Ravens PHP Scripts: Forums
 

 

jjh221
Worker

Joined: Dec 05, 2006
Posts: 178

Posted: Tue Dec 12, 2006 3:02 am

Hey, could someone explain to me what nohtml does?

My guess would be that it does not allow html in, say, subject fields or titles of pages. Stuff like that?

If I wanted to allow html in those fields (do you think it's a good idea?) how would I do that? I'm thinking it would be nice to be able to set some subject titles bold or even different font size or colors.

thanks,

j

still trying to learn a bit more php

edit:
ok, after reading that a few more times: I would have to create an array in the config.php file using $AllowableHTML. Then I would change all nohtml to check_html, right? That is, in the files I wish to change and scripts I would like to allow html in.

They are saying that it is a security issue. What codes, if you can tell me, should I not allow? Would basic codes like bold, font, color and stuff like that affect me any?
 
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

Posted: Tue Dec 12, 2006 5:27 am

Close... check_html is a mainfile function used in many places through PHP-Nuke. One of the arguments / parameters determines which HTML tags are valid. If you use "nohtml", all HTML tags will be stripped from the text you are checking.

You can determine which tags are valid by modifying $allowed_html in your config.php. If you allow certain tags or certain extensions for certain tags, you might open up security holes.

For nukeWYSIWYG, we changed the check_html function to accept additional (safe) HTML tags that are commonly used in WYSIWYG mode. We added the kses HTML filter to improve Nuke's ability to verify safe HTML and to provide multiple levels of security (e.g. user vs. admin). You can use the check_html enhancements in nukeWYSIWYG even if you aren't using the WYSIWYG editor.

_________________
I google, therefore I exist...
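
To make the difference between "nohtml" and an allowed-tag list concrete, here is an added example (not code from this thread, PHP-Nuke or kses): a small allowlist filter in PHP that strips every tag for "nohtml" and otherwise keeps only listed tags and listed attributes. The names filter_html, $userTags and $adminTags, and the tag lists themselves, are assumptions made for the illustration.

```php
<?php
// Added illustration: a simplified allowlist filter, not PHP-Nuke's check_html() or kses.
// Hypothetical policies: tag name => attributes that tag may keep.
$userTags  = ['b' => [], 'i' => [], 'font' => ['color', 'size']];
$adminTags = $userTags + ['a' => ['href'], 'img' => ['src', 'alt']];

function filter_html(string $text, $allowed): string
{
    if ($allowed === 'nohtml') {
        return strip_tags($text);               // every tag is removed
    }
    // Match a complete tag, or a stray angle bracket that is not part of one.
    $tagRe = '~<(/?)([a-z][a-z0-9]*)\b([^<>]*)>|[<>]~i';
    return preg_replace_callback($tagRe, function (array $m) use ($allowed): string {
        if (($m[2] ?? '') === '') {
            return htmlspecialchars($m[0]);     // stray < or > is shown as text
        }
        $tag = strtolower($m[2]);
        if (!isset($allowed[$tag])) {
            return '';                          // tag is not on the list: dropped
        }
        if ($m[1] === '/') {
            return "</$tag>";
        }
        // Rebuild the tag from scratch, keeping only listed, quoted attributes.
        $out = "<$tag";
        preg_match_all('~([a-z-]+)\s*=\s*(["\'])(.*?)\2~is', $m[3] ?? '', $attrs, PREG_SET_ORDER);
        foreach ($attrs as $a) {
            $name  = strtolower($a[1]);
            $value = html_entity_decode($a[3], ENT_QUOTES | ENT_HTML5);
            $isUrl = in_array($name, ['href', 'src'], true);
            // URLs: http(s) or a relative path only, so no other scheme gets through.
            $urlOk = preg_match('#^(https?:)?[a-z0-9_./%?=&-]*\z#i', $value) === 1;
            if (!in_array($name, $allowed[$tag], true) || ($isUrl && !$urlOk)) {
                continue;
            }
            $out .= ' ' . $name . '="' . htmlspecialchars($value, ENT_QUOTES) . '"';
        }
        return $out . '>';
    }, $text);
}

// Constructed sample post, run through the three levels.
$post = '<b onmouseover="x()">Sale</b> <font color="red">today</font> '
      . '<img src="images/logo.gif" alt="logo"><script>x()</script>';
$levels = ['nohtml' => 'nohtml', 'user' => $userTags, 'admin' => $adminTags];
foreach ($levels as $label => $policy) {
    echo str_pad($label, 8), filter_html($post, $policy), "\n";
}
```

Allowing a tag such as b or font stays low risk only because the filter also discards attributes that are not listed, such as onmouseover; a tag list without an attribute list would not be enough.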
jjh221
Posted: Tue Dec 12, 2006 10:58 pm

ok, I'm using WYSIWYG, good stuff. Although two of the images are not working. They are there, and all same permissions and uploaded all the same. :shrugs:

The thing I was looking for is my site seems very monotoned, which I like! but... it would be nice to have certain subject titles stand out. I'll look a bit more into the code.

WYSIWYG is pretty pimp though.

Is it possible to only allow admin rights to full html code? That way if I was to, say, submit a story or news, instead of basic html I could have full rights to post a story I created in dreamweaver. I can't code really so I copy and paste hehe.

edit:
thanks
 
kguske
Posted: Tue Dec 12, 2006 11:40 pm

When you use the admin function to create a story (or edit a submitted story), you have more abilities than a regular user. It still uses the check_html function, though.
 
jjh221
Posted: Wed Dec 13, 2006 12:12 am

k, I'll have to learn WYSIWYG, dreamweaver is just easy for me, kinda just copy paste too.

thanks,

j

oh do you know why some images are not showing up? only two of them

Insert/Remove Bulleted List and Insert Horizontal Line
 
kguske
Posted: Wed Dec 13, 2006 3:29 pm

You can paste into WYSIWYG from dreamweaver, I think.

Not sure why the bulleted list and HR tags aren't being displayed. Can you see them when you view the source? If so, it might be the CSS.
 
jjh221
Posted: Wed Dec 13, 2006 6:47 pm

I tried to copy and paste, when I do it doesn't save and takes me to like home page or something.

Source, you mean the picture itself? yea I can see the picture in ftp, oh wait im a tard, ima try browser. one sec... k yea I can see in browser. Hmmm that is if I'm looking for the right one. I'm looking in html\includes\FCKeditor\editor\skins\default\toolbar\...

For the bulleted list I'm looking at bulletedlist.gif but I can't seem to find the horizontal line one. So maybe I just don't have them... Ima go change my database table name right now and later on tonight I'll look more into these images.

thanks im a tard hehe

j

oh if you know the names of the images could you tell me, I can check easier that way or if there is another way. Can't right click properties on those images
 
southern
Client


Joined: Jan 29, 2004
Posts: 591
Location: Texas

Posted: Thu Feb 01, 2007 5:20 pm

kguske wrote:
When you use the admin function to create a story (or edit a submitted story), you have more abilities than a regular user. It still uses the check_html function, though.


Well, that's my problem. I can't create or edit a story to include images. I could a week ago can't now. Confused

_________________
Computer Science is no more about computers than astronomy is about telescopes.
- E. W. Dijkstra 
kguske
Posted: Thu Feb 01, 2007 7:03 pm

What changed? A file, PHP setting, the HTML you use to post an image?
 
southern
Posted: Thu Feb 01, 2007 7:33 pm

I upgraded to NukeSentinel 2.5.05 is all I can figure has changed. Now when I try to use an image in a story with the usual < img src tag and hit Preview the entire tag is stripped away when the page comes up. Never seen this happen before.
 
kguske
Posted: Thu Feb 01, 2007 9:36 pm

Very strange. Wasn't aware of any changes to NukeSentinel that might cause this. Did you change your config.php or anything else?
 
southern
Posted: Fri Feb 02, 2007 10:37 am

Not config.php but I may not have put in the right codes in mainfile.php or header.php for NS 2.5.05. Has any code changed in the upgrade that might affect an admin's ability to post images in stories?
 
southern
Posted: Fri Feb 02, 2007 2:00 pm

The mainfile.php code for NS™ 25.05.5 could be the prob. Every time I try to comment out the code
Code:


[ FIND 7.0-7.5 ]------------------------------------------
#
if (!defined('ADMIN_FILE') && !file_exists('includes/nukesentinel.php')) {
  foreach ($_GET as $sec_key => $secvalue) {
    if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*onmouseover*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*body*\"?[^>]*>", $secvalue)) ||
   (eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
   (eregi("\"", $secvalue)) ||
   (eregi("forum_admin", $sec_key)) ||
   (eregi("inside_mod", $sec_key))) {
        die ($htmltags);
    }
}

foreach ($_POST as $secvalue) {
    if ((eregi("<[^>]*onmouseover*\"?[^>]*>", $secvalue)) || (eregi("<[^>]script*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*body*\"?[^>]*>", $secvalue)) || (eregi("<[^>]style*\"?[^>]*>", $secvalue))) {
      die ($htmltags);
    }
  }
}

#
#

So it looks like
Code:


[ COMMENT OUT ]------------------------------------------
#
//if (!defined('ADMIN_FILE') && !file_exists('includes/nukesentinel.php')) {
//  foreach ($_GET as $sec_key => $secvalue) {
//    if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
//   (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
//   (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
//   (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
//   (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
//   (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
//   (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
//   (eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
//   (eregi("<[^>]*onmouseover*\"?[^>]*>", $secvalue)) ||
//   (eregi("<[^>]*body*\"?[^>]*>", $secvalue)) ||
//   (eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
//   (eregi("\"", $secvalue)) ||
//   (eregi("forum_admin", $sec_key)) ||
//   (eregi("inside_mod", $sec_key))) {
//        die ($htmltags);
//    }
//}

//foreach ($_POST as $secvalue) {
//    if ((eregi("<[^>]*onmouseover*\"?[^>]*>", $secvalue)) || (eregi("<[^>]script*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*body*\"?[^>]*>", $secvalue)) || (eregi("<[^>]style*\"?[^>]*>", $secvalue))) {
//      die ($htmltags);
//    }
//  }
//}

like we're told to do in Edits for core files/mainfile.txt I get a blank page and have to restore my backup. This obviously has something to do with an admin's ability to post images so maybe I'm not putting it in my mainfile right.
 
All times are GMT - 6 Hours