Ravens PHP Scripts: Forums
 

 

bry2k
New Member



Joined: Dec 07, 2004
Posts: 12

PostPosted: Thu Dec 09, 2004 12:53 am Reply with quote

Hi - I'm fairly new to phpnuke and Nuke Sentinel, so perhaps there is a known workaround, but here's my request.

I find it very limiting that the HTML tag ban in phpnuke applies to all users including the superuser. As the primary site admin and content creator, I need to construct posts with tables, images, styles, etc and post them as news articles. Now with Nuke Sentinel installed, I thought it might be really handy if Sentinel could provide for some way that only superusers, or only specific trusted users (controlled by superuser) could post any HTML/php/script text they want in their posts. Perhaps it's as simple as enclosing the whole tag restriction code in config.php in an IF statement, but it would be cool if it could be managed with nuke sentinel. As site superuser, I need to be able to construct a post without any restrictions, while still applying very strict restrictions to guest and regular users.

What do y'all think? Is there already a workaround for this that someone has come up with? And wouldn't it be cool if you could manage this with Sentinel?

Feedback appreciated! Thanks!

-Bry
 
Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17088

PostPosted: Thu Dec 09, 2004 1:27 am Reply with quote

Actually it's not NukeSentinel stopping you, but phpnuke. Look in mainfile.php and you will see code similar to this
Code:
foreach ($_GET as $secvalue) {
    if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
        (eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
        (eregi("\"", $secvalue))) {
        die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
    }
}

foreach ($_POST as $secvalue) {
    if ((eregi("<[^>]script*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]style*\"?[^>]*>", $secvalue))) {
        die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
    }
}

Modify it to read this and see if that helps
Code:
if (!is_admin($admin)) {

    foreach ($_GET as $secvalue) {
        if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
            (eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
            (eregi("\"", $secvalue))) {
            die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
        }
    }

    foreach ($_POST as $secvalue) {
        if ((eregi("<[^>]script*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]style*\"?[^>]*>", $secvalue))) {
            die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
        }
    }
}


Last edited by Raven on Thu Dec 09, 2004 9:09 am; edited 1 time in total 
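
An added example, not part of the original thread and not phpnuke code: a narrower variant of the wrapper above that keeps the $_GET check for every role and exempts admins from the $_POST check only, on the assumption that admin stories are submitted by POST. The patterns are the ones quoted in this thread, ported from eregi() to preg_match() (eregi() was removed in PHP 7); $isAdmin is a hypothetical stand-in for the result of is_admin($admin), and the sample requests are constructed.

```php
<?php
// Added example, not phpnuke code. Patterns are the ones quoted in this thread,
// ported from eregi() to preg_match(); the /i flag keeps them case-insensitive.
const GET_PATTERNS = [
    '/<[^>]*script*"?[^>]*>/i', '/<[^>]*object*"?[^>]*>/i',
    '/<[^>]*iframe*"?[^>]*>/i', '/<[^>]*applet*"?[^>]*>/i',
    '/<[^>]*meta*"?[^>]*>/i',   '/<[^>]*style*"?[^>]*>/i',
    '/<[^>]*form*"?[^>]*>/i',   '/\([^>]*"?[^)]*\)/i',
    '/"/',
];
const POST_PATTERNS = [
    '/<[^>]*onmouseover*"?[^>]*>/i',
    '/<[^>]*script*"?[^>]*>/i',
    '/<[^>]*style*"?[^>]*>/i',
];

// Returns the key of the first value that matches any pattern, or null.
// array_walk_recursive() also reaches nested values such as field[]=...
function first_blocked(array $input, array $patterns): ?string
{
    $hit = null;
    array_walk_recursive($input, function ($value, $key) use ($patterns, &$hit) {
        foreach ($patterns as $pattern) {
            if ($hit === null && preg_match($pattern, (string) $value) === 1) {
                $hit = (string) $key;
            }
        }
    });
    return $hit;
}

// $isAdmin is a hypothetical stand-in for the result of is_admin($admin).
function request_allowed(bool $isAdmin, array $get, array $post): bool
{
    if (first_blocked($get, GET_PATTERNS) !== null) {
        return false;                 // GET check stays on for every role
    }
    if ($isAdmin) {
        return true;                  // admins may POST any markup
    }
    return first_blocked($post, POST_PATTERNS) === null;
}

// Constructed sample requests: admin story, same story as a user, admin GET markup.
$story = ['hometext' => '<table><tr><td>News</td></tr></table><style>td{color:red}</style>'];
var_dump(request_allowed(true,  ['name' => 'News'], $story));
var_dump(request_allowed(false, ['name' => 'News'], $story));
var_dump(request_allowed(true,  ['q' => '<iframe src=x>'], []));
```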
blith
Client



Joined: Jul 18, 2003
Posts: 977

PostPosted: Thu Dec 09, 2004 9:01 am Reply with quote

Raven I received a parse error when I did this... I did a direct copy and paste.
 
Raven







PostPosted: Thu Dec 09, 2004 9:08 am Reply with quote

My bad - sorry! Change
Code:
if (!is_admin($admin) {
to
Code:
if (!is_admin($admin)) {
 
blith







PostPosted: Thu Dec 09, 2004 9:16 am Reply with quote

That did it. Thank you.
 
bry2k







PostPosted: Thu Dec 09, 2004 9:46 am Reply with quote

Raven, does "is_admin" only resolve to true if the user is superuser, or is it true if the user is any admin user? Is there a way to differentiate? ie - case: superuser, case: admin, case: user

Also, is that chunk of code the only function in phpNuke where the code is parsed to check for restricted HTML tags, or does that 'if' statement need to be applied in any other places as well?

Thanks!

-Bry
 
Raven







PostPosted: Thu Dec 09, 2004 9:49 am Reply with quote

is_admin($admin) will determine if the value in $admin is an admin - period.

No other code should be needed.
 
montego
Site Admin



Joined: Aug 29, 2004
Posts: 9457
Location: Arizona

PostPosted: Mon Dec 13, 2004 10:35 pm Reply with quote

I am confused. I added the IF condition around the foreach and tried to create a NEW Story using the Admin link as such and get the Nuke Sentinel "Ban" message. I thought bry2k was looking to "could post any HTML/php/script text they want in their posts". I am getting banned trying to do this. (Luckily I have "protect admin" turned on.)

Am I missing the original intent of his original post? I would sure love the feature he is recommending. I, too, believe that the superuser/admin should be allowed to use any and all HTML at his/her disposal to jazz-up their messages, News, forums, etc.
 
TheosEleos
Life Cycles Becoming CPU Cycles



Joined: Sep 18, 2003
Posts: 960
Location: Missouri

PostPosted: Tue Dec 21, 2004 10:14 pm Reply with quote

I get this error when I try this fix on my 7.5 site.

Call to a member function on a non-object in /home/blabla/public_html/blablabla/mainfile.php on line 228

nuke 7.5 with newest chatserv patch.

_________________
http://jamesdibben.com 
TheosEleos







PostPosted: Thu Dec 23, 2004 6:06 pm Reply with quote

help!
 
Raven







PostPosted: Thu Dec 23, 2004 6:34 pm Reply with quote

You must have some kind of a typo because it's the exact code that I use.
 
TheosEleos







PostPosted: Thu Dec 23, 2004 6:49 pm Reply with quote

I have this code in mainfile.php
Code:


foreach ($_GET as $secvalue) {
    if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*onmouseover*\"?[^>]*>", $secvalue)) ||
   (eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
   (eregi("\"", $secvalue)) ||
   (eregi("forum_admin", $var_name)) ||
   (eregi("inside_mod", $var_name))) {
   die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
    }
}

foreach ($_POST as $secvalue) {
    if ((eregi("<[^>]*onmouseover*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*script*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*style*\"?[^>]*>", $secvalue))) {
        die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
    }
}


I replaced it with your code above and get that error.
 
Raven







PostPosted: Thu Dec 23, 2004 7:31 pm Reply with quote

Did you bother to put a closing brace at the end?

if (is_admin($admin)) {
// blah blah
}

ROTFL
 
TheosEleos







PostPosted: Thu Dec 23, 2004 8:33 pm Reply with quote

All I did was copy and paste from your above.

I guess there was an extra space or something.

I don't even understand how braces work, lol.

I'm such a newbie!

I did get it fixed, so thanks.
 
TheosEleos







PostPosted: Thu Dec 23, 2004 11:21 pm Reply with quote

I still have it wrong. I get that error when logged in as admin.

 
Raven







PostPosted: Fri Dec 24, 2004 12:09 am Reply with quote

It's actually
Code:
if (!is_admin($admin)) {

   // blah blah
}
 
Nukeum66
Life Cycles Becoming CPU Cycles



Joined: Jul 30, 2003
Posts: 551
Location: Neurotic, State, USA

PostPosted: Fri Dec 24, 2004 12:11 am Reply with quote

Look at the end of your code and make sure it has 3 close tags:
Code:
}

}
}


and not 2:
Code:


}
}

_________________
Scott Johnson MIS Ubuntu/Linux 11.10 
TheosEleos







PostPosted: Fri Dec 24, 2004 12:25 am Reply with quote

I don't understand why just a simple copy and paste of what Raven has posted up there won't work on my 7.5. It worked just fine on my 7.4.

Ah well, I'm going to bed.
 
lochball
New Member



Joined: Dec 03, 2004
Posts: 17

PostPosted: Fri Dec 24, 2004 4:18 pm Reply with quote

I introduced it in my system (7.5, 2.1.1) and it works well. Before that I simply tried to fool out the system by using some sort of html entities - but that's only patch work...

Greetings.

_________________
Unihockey is much more than only a new sporting activity... 
TheosEleos







PostPosted: Sat Dec 25, 2004 4:09 pm Reply with quote

I tried this before installing Sentinel. Does Sentinel have to be installed for this code change to work?
 
Raven







PostPosted: Sat Dec 25, 2004 4:11 pm Reply with quote

No. It has nothing to do with NukeSentinel. It's simply a "wrapper" around that code.
 
TheosEleos







PostPosted: Sat Dec 25, 2004 4:44 pm Reply with quote

Well, then I suck at this and should have my moderator status revoked! ROTFL
 
Raven







PostPosted: Sat Dec 25, 2004 6:02 pm Reply with quote

Is $admin renamed in 7.5?
 
TheosEleos







PostPosted: Sun Dec 26, 2004 9:43 am Reply with quote

I didn't change anything from the default install.
 
manunkind
Client



Joined: Apr 26, 2004
Posts: 368
Location: Albuquerque, NM

PostPosted: Mon Dec 27, 2004 10:18 am Reply with quote

Thanks Raven! This has been bugging me for awhile now. Didn't realize how simple the fix was.
 
All times are GMT - 6 Hours
 