rickleigh
Worker

Joined: Jan 06, 2009
Posts: 183

Posted: Tue Oct 20, 2009 8:32 am

Well as I continue to test the editor, I now find that when I try to save a script in the Advertising Module it doesn't save to the DB. I turned on error logging and it's not giving any errors.

My host said that they have reverted back to the old PHP ver. So it shouldn't be an issue anymore. They are also saying that there are too many third party systems out there and they don't support them. Basically saying that they're done working on these issues with the FCKeditor.

Upsets me because I had no issues until they changed things on their server.

So far I have only found that the FCKeditor has been affected. Would anyone that understands what this feature needs from the host be willing to call my host and provide them with the info they need/was in place before to get this working?

I don't know what else to do besides change host which I don't have the money for at this time.


Last edited by rickleigh on Tue Oct 20, 2009 11:46 am; edited 1 time in total

kguske
Site Admin

Joined: Jun 04, 2004
Posts: 6044

Posted: Tue Oct 20, 2009 9:40 am

This isn't an issue with FCKeditor, but with the Advertising module. It needs to allow administrators to save javascript.

rickleigh
Worker

Joined: Jan 06, 2009
Posts: 183

Posted: Tue Oct 20, 2009 9:54 am

kguske wrote:
This isn't an issue with FCKeditor, but with the Advertising module. It needs to allow administrators to save javascript.


How can this be fixed and how would it have changed from it working before?

Thanks,
Rick

kguske
Site Admin

Joined: Jun 04, 2004
Posts: 6044

Posted: Tue Oct 20, 2009 10:36 am

I don't believe the Advertising module used the visual editor before, and it probably didn't use the HTML checking that goes with it. We can probably change it to not do HTML checking on the admin function (i.e. creating an ad). fkelly worked on that and may be able to shed some light on it.

Guardian2003
Site Admin

Joined: Aug 28, 2003
Posts: 6373
Location: Vsetin, Czech Republic

Posted: Tue Oct 20, 2009 10:39 am

The Advertising module has never allowed JavaScript to be saved as it is usually stripped for security purposes. If you really, really must have it, the only way around it at the moment is to create your ad with some dummy code, save it, then change it in the database directly.

kguske
Site Admin

Joined: Jun 04, 2004
Posts: 6044

Posted: Tue Oct 20, 2009 10:44 am

It did use the editor before, but now has this statement in modules/Advertising/admin/index.php:
Code:
   $ad_code = mysql_real_escape_string(check_html($ad_code, ''));

That code is in 2 places (adding, editing), and appears to be the reason you can't do what you need (i.e., if you comment out those lines, it might work).

rickleigh
Worker

Joined: Jan 06, 2009
Posts: 183

Posted: Tue Oct 20, 2009 11:23 am

I just noticed that my RN2.3 install (Live Site) uses a plain text editor and the RN2.4 install (Test Site) is using the FCKeditor. Was this an update for the RN2.4 ver.?

The 2.4 also adds another step before getting to the editor vs. the 2.3, which goes straight to it. This is not a big deal, just trying to explain how my site is set up in case it's different from others. Both vers. are standard installs with no mods done to this module.

kguske wrote:

That code is in 2 places (adding, editing), and appears to be the reason you can't do what you need (i.e., if you comment out those lines, it might work).

I was only able to find this code in one area in the index.php from the RN2.4 install.

Guardian2003 wrote:

The Advertising module has never allowed JavaScript to be saved as it is usually stripped for security purposes. If you really, really must have it, the only way around it at the moment is to create your ad with some dummy code, save it, then change it in the database directly.

I did this already to get the ads working for now. I use the Google ads on my site which is coded with JavaScript. So I would like to see this working in the Advertising area only if possible.

rickleigh
Worker

Joined: Jan 06, 2009
Posts: 183

Posted: Tue Oct 20, 2009 11:33 am

kguske wrote:
It did use the editor before, but now has this statement in modules/Advertising/admin/index.php:
Code:
   $ad_code = mysql_real_escape_string(check_html($ad_code, ''));

That code is in 2 places (adding, editing), and appears to be the reason you can't do what you need (i.e., if you comment out those lines, it might work).


I did end up finding both lines of code. After commenting this out, it allowed me to save the code to the database.

So.. Is this safe to keep like this?

Guardian2003
Site Admin

Joined: Aug 28, 2003
Posts: 6373
Location: Vsetin, Czech Republic

Posted: Tue Oct 20, 2009 11:34 am

rickleigh, my apologies for leading you astray, kguske is right, the Advertising module did allow JS before. I was misleading myself as I was using a custom Advertising module until I migrated to RN2.4
The code that kguske pointed to is in lines 570 and 826 of the module's index file.

Yes FCKeditor was added in RN2.4 to make life a little easier for administrators but please keep in mind that a site can have a number of administrators, some of whom may not be aware of the dangers of javascript if used incorrectly, which is why it is stripped out.

kguske
Site Admin

Joined: Jun 04, 2004
Posts: 6044

Posted: Tue Oct 20, 2009 11:37 am

OK, the 2 lines to comment out are:
Code:

   $ad_code = mysql_real_escape_string(check_html($ad_code , ''));
   $ad_code = mysql_real_escape_string(check_html($ad_code, ''));

rickleigh
Worker

Joined: Jan 06, 2009
Posts: 183

Posted: Tue Oct 20, 2009 11:41 am

Guardian2003 wrote:
rickleigh, my apologies for leading you astray, kguske is right, the Advertising module did allow JS before. I was misleading myself as I was using a custom Advertising module until I migrated to RN2.4
The code that kguske pointed to is in lines 570 and 826 of the module's index file.

Yes FCKeditor was added in RN2.4 to make life a little easier for administrators but please keep in mind that a site can have a number of administrators, some of whom may not be aware of the dangers of javascript if used incorrectly, which is why it is stripped out.


Just don't let it happen again! J/K
I understand the risk and right now am a one man show for admins on my site. But, if needed I will un-comment out the code and edit the DB for Javascript if other admins are needed.

rickleigh
Worker

Joined: Jan 06, 2009
Posts: 183

Posted: Tue Oct 20, 2009 11:44 am

kguske wrote:
OK, the 2 lines to comment out are:
Code:

   $ad_code = mysql_real_escape_string(check_html($ad_code , ''));
   $ad_code = mysql_real_escape_string(check_html($ad_code, ''));


We must have been typing at the same time. I got them now.

Thanks Guys. Hope I don't find anything else for awhile. My hair is turning grey as I am trying to get my new site live (AKA Testsite) and keep finding these little issues.

Palbin
Site Admin

Joined: Mar 30, 2006
Posts: 2456
Location: Pittsburgh, Pennsylvania

Posted: Tue Oct 20, 2009 12:20 pm

There are other modules that allow admins to post whatever they want. So this would not be any more of a security risk than those.

montego
Site Admin

Joined: Aug 29, 2004
Posts: 9136
Location: Arizona

Posted: Sat Oct 24, 2009 8:37 am

And now that we have added CSRF protection in most of the admin areas (plus a few more) it makes this even less of a security risk as "if you cannot trust your admins, then don't make them an admin" (my motto because I hate it when I, as an admin, cannot do whatever it is that I need to do to run my site effectively - and having to edit using phpMyAdmin is not my definition of "effectively").

We'll have to look at this again.

rickleigh
Worker

Joined: Jan 06, 2009
Posts: 183

Posted: Sat Oct 24, 2009 9:47 am

Here is another issue that I believe has something to do with these changes as well:
Only registered users can see links on this board!
Get registered or login to the forums!

Palbin
Site Admin

Joined: Mar 30, 2006
Posts: 2456
Location: Pittsburgh, Pennsylvania

Posted: Sat Oct 24, 2009 11:43 pm

You should be doing this in my opinion and commenting out the lines.

Code:

$ad_code = mysql_real_escape_string(check_html($ad_code, 'nocheck'));

fkelly
Moderator

Joined: Aug 30, 2005
Posts: 3186
Location: near Albany NY

Posted: Mon Oct 26, 2009 2:22 pm

First thanks to my fellow team members, Kguske, Palbin, Guardian and Montego for stepping in to help with Advertising in my absence or distraction (some of both). While it looks like RickLeigh's immediate problem is resolved with Palbin's code, we will need to do something more systematic for the 2.4.01 patch release.

Just to explain a little, I stepped in to fix up the advertising module a bit when I noticed a bunch of compliance type errors on my own site(s). It turned out that the problems were much more serious than just compliance, there were SQL errors scattered through the various functions as well as some seriously user unfriendly editing in the screens.

I think that I succeeded in both tightening up the editing (and systematizing the validation) while at the same time making the screens friendlier. (One example: you get different input screens for ads that are code versus image or flash so you don't have to guess which fields to fill out to go with each (and get whacked with an error message and have all your input wiped out if you guessed wrong)).

Unfortunately I didn't know what kind of input folks were putting in their buy_links and ad_code fields. The edits in 2.4 allow through any html that's listed in the $AllowableHTML array in rnconfig but that does not include, for instance, forms and buttons that people are using with Paypal buttons. So, we need to fix that.

Such is the price and pace of progress.
View user's profile Send private message Visit poster's website
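
fkelly's point about $AllowableHTML, as an added example that is not part of the thread and is not RavenNuke's code: an allowlist filter for ad markup that admits the form and button tags a payment widget needs while still dropping script elements, event-handler attributes and non-http(s) URLs. The function name, the constants and the tag map are hypothetical, and the sample markup is constructed.

```php
<?php
// Hypothetical allowlist (tag => permitted attributes); not RavenNuke's real $AllowableHTML.
const AD_ALLOWED = [
    'a' => ['href', 'title'], 'img' => ['src', 'alt', 'width', 'height'],
    'form' => ['action', 'method', 'target'],
    'input' => ['type', 'name', 'value', 'src', 'alt'],
    'p' => [], 'div' => [], 'b' => [], 'i' => [], 'br' => [],
];
const AD_DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed'];
const AD_URL_ATTRS = ['href', 'src', 'action'];
function filter_ad_html(string $html): string
{
    // Parse the fragment inside a known UTF-8 page; only <body> children are returned.
    $page = '<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
          . '</head><body>' . $html . '</body></html>';
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // ad markup is rarely well-formed
    $doc->loadHTML($page);
    $body = $doc->getElementsByTagName('body')->item(0);
    foreach (iterator_to_array($body->getElementsByTagName('*')) as $el) {
        $tag = strtolower($el->nodeName);
        if (in_array($tag, AD_DROP_WITH_CONTENT, true)) {
            $el->parentNode->removeChild($el);      // drop the tag and its content
            continue;
        }
        if (!array_key_exists($tag, AD_ALLOWED)) {
            // Unknown tag: keep its children, discard the tag itself.
            while ($el->firstChild) {
                $el->parentNode->insertBefore($el->firstChild, $el);
            }
            $el->parentNode->removeChild($el);
            continue;
        }
        foreach (iterator_to_array($el->attributes) as $attr) {
            $name = strtolower($attr->nodeName);
            $badUrl = in_array($name, AD_URL_ATTRS, true)
                && !preg_match('#^https?://#i', trim($attr->nodeValue));
            if (!in_array($name, AD_ALLOWED[$tag], true) || $badUrl) {
                $el->removeAttributeNode($attr);    // event handlers, javascript: URLs
            }
        }
    }
    return implode('', array_map([$doc, 'saveHTML'], iterator_to_array($body->childNodes)));
}
// Constructed sample: a payment-style button carrying an inline handler and a script.
$sample = '<form action="https://payments.example/pay" method="post" onsubmit="x()">'
        . '<input type="image" src="https://payments.example/btn.gif" name="submit">'
        . '</form><script>alert(1)</script><a href="javascript:alert(1)">ad</a>';
echo filter_ad_html($sample), "\n";
```

The filtered value still has to be passed to the database through escaping or a bound parameter, as the module's existing line does with mysql_real_escape_string.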

rickleigh
Worker

Joined: Jan 06, 2009
Posts: 183

Posted: Mon Oct 26, 2009 3:11 pm

fkelly wrote:
First thanks to my fellow team members, Kguske, Palbin, Guardian and Montego for stepping in to help with Advertising in my absence or distraction (some of both). While it looks like RickLeigh's immediate problem is resolved with Palbin's code, we will need to do something more systematic for the 2.4.01 patch release.


I want to thank you all as well and hope that everyone understands that this frustration had nothing to do with you guys. Being that I am a php student and sites like this acting as my teacher, I had no clue if these problems were something in the code or the fact that my host made changes to their servers. So, I hope everyone helping with my problems that are being posted here understands that I am a good follower of instructions, but when it comes to understanding what is causing it "code/server" I have no clue until I receive your guidance.

I have a few other issues that will be posted seeking your help, but not stopping my site from functioning at this time. So, again thanks for everything you guys do and hope to continue receiving your input.
The comments are property of their posters, all the rest © 2002-2011 by Raven