer. They compose everything in there. When they come over to the site and see paste from Word as an option, well they expect to be able to block the stuff from their composition and paste it onto our site. So they go to say, submit news and do the paste and it looks great. They they do a preview and bango they are banned from the site. The Sentinel scripting blocker doesn't like what they are trying to post.

I've had this happen twice in the last month with users who have really important local biking roles. I'd love them to be able to post. It's not an easy "sell" and when they see the big "you are banned" screen they run screaming the other way. I just replicated this. I created a very simple document in Open Office writer. All it had was a simple table with 4 columns and two rows. I typed "now is the time for all good men ... " into a few of the cells. Created a non-admin user and signed off as admin and had the non-admin user submit the thing. Or try to. Bango. Banned. Cpaneled and deleted the IP from htaccess. Phpmyadmin and deleted the IP from banned_ips.

Admittedly NS is highly configurable. First I tried having the scripting blocker just email the admin. I was thinking maybe in the background, as admin, I could get a warning about any suspicious posts while the user would still be able to post. That doesn't work, the user still sees a banned screen even though he/she hasn't been written to htaccess or the banned ip's table. So the only way around this is to turn off the scripting blocker.

And after taking a deep breath and realizing that I am exposing myself potentially to hackers, that's what I'm going to do. You can't be practically begging people to give you content and then banning them as soon as they take an intuitive and invited approach to doing so. It just doesn't work.

Posted: Mon Feb 02, 2009 7:45 pm

I would say use Notepad Smile

Yes I know, losing formatting.. blah blah. But in all fairness, I expect Word (and maybe Open Office) to rely on their own formatted code, which is well... terrible. Even Dreamweaver has their own HTML routines - "clean up M$ spagetti code"

Not any solution here from this post, I admit it. But I don't know necessarily what to do except not accept HTML in the first place? That's the route phpBB3 has taken... go into BBCode only. Which probably will be less accessible to Word and other feature-full word processors.

Worker Joined: Aug 26, 2007 Posts: 236

It don't seem to happen so often though and those that make this once will probably not do that again. Maybe you could hack Submit News and to add text there that warn the copy - paste from Word may result in banning from the site?

Posted: Sun Feb 08, 2009 8:47 am

fkelly, I agree with you. I am finding that this is far more prevalent in the end-user community than you think. I was talking with a non-profit recently about their current issues with a CMS they were using, and guess what? All their teachers have Microsoft Word installed on their classroom computers and that is what they are comfortable with writing their communications in. But, they had to restrict the posting to the CMS to one administrator because of having to clean-up all the garbage Word puts in there. That CMS is also using FCKEditor and I was surprised to learn that the Paste-From-Word doesn't clean it up.

What I really wish is that a plugin for FCKEditor could be found or written that will do a better job of stripping out the bad and keeping the good.

Posted: Sun Feb 08, 2009 9:29 am

M. thank you. Yes, using Word is prevalent in the user community and there is nothing that we as admins are going to do to change that. And unless you are keeping a close eye on the emails you get when someone is banned you won't even notice that users are getting clobbered by NS. It can be really demotivating. A couple of people who got the banned message on my site have basically run for the woods ... even after I apologize for the false positive and make them admins so they won't get it they won't come back and post anything else. I've turned off the scripting blocker and I'll take my chances with that.

It might be worth mentioning that there is a way to turn off Paste from Word in the fckconfig.js file. I had done that at one point but it gotten overwritten in one of the version upgrades. The effect of doing that is that all Word stuff gets pasted as plain text. That's an option but then you always have to remember not to overwrite fckconfig.js.