nohtml explained

Worker Joined: Dec 05, 2006 Posts: 180

Hey could someone explain to me, what nohtml does.

http://phpnuke.org/modules.php?name=PHP-Nuke_HOWTO&page=allow-special-html-tags.html

My guess would be it does, does not allow html in say subject fieds or titles of pages. Stuff like that?

If I wanted to allow html in those fields (do you think its a good idea?) how would I do that? Im thinking it would be nice to be able to set some subject titles bold or even different font size or colors.

thanks,

j

still trying to learn a bit more php

edit:
ok after reading that a few more times. I would have to create an array in the config.php file using $AllowableHTML. Then I would change all nohtml to check_html right? that is in the files i wish to change and scripts i would like to allow html in.

They are saying that it is a security issue. What codes, if you can tell me should i not allow? would basice codes like bold, font, color and stuff like that effect me any?

registered · Site Admin Joined: Jun 04, 2004 Posts: 6437

Close... check_html is a mainfile function used in many places through PHP-Nuke. One of the arguments / parameters determine which HTML tags are valid. If you use "nohtml" all HTML tags will be stripped from the text you are checking.

You can determine which tags are valid by modifying $allowed_html in your config.php. If you allow certain tags or certain extensions for certain tags, you might open up security holes.

For nukeWYSIWYG, we changed the check_html function to accept additional (safe) HTML tags that are commonly used in WYSIWYG mode. We added the kses HTML filter to improve Nuke's ability to verify safe HTML and to provide multiple levels of security (e.g. user vs. admin). You can use the check_html enhancements in nukeWYSIWYG even if you aren't using the WYSIWYG editor.

Posted: Tue Dec 12, 2006 10:58 pm

ok, im using WYSIWYG good stuff. Although two of the images are not working. They are there, and all same permisions and uploaded all the same. :shrugs:

The thing i was looking for is my site seems very monotoned, which i like! but... it would be nice to have certain subject titles stand out. Ill look a bit more into the code.

WYSIWYG is pretty pimp though.

Is it possible to only allow admin rights to full html code? That way if i was to say, submit a story or news, instead of basic html i could have full rights to post a story I created in dreamweaver. I cant code really so i copy and paste hehe.

edit:
thanks

Posted: Tue Dec 12, 2006 11:40 pm

When you use the admin function to create a story (or edit a submitted story), you have more abilities than a regular user. It still uses the check_html function, though.

Posted: Wed Dec 13, 2006 12:12 am

k ill have to learn WYSIWYG, dreamweaver is just easy for me, kinda just copy paste too.

thanks,

j

oh do you know why some images are not showing up? only two of them

Insert/Remove Bulleted List and Insert Horizontal Line

Posted: Wed Dec 13, 2006 3:29 pm

You can paste into WYSIWYG from dreamweaver, I think.

Not sure why the bulleted list and HR tags aren't being displayed. Can you see them when you view the source? If so, it might be the CSS.

Posted: Wed Dec 13, 2006 6:47 pm

I tried to copy and paste, when i do it doesnt save and takes me to like home page or something.

Source you mine the picture its self? yea i can see the picture in ftp, oh wait im a tard, ima try browser. on sec... k yea i can see in broswer. Hmmm that is if im looking for the right one. Im looking in html\includes\FCKeditor\editor\skins\default\toolbar\...

For the bulleted list im looking at bulletedlist.gif but i cant seem to find the horzontal line one. So maybe i just dont have them... Ima go change my database table name right now and later on tonight ill look more into these images.

thanks im a tard hehe

j

oh if you know the names of the images could you tell me, i can check easier that way or if there is another way. Cant right click properties on those images

Client Joined: Jan 29, 2004 Posts: 624

kguske wrote:

When you use the admin function to create a story (or edit a submitted story), you have more abilities than a regular user. It still uses the check_html function, though.

Well, that's my problem. I can't create or edit a story to include images. I could a week ago can't now. Confused

Posted: Thu Feb 01, 2007 7:03 pm

What changed? A file, PHP setting, the HTML you use to post an image?

Posted: Thu Feb 01, 2007 7:33 pm

I upgraded to NukeSentinel 2.5.05 is all I can figure has changed. Now when I try to use an image in a story with the usual < img src tag and hit Preview the entire tag is stripped away when the page comes up. Never seen this happen before.

Posted: Thu Feb 01, 2007 9:36 pm

Very strange. Wasn't aware of any changes to NukeSentinel that might cause this. Did you change your config.php or anything else?

Posted: Fri Feb 02, 2007 10:37 am

Not config.php but I may not have put in the right codes in mainfile.php or header.php for NS 2.5.05. Has any code changed in the upgrade that might affect an admin's ability to post images in stories?

Posted: Fri Feb 02, 2007 2:00 pm

The mainfile.php code for NS™ 25.05.5 could be the prob. Every time I try to comment out the code

Code:




[ FIND 7.0-7.5 ]------------------------------------------


#


if (!defined('ADMIN_FILE') && !file_exists('includes/nukesentinel.php')) {


  foreach ($_GET as $sec_key => $secvalue) {


    if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||


   (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||


   (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||


   (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||


   (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||


   (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||


   (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||


   (eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||


   (eregi("<[^>]*onmouseover*\"?[^>]*>", $secvalue)) ||


   (eregi("<[^>]*body*\"?[^>]*>", $secvalue)) ||


   (eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||


   (eregi("\"", $secvalue)) ||


   (eregi("forum_admin", $sec_key)) ||


   (eregi("inside_mod", $sec_key))) {


        die ($htmltags);


    }


}





foreach ($_POST as $secvalue) {


    if ((eregi("<[^>]*onmouseover*\"?[^>]*>", $secvalue)) || (eregi("<[^>]script*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*body*\"?[^>]*>", $secvalue)) || (eregi("<[^>]style*\"?[^>]*>", $secvalue))) {


      die ($htmltags);


    }


  }


}





#


#

So it looks like

Code:




[ COMMENT OUT ]------------------------------------------ 


#


//if (!defined('ADMIN_FILE') && !file_exists('includes/nukesentinel.php')) {


//  foreach ($_GET as $sec_key => $secvalue) {


//    if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||


//   (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||


//   (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||


//   (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||


//   (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||


//   (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||


//   (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||


//   (eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||


//   (eregi("<[^>]*onmouseover*\"?[^>]*>", $secvalue)) ||


//   (eregi("<[^>]*body*\"?[^>]*>", $secvalue)) ||


//   (eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||


//   (eregi("\"", $secvalue)) ||


//   (eregi("forum_admin", $sec_key)) ||


//   (eregi("inside_mod", $sec_key))) {


//        die ($htmltags);


//    }


//}





//foreach ($_POST as $secvalue) {


//    if ((eregi("<[^>]*onmouseover*\"?[^>]*>", $secvalue)) || (eregi("<[^>]script*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*body*\"?[^>]*>", $secvalue)) || (eregi("<[^>]style*\"?[^>]*>", $secvalue))) {


//      die ($htmltags);


//    }


//  }


//}

like we're told to do in Edits for core files/mainfile.txt I get a blank page and have to restore my backup. This obviously has something to do with an admin's ability to post images so maybe I'm not putting it in my mainfile right.