Ravens PHP Scripts: Forums
 

 

Ravens PHP Scripts And Web Hosting Forum Index -> RN v2.20.00 - Feedback
Eduardo
Worker


Joined: Jul 20, 2004
Posts: 189
Location: Italy

Posted: Mon Nov 05, 2007 4:09 am

To give maximum compatibility to your system, I advise you to use, in the next release, the following tags:

Code:
$AllowableHTML = array(
   'a' => array('href' => 1, 'target' => 1, 'title' => array('minlen' => 4, 'maxlen' => 120)),
   'b' => array(),
   'blockquote' => array(),
   'br' => array(),
   'center' => array(),
   'div' => array('align' => 1),
   'em' => array(),
   'embed' => array('src' => 1, 'width' => 1, 'height' => 1, 'wmode' => 1, 'type' => 1),
   'font' => array('face' => 1, 'style' => 1, 'color' => 1, 'size' => array('minval' => 1, 'maxval' => 7)),
   'h1' => array(),
   'h2' => array(),
   'h3' => array(),
   'h4' => array(),
   'h5' => array(),
   'h6' => array(),
   'hr' => array(),
   'i' => array(),
   'img' => array('alt' => 1, 'src' => 1, 'hspace' => 1, 'vspace' => 1, 'width' => 1, 'height' => 1, 'border' => 1, 'align' => 1),
   'li' => array(),
   'object' => array('width' => 1, 'height' => 1),
   'ol' => array(),
   'p' => array('align' => 1),
   'param' => array('name' => 1, 'value' => 1),
   'pre' => array('align' => 1),
   'span' => array('class' => 1, 'style' => array('font-family' => 1, 'color' => 1)),
   'strong' => array(),
   'strike' => array(),
   'sub' => array(),
   'sup' => array(),
   'table' => array('align' => 1, 'border' => 1, 'cell' => 1, 'width' => 1, 'cellspacing' => 1, 'cellpadding' => 1),
   'td' => array('align' => 1, 'width' => 1, 'valign' => 1, 'height' => 1, 'rowspan' => 1, 'colspan' => 1, 'bgcolor' => 1),
   'tr' => array('align' => 1),
   'tt' => array(),
   'u' => array(),
   'ul' => array(),
);


They allow me to have the best visibility into my web site.

I installed the version RavenNuke_v2.10.01 but with your config my pages, with midi files embedded, were dumb.

Please visit some page at the following link:
[link visible only to registered forum users]

Best regards.
 
fkelly
Former Moderator in Good Standing


Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

Posted: Mon Nov 05, 2007 7:40 am

Thanks for the suggestion.

The allowablehtml array is meant to be visible and configurable by individual web masters. There is not necessarily one size fits all. It would be helpful if you could post what changes you made and why ... that would be more useful than just posting an alternative.
 
Gremmie
Former Moderator in Good Standing


Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

Posted: Mon Nov 05, 2007 7:56 am

The config file is exactly that, a file for you to tailor to your site and your site's needs.

Having object and param in there is kind of dangerous as you may open yourself up to Flash or ActiveX based cross site scripting. You don't want just anyone submitting object tags. (Doesn't Sentinel already block these?)

Also, remember that as an admin, the allowable HTML checks are usually disabled. I tend to post news items, etc, that need YouTube videos or what have you as an admin so I can bypass that check and still get the content I want on the site.

Eduardo
Posted: Mon Nov 05, 2007 8:21 am

Are you able to test the vulnerability of my portal?
[link visible only to registered forum users]

Many thanks in advance for your collaboration.
 
Gremmie
Posted: Mon Nov 05, 2007 11:36 am

No, sorry, I don't have the time or expertise to test your site's defenses. You should know that many PHP HTML filtering scripts automatically have object, embed, and param on their "black list" of disallowed tags. And these tags are mentioned in PHP security books as ones to avoid.

My advice is: if you trust your users then by all means allow those tags. But if just anyone can join your site I would not allow them if it was my site. As an admin, however, you can add content with those tags (assuming the module was coded correctly).
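
The advice in the posts above, as an added example that is not part of the original thread and is not RavenNuke code: a PHP check that lists which plugin-loading tags (object, embed, param) an allowlist in the posted $AllowableHTML shape permits, and derives a copy without them for untrusted submitters. The function names and the shortened sample array are assumptions made for illustration.

```php
<?php
// Added example, not RavenNuke code. Tags the thread names as commonly
// disallowed because they load plugin content (Flash, ActiveX).
$pluginTags = array('object', 'embed', 'param');

// Constructed sample in the same shape as the $AllowableHTML array posted above.
$AllowableHTML = array(
    'a'      => array('href' => 1, 'target' => 1),
    'b'      => array(),
    'embed'  => array('src' => 1, 'width' => 1, 'height' => 1, 'wmode' => 1, 'type' => 1),
    'img'    => array('alt' => 1, 'src' => 1),
    'object' => array('width' => 1, 'height' => 1),
    'param'  => array('name' => 1, 'value' => 1),
);

// Hypothetical helper: map each allowed plugin tag to the attributes it accepts.
function auditAllowlist(array $allowed, array $pluginTags)
{
    $findings = array();
    foreach ($allowed as $tag => $attrs) {
        $name = strtolower($tag);
        if (in_array($name, $pluginTags, true)) {
            $findings[$name] = array_keys($attrs);
        }
    }
    ksort($findings);
    return $findings;
}

// Hypothetical helper: copy of the allowlist with the plugin tags removed,
// for content submitted by users who are not trusted.
function restrictForUntrusted(array $allowed, array $pluginTags)
{
    $safe = array();
    foreach ($allowed as $tag => $attrs) {
        if (!in_array(strtolower($tag), $pluginTags, true)) {
            $safe[$tag] = $attrs;
        }
    }
    return $safe;
}

foreach (auditAllowlist($AllowableHTML, $pluginTags) as $tag => $attrs) {
    echo "plugin tag allowed: <$tag> attributes: " . implode(', ', $attrs) . "\n";
}
$untrusted = restrictForUntrusted($AllowableHTML, $pluginTags);
echo "tags left for untrusted users: " . implode(', ', array_keys($untrusted)) . "\n";
```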
 
Eduardo
Posted: Mon Nov 05, 2007 1:35 pm

Please tell me if MIDI performance is possible in the phpnuke system without the embed tag.
 
roblom
New Member


Joined: Oct 18, 2007
Posts: 4

Posted: Wed Dec 12, 2007 2:49 pm

No offence, but the MIDI files on your site are the most irritating bleeps I've ever heard. It made me close the window because I couldn't find an 'off' button.
 
Eduardo
Posted: Thu Dec 13, 2007 2:10 am

The MIDI is an international standard. It is not mine.

You need to set up your browser, plug-in and OS.
 
All times are GMT - 6 Hours
 