bry2k New Member


Joined: Dec 07, 2004 Posts: 12
|
Posted:
Thu Dec 09, 2004 12:53 am |
|
Hi - I'm fairly new to phpnuke and Nuke Sentinel, so perhaps there is a known workaround, but here's my request.
I find it very limiting that the HTML tag ban in phpnuke applies to all users including the superuser. As the primary site admin and content creator, I need to construct posts with tables, images, styles, etc. and post them as news articles. Now with Nuke Sentinel installed, I thought it might be really handy if Sentinel could provide for some way that only superusers, or only specific trusted users (controlled by superuser) could post any HTML/php/script text they want in their posts. Perhaps it's as simple as enclosing the whole tag restriction code in config.php in an IF statement, but it would be cool if it could be managed with nuke sentinel. As site superuser, I need to be able to construct a post without any restrictions, while still applying very strict restrictions to guest and regular users.
What do y'all think? Is there already a workaround for this that someone has come up with? And wouldn't it be cool if you could manage this with Sentinel?
Feedback appreciated! Thanks!
-Bry |
|
|
|
 |
Raven Site Admin/Owner

Joined: Aug 27, 2002 Posts: 16976 Location: Kansas
|
Posted:
Thu Dec 09, 2004 1:27 am |
|
Actually it's not NukeSentinel stopping you, but phpnuke. Look in mainfile.php and you will see code similar to this
Code:
foreach ($_GET as $secvalue) {
    if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
        (eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
        (eregi("\"", $secvalue))) {
        die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
    }
}
foreach ($_POST as $secvalue) {
    if ((eregi("<[^>]script*\"?[^>]*>", $secvalue)) || (eregi("<[^>]style*\"?[^>]*>", $secvalue))) {
        die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
    }
}
Modify it to read this and see if that helps
Code:
if (!is_admin($admin)) {
    foreach ($_GET as $secvalue) {
        if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
            (eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
            (eregi("\"", $secvalue))) {
            die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
        }
    }
    foreach ($_POST as $secvalue) {
        if ((eregi("<[^>]script*\"?[^>]*>", $secvalue)) || (eregi("<[^>]style*\"?[^>]*>", $secvalue))) {
            die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
        }
    }
}
|
Last edited by Raven on Thu Dec 09, 2004 9:09 am; edited 1 time in total |
|
|
 |
blith Client

Joined: Jul 18, 2003 Posts: 977
|
Posted:
Thu Dec 09, 2004 9:01 am |
|
Raven I received a parse error when I did this... I did a direct copy and paste. |
|
|
|
 |
Raven Site Admin/Owner

Joined: Aug 27, 2002 Posts: 16976 Location: Kansas
|
Posted:
Thu Dec 09, 2004 9:08 am |
|
My bad - sorry! Change
Code:
if (!is_admin($admin) {
to
Code:
if (!is_admin($admin)) {
|
|
|
|
 |
blith Client

Joined: Jul 18, 2003 Posts: 977
|
Posted:
Thu Dec 09, 2004 9:16 am |
|
|
|
 |
bry2k New Member


Joined: Dec 07, 2004 Posts: 12
|
Posted:
Thu Dec 09, 2004 9:46 am |
|
Raven, does "is_admin" only resolve to true if the user is superuser, or is it true if the user is any admin user? Is there a way to differentiate? ie - case: superuser, case: admin, case: user
Also, is that chunk of code the only function in phpNuke where the code is parsed to check for restricted HTML tags, or does that 'if' statement need to be applied in any other places as well?
Thanks!
-Bry |
|
|
|
 |
Raven Site Admin/Owner

Joined: Aug 27, 2002 Posts: 16976 Location: Kansas
|
Posted:
Thu Dec 09, 2004 9:49 am |
|
is_admin($admin) will determine if the value in $admin is an admin - period.
No other code should be needed. |
|
|
|
 |
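Added example, not part of the thread and not PHP-Nuke's own code: the wrapper discussed above exempts every admin from all checks, and the question just asked was whether superuser, admin and user can be told apart. The code below applies the same kind of tag checks per role; the role names, the per-role tag lists and both function names are hypothetical, and `preg_match` stands in for `eregi`, which no longer exists in PHP 7 and later.

```php
<?php
// Added example, not PHP-Nuke code. Tag names are taken from the mainfile.php
// checks quoted in this thread; the matching is rewritten for preg_match.
const BANNED_TAGS = ['script', 'object', 'iframe', 'applet', 'meta', 'style', 'form'];

// Hypothetical role names; each maps to the tags that stay banned for it.
function banned_tags_for(string $role): array {
    switch ($role) {
        case 'superuser': return [];                                      // fully trusted
        case 'admin':     return ['script', 'object', 'iframe', 'applet']; // layout tags allowed
        default:          return BANNED_TAGS;                             // users and guests
    }
}

// Returns the first banned tag found in $values, or null when the input is clean.
// Nested arrays are walked as well, because parameters such as name[]=... arrive as arrays.
function first_banned_tag(array $values, array $tags): ?string {
    foreach ($values as $value) {
        if (is_array($value)) {
            $hit = first_banned_tag($value, $tags);
            if ($hit !== null) return $hit;
            continue;
        }
        foreach ($tags as $tag) {
            // Modelled on the thread's "<[^>]*script*\"?[^>]*>" style of check.
            if (preg_match('/<[^>]*' . preg_quote($tag, '/') . '[^>]*>/i', (string)$value)) {
                return $tag;
            }
        }
    }
    return null;
}

// Constructed sample input standing in for $_POST.
$post = [
    'subject'  => 'Holiday hours',
    'hometext' => '<table><tr><td><style>td{color:red}</style>Open</td></tr></table>',
    'tags'     => ['news', '<iframe src="x"></iframe>'],
];

foreach (['user', 'admin', 'superuser'] as $role) {
    $hit = first_banned_tag($post, banned_tags_for($role));
    echo str_pad($role, 10), $hit === null ? "accepted\n" : "rejected: <$hit>\n";
}
```

The role passed in has to come from the server-side login check (the `is_admin($admin)` call in the thread's code), never from a request parameter.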
montego Former Admin in Good Standing

Joined: Aug 29, 2004 Posts: 9070 Location: Arizona
|
Posted:
Mon Dec 13, 2004 10:35 pm |
|
I am confused. I added the IF condition around the foreach and tried to create a NEW Story using the Admin link as such and get the Nuke Sentinel "Ban" message. I thought bry2k was looking to "could post any HTML/php/script text they want in their posts". I am getting banned trying to do this. (Luckily I have "protect admin" turned on.)
Am I missing the original intent of his original post? I would sure love the feature he is recommending. I, too, believe that the superuser/admin should be allowed to use any and all HTML at his/her disposal to jazz-up their messages, News, forums, etc. |
|
|
|
 |
TheosEleos Life Cycles Becoming CPU Cycles

Joined: Sep 18, 2003 Posts: 960 Location: Missouri
|
Posted:
Tue Dec 21, 2004 10:14 pm |
|
I get this error when I try this fix on my 7.5 site.
Call to a member function on a non-object in /home/blabla/public_html/blablabla/mainfile.php on line 228
nuke 7.5 with newest chatserv patch. |
|
|
 |
 |
TheosEleos Life Cycles Becoming CPU Cycles

Joined: Sep 18, 2003 Posts: 960 Location: Missouri
|
Posted:
Thu Dec 23, 2004 6:06 pm |
|
|
 |
 |
Raven Site Admin/Owner

Joined: Aug 27, 2002 Posts: 16976 Location: Kansas
|
Posted:
Thu Dec 23, 2004 6:34 pm |
|
You must have some kind of a typo because it's the exact code that I use. |
|
|
|
 |
TheosEleos Life Cycles Becoming CPU Cycles

Joined: Sep 18, 2003 Posts: 960 Location: Missouri
|
Posted:
Thu Dec 23, 2004 6:49 pm |
|
I have this code in mainfile.php
Code:
foreach ($_GET as $secvalue) {
    if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*onmouseover*\"?[^>]*>", $secvalue)) ||
        (eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
        (eregi("\"", $secvalue)) ||
        (eregi("forum_admin", $var_name)) ||
        (eregi("inside_mod", $var_name))) {
        die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
    }
}
foreach ($_POST as $secvalue) {
    if ((eregi("<[^>]*onmouseover*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*script*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*style*\"?[^>]*>", $secvalue))) {
        die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
    }
}
I replaced it with your code above and get that error. |
|
|
 |
 |
Raven Site Admin/Owner

Joined: Aug 27, 2002 Posts: 16976 Location: Kansas
|
Posted:
Thu Dec 23, 2004 7:31 pm |
|
Did you bother to put a closing brace at the end?
if (is_admin($admin)) {
// blah blah
}
 |
|
|
|
 |
TheosEleos Life Cycles Becoming CPU Cycles

Joined: Sep 18, 2003 Posts: 960 Location: Missouri
|
Posted:
Thu Dec 23, 2004 8:33 pm |
|
All I did was copy and paste from your above.
I guess there was an extra space or something.
I don't even understand how braces work, lol.
I'm such a newbie!
I did get it fixed, so thanks. |
|
|
 |
 |
TheosEleos Life Cycles Becoming CPU Cycles

Joined: Sep 18, 2003 Posts: 960 Location: Missouri
|
Posted:
Thu Dec 23, 2004 11:21 pm |
|
I still have it wrong. I get that error when logged in as admin.
 |
|
|
 |
 |
Raven Site Admin/Owner

Joined: Aug 27, 2002 Posts: 16976 Location: Kansas
|
Posted:
Fri Dec 24, 2004 12:09 am |
|
It's actually
Code:
if (!is_admin($admin)) {
    // blah blah
}
|
|
|
|
 |
Nukeum66 Life Cycles Becoming CPU Cycles

Joined: Jul 30, 2003 Posts: 548 Location: Neurotic, State, USA
|
Posted:
Fri Dec 24, 2004 12:11 am |
|
look at the end of your code and make sure it has 3 close tags:
and not 2:
|
|
|
|
 |
TheosEleos Life Cycles Becoming CPU Cycles

Joined: Sep 18, 2003 Posts: 960 Location: Missouri
|
Posted:
Fri Dec 24, 2004 12:25 am |
|
I don't understand why just a simple copy and paste of what Raven has posted up there won't work on my 7.5. It worked just fine on my 7.4.
Ah well, I'm going to bed. |
|
|
 |
 |
lochball New Member


Joined: Dec 03, 2004 Posts: 17
|
Posted:
Fri Dec 24, 2004 4:18 pm |
|
I introduced it in my system (7.5, 2.1.1) and it works well. Before that I simply tried to fool out the system by using some sort of html entities - but that's only patch work...
Greetings. |
|
|
|
 |
TheosEleos Life Cycles Becoming CPU Cycles

Joined: Sep 18, 2003 Posts: 960 Location: Missouri
|
Posted:
Sat Dec 25, 2004 4:09 pm |
|
I tried this before installing Sentinel. Does Sentinel have to be installed for this code change to work? |
|
|
 |
 |
Raven Site Admin/Owner

Joined: Aug 27, 2002 Posts: 16976 Location: Kansas
|
Posted:
Sat Dec 25, 2004 4:11 pm |
|
No. It has nothing to do with NukeSentinel. It's simply a "wrapper" around that code. |
|
|
|
 |
TheosEleos Life Cycles Becoming CPU Cycles

Joined: Sep 18, 2003 Posts: 960 Location: Missouri
|
Posted:
Sat Dec 25, 2004 4:44 pm |
|
Well, then I suck at this and should have my moderator status revoked!  |
|
|
 |
 |
Raven Site Admin/Owner

Joined: Aug 27, 2002 Posts: 16976 Location: Kansas
|
Posted:
Sat Dec 25, 2004 6:02 pm |
|
Is $admin renamed in 7.5? |
|
|
|
 |
TheosEleos Life Cycles Becoming CPU Cycles

Joined: Sep 18, 2003 Posts: 960 Location: Missouri
|
Posted:
Sun Dec 26, 2004 9:43 am |
|
I didn't change anything from the default install. |
|
|
 |
 |
manunkind Client

Joined: Apr 26, 2004 Posts: 368 Location: Albuquerque, NM
|
Posted:
Mon Dec 27, 2004 10:18 am |
|
Thanks Raven! This has been bugging me for awhile now. Didn't realize how simple the fix was. |
|
|
|
 |