Ravens PHP Scripts: Forums
 

 

rickleigh
Worker


Joined: Jan 06, 2009
Posts: 183

Posted: Tue Oct 20, 2009 8:32 am

Well, as I continue to test the editor, I now find that when I try to save a script in the Advertising Module it doesn't save to the DB. I turned on error logging and it's not giving any errors.

My host said that they have reverted back to the old PHP ver. So it shouldn't be an issue anymore. They are also saying that there are too many third party systems out there and they don't support them. Basically saying that they're done working on these issues with the FCKeditor :evil:

Upsets me because I had no issues until they changed things on their server.

So far I have only found that the FCKeditor has been affected. Would anyone that understands what this feature needs from the host be willing to call my host and provide them with the info they need/was in place before to get this working?

I don't know what else to do besides change host, which I don't have the money for at this time. :evil:

_________________
Thanks,
Rick Leigh

Last edited by rickleigh on Tue Oct 20, 2009 11:46 am; edited 1 time in total 
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

Posted: Tue Oct 20, 2009 9:40 am

This isn't an issue with FCKeditor, but with the Advertising module. It needs to allow administrators to save javascript.

_________________
I google, therefore I exist...
rickleigh
Posted: Tue Oct 20, 2009 9:54 am

kguske wrote:
This isn't an issue with FCKeditor, but with the Advertising module. It needs to allow administrators to save javascript.


How can this be fixed and how would it have changed from it working before?

Thanks,
Rick
 
kguske
Posted: Tue Oct 20, 2009 10:36 am

I don't believe the Advertising module used the visual editor before, and it probably didn't use the HTML checking that goes with it. We can probably change it to not do HTML checking on the admin function (i.e. creating an ad). fkelly worked on that and may be able to shed some light on it.
 
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6792
Location: Ha Noi, Viet Nam

Posted: Tue Oct 20, 2009 10:39 am

The Advertising module has never allowed JavaScript to be saved as it is usually stripped for security purposes. If you really, really must have it, the only way around it at the moment is to create your ad with some dummy code, save it, then change it in the database directly.
 
kguske
Posted: Tue Oct 20, 2009 10:44 am

It did use the editor before, but now has this statement in modules/Advertising/admin/index.php:
Code:
   $ad_code = mysql_real_escape_string(check_html($ad_code, ''));

That code is in 2 places (adding, editing), and appears to be the reason you can't do what you need (i.e., if you comment out those lines, it might work).
 
rickleigh
Posted: Tue Oct 20, 2009 11:23 am

I just noticed that my RN2.3 install (Live Site) uses a plain text editor and the RN2.4 install (Test Site) is using the FCKeditor. Was this an update for the RN2.4 ver.?

The 2.4 also adds another step before getting to the editor vs. the 2.3, which goes straight to it. This is not a big deal, just trying to explain how my site is set up in case it's different from others. Both vers. are standard installs with no mods done to this module.

kguske wrote:

That code is in 2 places (adding, editing), and appears to be the reason you can't do what you need (i.e., if you comment out those lines, it might work).

I was only able to find this code in one area in the index.php from the RN2.4 install.

Guardian2003 wrote:

The Advertising module has never allowed JavaScript to be saved as it is usually stripped for security purposes. If you really, really must have it, the only way around it at the moment is to create your ad with some dummy code, save it, then change it in the database directly.

I did this already to get the ads working for now. ;) I use the Google ads on my site, which are coded with JavaScript. So I would like to see this working in the Advertising area only if possible.
 
rickleigh
Posted: Tue Oct 20, 2009 11:33 am

kguske wrote:
It did use the editor before, but now has this statement in modules/Advertising/admin/index.php:
Code:
   $ad_code = mysql_real_escape_string(check_html($ad_code, ''));

That code is in 2 places (adding, editing), and appears to be the reason you can't do what you need (i.e., if you comment out those lines, it might work).


I did end up finding both lines of code. After commenting this out, it allowed me to save the code to the database.

So... is this safe to keep like this?
 
Guardian2003
Posted: Tue Oct 20, 2009 11:34 am

rickleigh, my apologies for leading you astray, kguske is right, the Advertising module did allow JS before. I was misleading myself as I was using a custom Advertising module until I migrated to RN2.4.
The code that kguske pointed to is in lines 570 and 826 of the module's index file.

Yes FCKeditor was added in RN2.4 to make life a little easier for administrators but please keep in mind that a site can have a number of administrators, some of whom may not be aware of the dangers of javascript if used incorrectly, which is why it is stripped out.
 
kguske
Posted: Tue Oct 20, 2009 11:37 am

OK, the 2 lines to comment out are:
Code:


   $ad_code = mysql_real_escape_string(check_html($ad_code , ''));
   $ad_code = mysql_real_escape_string(check_html($ad_code, ''));
 
rickleigh
Posted: Tue Oct 20, 2009 11:41 am

Guardian2003 wrote:
rickleigh, my apologies for leading you astray, kguske is right, the Advertising module did allow JS before. I was misleading myself as I was using a custom Advertising module until I migrated to RN2.4.
The code that kguske pointed to is in lines 570 and 826 of the module's index file.

Yes FCKeditor was added in RN2.4 to make life a little easier for administrators but please keep in mind that a site can have a number of administrators, some of whom may not be aware of the dangers of javascript if used incorrectly, which is why it is stripped out.


Just don't let it happen again! J/K
I understand the risk and right now am a one-man show for admins on my site :) But, if needed I will un-comment out the code and edit the DB for JavaScript if other admins are needed ;)
 
rickleigh
Posted: Tue Oct 20, 2009 11:44 am

kguske wrote:
OK, the 2 lines to comment out are:
Code:


   $ad_code = mysql_real_escape_string(check_html($ad_code , ''));
   $ad_code = mysql_real_escape_string(check_html($ad_code, ''));


We must have been typing at the same time. I got them now.

Thanks, guys. Hope I don't find anything else for a while. My hair is turning grey as I am trying to get my new site live (AKA Testsite) and keep finding these little issues :lol:
 
Palbin
Site Admin


Joined: Mar 30, 2006
Posts: 2583
Location: Pittsburgh, Pennsylvania

Posted: Tue Oct 20, 2009 12:20 pm

There are other modules that allow admins to post whatever they want. So this would not be any more of a security risk than those.

_________________
"Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it." — Brian W. Kernighan. 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9449
Location: Arizona

Posted: Sat Oct 24, 2009 8:37 am

And now that we have added CSRF protection in most of the admin areas (plus a few more) it makes this even less of a security risk as "if you cannot trust your admins, then don't make them an admin" (my motto because I hate it when I, as an admin, cannot do whatever it is that I need to do to run my site effectively - and having to edit using phpMyAdmin is not my definition of "effectively").

We'll have to look at this again.

rickleigh
Posted: Sat Oct 24, 2009 9:47 am

Here is another issue that I believe has something to do with these changes as well: Only registered users can see links on this board! Get registered or login!
 
Palbin
Posted: Sat Oct 24, 2009 11:43 pm

You should be doing this in my opinion and commenting out the lines.

Code:


$ad_code = mysql_real_escape_string(check_html($ad_code, 'nocheck'));
 
fkelly
Former Moderator in Good Standing


Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

Posted: Mon Oct 26, 2009 2:22 pm

First thanks to my fellow team members, Kguske, Palbin, Guardian and Montego for stepping in to help with Advertising in my absence or distraction (some of both). While it looks like RickLeigh's immediate problem is resolved with Palbin's code, we will need to do something more systematic for the 2.4.01 patch release.

Just to explain a little, I stepped in to fix up the advertising module a bit when I noticed a bunch of compliance type errors on my own site(s). It turned out that the problems were much more serious than just compliance: there were SQL errors scattered through the various functions as well as some seriously user-unfriendly editing in the screens.

I think that I succeeded in both tightening up the editing (and systematizing the validation) while at the same time making the screens friendlier. (One example: you get different input screens for ads that are code versus image or flash so you don't have to guess which fields to fill out to go with each (and get whacked with an error message and have all your input wiped out if you guessed wrong)).

Unfortunately I didn't know what kind of input folks were putting in their buy_links and ad_code fields. The edits in 2.4 allow through any HTML that's listed in the $AllowableHTML array in rnconfig, but that does not include, for instance, forms and buttons that people are using with Paypal buttons. So, we need to fix that.

Such is the price and pace of progress.
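
The line discussed throughout this thread does two jobs at once: `check_html()` applies the HTML policy and `mysql_real_escape_string()` protects the query, so commenting out the whole line removes both on that line. The following is an added example, not RavenNuke code: `filter_ad_code()`, `save_ad()`, the `ads` table and the tag list are hypothetical, with `strip_tags()` and in-memory SQLite standing in for `check_html()`/`$AllowableHTML` and MySQL. It keeps the two concerns separate so that relaxing the HTML policy for admins never relaxes the SQL handling.

```php
<?php
// Added illustration; not RavenNuke code. filter_ad_code(), save_ad() and the
// "ads" table are hypothetical, and SQLite in memory stands in for MySQL.

// Tag allowlist standing in for $AllowableHTML (constructed sample values).
const ALLOWED_TAGS = '<a><b><i><img><p><br>';

// HTML policy only: 'check' applies the allowlist, 'nocheck' passes admin input through.
function filter_ad_code(string $html, string $mode): string
{
    return $mode === 'nocheck' ? $html : strip_tags($html, ALLOWED_TAGS);
}

// SQL safety only: a bound parameter, applied whatever the HTML policy was.
function save_ad(PDO $db, string $adCode): int
{
    $stmt = $db->prepare('INSERT INTO ads (ad_code) VALUES (:code)');
    $stmt->execute([':code' => $adCode]);
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ads (id INTEGER PRIMARY KEY, ad_code TEXT)');

// Constructed samples: a script-based ad and a form-based button, both with quotes.
$samples = [
    'script ad'   => "<script>var slot = 'top-banner';</script><b>Sponsor</b>",
    'form button' => "<form action='/pay' method='post'><input type='submit' value='Buy'></form>",
];

foreach ($samples as $label => $raw) {
    foreach (['check', 'nocheck'] as $mode) {
        // Filter according to policy, store with a bound parameter, read back.
        $id = save_ad($db, filter_ad_code($raw, $mode));
        $q = $db->prepare('SELECT ad_code FROM ads WHERE id = ?');
        $q->execute([$id]);
        printf("%-11s %-7s => %s\n", $label, $mode, $q->fetchColumn());
    }
}
```

In `check` mode the script ad is stored as bare JavaScript text with its tags gone and the form button is stored as an empty string, which is why such ads stop working; in `nocheck` mode both are stored verbatim, quotes included, without breaking the query.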
 
rickleigh
Posted: Mon Oct 26, 2009 3:11 pm

fkelly wrote:
First thanks to my fellow team members, Kguske, Palbin, Guardian and Montego for stepping in to help with Advertising in my absence or distraction (some of both). While it looks like RickLeigh's immediate problem is resolved with Palbin's code, we will need to do something more systematic for the 2.4.01 patch release.


I want to thank you all as well and hope that everyone understands that this frustration had nothing to do with you guys. Being that I am a PHP student and sites like this acting as my teacher, I had no clue if these problems were something in the code or the fact that my host made changes to their servers. So, I hope everyone helping with my problems that are being posted here understands that I am a good follower of instructions, but when it comes to understanding what is causing it "code/server" I have no clue until I receive your guidance.

I have a few other issues that will be posted seeking your help, but not stopping my site from functioning at this time. So, again thanks for everything you guys do and hope to continue receiving your input.
 