HTML/BBcode in Signature not working

Regular Joined: Oct 22, 2003 Posts: 59

www.fites.net

I cannot get pictures to disply in the users sigs.

I have tried both:

Code:




[img]http://www.url.com/graphic.jpg[/img]

and

Code:




<img src=http://www.url.com/graphic.jpg>

am I doing something wrong?

Posted: Mon May 10, 2004 4:46 pm

Open your account and look for the insert and select statements and see what filtering is applied to the variable. check_html($var, nohtml) and htmlspecialchars($var) will both prevent html image tags.

The safest (In my opinion) option would be to get the KSES filter from sourceforge and use that with a an array that allowed <img. But thats just my opinion. Its a little under documented but its more simple then it appears at first.

But due to the size of the text field it is very important not to leave it unprotected.

Posted: Mon May 10, 2004 5:07 pm

I'm sorry... I guess I am more of a newbie that I thought.

I didnt understand your entire post Embarassed

Posted: Mon May 10, 2004 5:13 pm

Sorry what version of phpnuke and is your account the default one that came with it? For some reason the checks on that one have changed a few times so its hard to tell you whats to be changed without actually looking.

Posted: Mon May 10, 2004 5:19 pm

I have Ravens 7.0 Distro.

I am the site admin

What files am I looking in for the information you need?

Posted: Mon May 10, 2004 5:24 pm

Ok is that with the latest patch files applied?

Your_Account/index.php

Posted: Mon May 10, 2004 5:32 pm

here is a screenshot of my options for my profile:

Posted: Mon May 10, 2004 5:33 pm

Ok what your looking for is most likely this in Your_Account/index.php

In function saveuser

Around line 958 you'll find
$user_sig = htmlspecialchars($user_sig);
Try commenting out that
//$user_sig = htmlspecialchars($user_sig);
Then under that put
$user_sig = $user_sig;

Now this is unprotected but we'll get to that next lets see if this fixes the problem first.

Posted: Mon May 10, 2004 5:34 pm

sixonetonoffun wrote:

Ok is that with the latest patch files applied?

Your_Account/index.php

No, I havent patched anything...

Code:




removed

Posted: Mon May 10, 2004 5:35 pm

ooooooooh.... sorry... I was wayy off... lemme see

Posted: Mon May 10, 2004 5:38 pm

YES! That worked!

Is there more to this for security purposes?

Posted: Mon May 10, 2004 6:00 pm

Pm me your email please there is something in my code that won't go through the filtering here. Probably comments ? I'll send you the details to secure the variable again.

Posted: Mon May 10, 2004 6:25 pm

Thank you, I believe its fixed. You guys always go above and beyond... thank you!!! Very Happy

Posted: Mon May 10, 2004 6:45 pm

For anyone who wants to try what we did next I'll try posting the additions without the the comments.

Yes sir now what I recomend is to download the class kses from here
http://sourceforge.net/projects/kses/
Backup your current files and apply these changes to the latest CS patched series files on the main page here. Upload the Patched patch files and test again.

Extract and grab the file from it kses.php
Upload kses.php to your webroot where mainfile.php lives.

Download your mainfile.php and after the lines
if (eregi("mainfile.php",$_SERVER['PHP_SELF'])) {
Header("Location: index.php");
die();
}
add these 2 arrays and 1 function

Code:




// KSES array see KSES readme to tweak settings 


               $allowed_protocols = array('http', 'https', 'ftp', 'news', 'nntp', 'telnet', 'gopher', 'mailto');


               // KSES allowed tags array 


               // This is a loose filtering array


               $allowed = array('pre' => array('align' => 1),


                                'strong' => array(),


                                'hr' => array(),


                                'div' => array('align' => 1),


                                'img' => array('alt' =>1, 'src' => 1, 'hspace' => 1, 'vspace' => 1, 'border' => 1),


                                'table'=> array('align' => 1, 'border' => 1, 'cell' =>1),


                                'tr' => array('align' => 1),


                                'td' => array(),


                                'ul' => array(),


                                'li' => array(),


                                'ol' => array(),


                                'a' => array('href' => 1, 'target' => 1, 


                                             'title' => array('minlen' => 4, 'maxlen' => 100)), 


                                'font' => array('face' => 1, 'style' =>1, 'color' => 1,


                                                'size' => array('minval' => 1, 'maxval' => 7)),


                                'p' => array('align' => 1),


                                'b' => array(),


                                'i' => array(),


                                'u' => array(),


                                'em' => array(),


                                'br' => array());         





         // End KSES Options


function my_stripslashes( $text )


        {


               if( get_magic_quotes_gpc() == 1 )


               {


                return( stripslashes( $text ));


               }


               


                return( $text );


        }

Now in Your_Account index.php at the top
after:
$userpage = 1;
add:
include("kses.php");

Then change the line
$user_sig = $user_sig; or $user_sig = htmlspecialchars($user_sig);
to:
$user_sig = kses(my_stripslashes($user_sig,$allowed));

That should now filter out all but the html tags allowed in the array above. (Note most likely that includes bbcode but I've never tested that. (There is room for improvement in the array its just what I had real quick to post).

If you really need bbcode or just think this is a pain in the rear and want to use something simpler just shout back. I think this is a very safe smart way to protect large text fields like this one. (It was originally created for a phpnuke clone for just this sort of thing).

Client Joined: Jan 29, 2004 Posts: 624

This looks good, sixone. I always like to try things I haven't before so I'll give it a whirl. If it stops XSS and DOS it's worth it. Congrats on your promotion to admin. Smile

Posted: Mon May 10, 2004 10:11 pm

Thanks but this week it will be most like slave I think wink* I'm sure to get demoted after I confuse a few more people.

I just thought it really fit the nitch. If the check_html() has some more options someone should clue me in but I don't think its that flexable. In an ideal world I'd like to see this used for all the large text areas. Its really well tested (Geeklog uses the OOP class I think they more or less contributed it to the project?)

I really think it approaches the security of bbcode and its as flexable as the array of allowed tags and attributes. I haven' t followed its mail groups or anything but I'd imagine there are some nicer examples floating around now.

Posted: Mon May 10, 2004 10:32 pm

Ah I woulda been demoted after 15 minutes. Smile

No way you could confuse the peeps more'n this ol' southern wolf haha
Anyway I understood your directions clear as day. First I need to put on chatserv's 7.1 patches, if I haven't already then the kses stuff. I don't want ftp in the array though so I'll remove it, and telnet.

Posted: Wed May 12, 2004 4:04 pm

I am back again... *waits for the cringe*

While it seems that everything we did to get the sigs to work on my site has worked, there seems to be a little problem.

Only I (assuming all admins) can input the signature for the users and have it work.

If I put in the standard <img src=http://www.url.com/picture1.gif> it works fine in everyone's sigs.

If they put in the exact same line, it doesnt work. The line is still there, but nothing shows up.

any thoughts?

Posted: Wed May 12, 2004 4:29 pm

I spose we missed a htmlspecialchars() someplace. Does it show in there Your_Account and not in the profile and forums or?

Posted: Wed May 12, 2004 4:46 pm

hard for me to tell, from what I see when I go into their profile after they "complain" about it, the sig box is empty.

Posted: Wed May 12, 2004 4:59 pm

This should get by the filter we installed (I've tested that for sure)
<IMG alt="" hspace="0" src="http://www.netflake.com/images/verification_seal.gif" border="0">

But at your site when I put the in my profile it doesn't show when I preview a post so I tried it in the post too because I was curious. It doesn't work there either so I figure there is some other place htmlspecialchars() is filtering both. Because html is enabled on the site and in the post I tested in.

Posted: Wed May 12, 2004 5:16 pm

as far as I can tell, the forums on FITES doesnt allow html code... not sure why tho.

also, make sure you have signatures turned on in your profile on fites...

hmmmm

Posted: Wed May 12, 2004 5:19 pm

Yes I did all that but it does say html enabled Uhg!

Posted: Wed May 12, 2004 5:31 pm

I know....

and this is Raven's Release (hides behind corner) haha

Posted: Wed May 12, 2004 5:33 pm

Heres a funny I just checked on a test site and its the same crud.
But I could create a new forum and insert that image in the description lol!

Funny funny!