Ravens PHP Scripts: Forums
 

 

neralex
The Mouse Is Extension Of Arm


Joined: Aug 22, 2007
Posts: 1295
Location: Germany

Posted: Fri Jun 27, 2014 1:12 pm

As the title says, I have an issue with the sentinel in RN25x with a typed iframe-tag as user in the text-fields while storing data in the database. As admin this issue doesn't exist. Where can I change this rule for the sentinel so that normal users can use the iframe-tag?


Last edited by neralex on Sat Aug 20, 2016 10:53 am; edited 2 times in total 
nuken
RavenNuke(tm) Development Team


Joined: Mar 11, 2007
Posts: 2024
Location: North Carolina

Posted: Fri Jun 27, 2014 4:17 pm

I think you just need to add it to the Allowablehtml array in rnconfig.

neralex
Posted: Sat Jun 28, 2014 10:12 am

That was my first idea but the tag is inside the array and as admin I can store the iframe-tag without a hit. This array has no restrictions for user/admins and the other thing is I'm getting a sentinel block-page with Abuse-Script.

In nukesentinel.php I found this:

php Code:

    function var_scripting_recursive($array, $type, $blocker_row) {

        foreach ($array as $sec_key => $secvalue) {
            if (is_array($secvalue)) {
                var_scripting_recursive($secvalue, $type, $blocker_row);
            } else {
                if ($type == 'get') {
                    if((preg_match('/<[^>]script*\"?[^>]*>/i', $secvalue)) ||
                    (preg_match('/<[^>]*object*\"?[^>]*>/i', $secvalue)) ||
                    (preg_match('/<[^>]*iframe*\"?[^>]*>/i', $secvalue)) ||
                    (preg_match('/<[^>]*applet*\"?[^>]*>/i', $secvalue)) ||
                    (preg_match('/<[^>]*meta*\"?[^>]*>/i', $secvalue)) ||
                    (preg_match('/<[^>]style*\"?[^>]*>/i', $secvalue)) ||
                    (preg_match('/<[^>]*form*\"?[^>]*>/i', $secvalue)) ||
                    (preg_match('/<[^>]*img*\"?[^>]*>/i', $secvalue)) ||
                    (preg_match('/<[^>]*onmouseover*\"?[^>]*>/i', $secvalue)) ||
                    (preg_match('/<[^>]body*\"?[^>]*>/i', $secvalue) && !preg_match('/<[^>]tbody*\"?[^>]*>/i', $secvalue)) ||
                    (preg_match('/\([^>]*\"?[^)]*\)/i', $secvalue)) ||
                    (strstr($secvalue, '\"')) ||
                    (stristr($sec_key, 'forum_admin')) ||
                    (stristr($sec_key, 'inside_mod'))) {
                        block_ip($blocker_row);
                    }
                }
                if ($type == 'post'){
                    if(( preg_match('/<[^>]*iframe*\"?[^>]*/i', $secvalue)) ||
                    ( preg_match('/<[^>]*object*\"?[^>]*/i', $secvalue)) ||
                    ( preg_match('/<[^>]*applet*\"?[^>]*/i', $secvalue)) ||
                    ( preg_match('/<[^>]*meta*\"?[^>]*/i', $secvalue)) ||
                    ( preg_match('/<[^>]*onmouseover*\"?[^>]*/i', $secvalue)) ||
                    ( preg_match('/<[^>]script*\"?[^>]*/i', $secvalue)) ||
                    ( preg_match('/<[^>]body*\"?[^>]*>/i', $secvalue) && !preg_match('/<[^>]tbody*\"?[^>]*>/i', $secvalue)) ||
                    ( preg_match('/<[^>]style*\"?[^>]*/i', $secvalue))) {
                        block_ip($blocker_row);
                    }
                }
            }
        }
    }


I changed it to this one:

php Code:

    function var_scripting_recursive($array, $type, $blocker_row) {

        foreach ($array as $sec_key => $secvalue) {
            if (is_array($secvalue)) {
                var_scripting_recursive($secvalue, $type, $blocker_row);
            } else {
                if ($type == 'get') {
                    if((preg_match('/<[^>]script*\"?[^>]*>/i', $secvalue)) ||
                    (preg_match('/<[^>]*object*\"?[^>]*>/i', $secvalue)) ||
                    #(preg_match('/<[^>]*iframe*\"?[^>]*>/i', $secvalue)) ||
                    (preg_match('/<[^>]*applet*\"?[^>]*>/i', $secvalue)) ||
                    (preg_match('/<[^>]*meta*\"?[^>]*>/i', $secvalue)) ||
                    (preg_match('/<[^>]style*\"?[^>]*>/i', $secvalue)) ||
                    (preg_match('/<[^>]*form*\"?[^>]*>/i', $secvalue)) ||
                    (preg_match('/<[^>]*img*\"?[^>]*>/i', $secvalue)) ||
                    (preg_match('/<[^>]*onmouseover*\"?[^>]*>/i', $secvalue)) ||
                    (preg_match('/<[^>]body*\"?[^>]*>/i', $secvalue) && !preg_match('/<[^>]tbody*\"?[^>]*>/i', $secvalue)) ||
                    (preg_match('/\([^>]*\"?[^)]*\)/i', $secvalue)) ||
                    (strstr($secvalue, '\"')) ||
                    (stristr($sec_key, 'forum_admin')) ||
                    (stristr($sec_key, 'inside_mod'))) {
                        block_ip($blocker_row);
                    }
                }
                if ($type == 'post'){
                    #if(( preg_match('/<[^>]*iframe*\"?[^>]*/i', $secvalue)) ||
                    if(( preg_match('/<[^>]*object*\"?[^>]*/i', $secvalue)) ||
                    ( preg_match('/<[^>]*applet*\"?[^>]*/i', $secvalue)) ||
                    ( preg_match('/<[^>]*meta*\"?[^>]*/i', $secvalue)) ||
                    ( preg_match('/<[^>]*onmouseover*\"?[^>]*/i', $secvalue)) ||
                    ( preg_match('/<[^>]script*\"?[^>]*/i', $secvalue)) ||
                    ( preg_match('/<[^>]body*\"?[^>]*>/i', $secvalue) && !preg_match('/<[^>]tbody*\"?[^>]*>/i', $secvalue)) ||
                    ( preg_match('/<[^>]style*\"?[^>]*/i', $secvalue))) {
                        block_ip($blocker_row);
                    }
                }
            }
        }
    }


Note: for websites with many users who have the choice to publish articles or other content in forms, it is maybe not the best way to remove the restrictions for iframes, but in a time where YouTube, SoundCloud and other big networks are providing embedded content in iframes and registered users should have the choice to use it in forms to publish their content in RN, it is a way to solve it.
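
Added example, not part of the thread and not NukeSentinel code: instead of commenting out the iframe check for every GET and POST value, a narrower option is to accept an iframe only when its src is https on a named embed host. The function name, the host list and the sample strings are assumptions constructed for illustration.

```php
<?php
// Added illustration, not NukeSentinel code. The function name and the
// host list are hypothetical; the sample inputs are constructed.

// True only if every <iframe> in $html has an https src on an allowlisted
// host and carries no srcdoc or on* (event handler) attribute.
function iframes_are_allowlisted(string $html, array $allowedHosts): bool
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // tolerate sloppy user HTML
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    foreach ($doc->getElementsByTagName('iframe') as $frame) {
        foreach ($frame->attributes as $attr) {
            $name = strtolower($attr->name);
            if ($name === 'srcdoc' || strncmp($name, 'on', 2) === 0) {
                return false;                   // inline document or handler
            }
        }
        $parts = parse_url(trim($frame->getAttribute('src')));
        if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
            return false;                       // missing, relative or malformed src
        }
        if (strtolower($parts['scheme']) !== 'https') {
            return false;
        }
        if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
            return false;                       // exact host match, no suffix tricks
        }
    }
    return true;
}

$allowed = ['www.youtube.com', 'w.soundcloud.com'];   // assumed embed hosts
$samples = [                                          // constructed inputs
    '<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>',
    '<iframe src="http://www.youtube.com/embed/VIDEO_ID"></iframe>',
    '<iframe src="https://www.youtube.com.example.net/x"></iframe>',
    '<iframe srcdoc="x" src="https://www.youtube.com/embed/VIDEO_ID"></iframe>',
    '<p>text without frames</p>',
];
foreach ($samples as $s) {
    printf("%-5s %s\n", iframes_are_allowlisted($s, $allowed) ? 'allow' : 'block', $s);
}
```

The check covers iframes only; the object, applet, meta, script, body and style patterns in `var_scripting_recursive` still apply to the same value.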
 
All times are GMT - 6 Hours
 