sexycoder
Spammer and overall low life

Joined: Feb 02, 2009
Posts: 82
Posted: Sun Jun 07, 2009 7:41 pm
I always have this question when I want to paste a script on my forum and it doesn't allow me to post, so I have to disable HTML.
I have the same problem that I can even make any post like I did before here. Can u please tell me exactly if there is a way that only administrator can make post with script but users don't allow it. This is something I wanna solve.
Example
Code:
<?php
// $str holds the submitted text to be filtered.
$str = stripslashes($str);
// HTML attributes to strip, written as case-insensitive bracket expressions.
$htmlAttributes = array("[Cc][Hh][Aa][Rr][Ss][Ee][Tt]",
    "[Cc][Oo][Oo][Rr][Dd][Ss]",
    "[Hh][Rr][Ee][Ff][Ll][Aa][Nn][Gg]",
    "[Nn][Aa][Mm][Ee]",
    "[Rr][Ee][Ll]",
    "[Rr][Ee][Vv]",
    "[Ss][Hh][Aa][Pp][Ee]",
    "[Tt][Yy][Pp][Ee]",
    "[Ii][Dd]",
    "[Cc][Ll][Aa][Ss][Ss]",
    "[Tt][Ii][Tt][Ll][Ee]",
    "[Ss][Tt][Yy][Ll][Ee]",
    "[Dd][Ii][Rr]",
    "[Ll][Aa][Nn][Gg]",
    "[Xx][Mm][Ll]:[Ll][Aa][Nn][Gg]",
    "[Tt][Aa][Bb][Ii][Nn][Dd][Ee][Xx]",
    "[Aa][Cc][Cc][Ee][Ss][Ss][Kk][Ee][Yy]",
    "[Oo][Nn][Ff][Oo][Cc][Uu][Ss]",
    "[Oo][Nn][Bb][Ll][Uu][Rr]",
    "[Oo][Nn][Cc][Ll][Ii][Cc][Kk]",
    "[Oo][Nn][Dd][Bb][Ll][Cc][Ll][Ii][Cc][Kk]",
    "[Oo][Nn][Mm][Oo][Uu][Ss][Ee][Dd][Oo][Ww][Nn]",
    "[Oo][Nn][Mm][Oo][Uu][Ss][Ee][Uu][Pp]",
    "[Oo][Nn][Mm][Oo][Uu][Ss][Ee][Oo][Vv][Ee][Rr]",
    "[Oo][Nn][Mm][Oo][Uu][Ss][Ee][Mm][Oo][Vv][Ee]",
    "[Oo][Nn][Mm][Oo][Uu][Ss][Ee][Oo][Uu][Tt]",
    "[Oo][Nn][Kk][Ee][Yy][Pp][Rr][Ee][Ss][Ss]",
    "[Oo][Nn][Kk][Ee][Yy][Dd][Oo][Ww][Nn]",
    "[Oo][Nn][Kk][Ee][Yy][Uu][Pp]"
);
// eregi_replace() was removed in PHP 7; preg_replace() with the /i flag replaces it.
foreach ($htmlAttributes as $attrib) {
    // attribute="value" (double-quoted)
    $searchString = $attrib."[[:space:]]*=[[:space:]]*\"[^\"]*\"";
    $str = preg_replace('/'.$searchString.'/i', '', $str);
    // attribute='value' (single-quoted)
    $searchString = $attrib."[[:space:]]*=[[:space:]]*'[^']*'";
    $str = preg_replace('/'.$searchString.'/i', '', $str);
    // attribute=value (unquoted, ended by whitespace)
    $searchString = $attrib."[[:space:]]*=[[:space:]]*[^ ]*[[:space:]]";
    $str = preg_replace('/'.$searchString.'/i', '', $str);
}
echo "New string: $str";
?>
I see that as a user I can do this. Can u be specific to me how I can implement this so Admin can post and users too but everything should be secure.

ToolBox
Regular

Joined: Mar 16, 2005
Posts: 74
Posted: Mon Jun 08, 2009 3:01 am
One fundamental solution is not to check HTML tags and attributes in the HTML array. With this method, no nuke will ever settle this problem.
In my opinion, this comes from handy coding and temporal cope.
The fundamental solution that I implemented was adding a flag (such as an 'allowHtml' flag) and making it accompany any type of post (like news, contents, download, reviews, and many others).
Now, when an admin posts, the admin clicks on the 'allowHtml' flag, and the function call (the htmlentity function and related ones defined in mainfile.php) will not work only when this flag is ON.
For the end-user side, simply don't show the flag (like < input type='hidden' name='allowHtml' value='0' / > <-- always 0 and hidden from users).
In this way, you can allow full HTML selectively. As long as only admin can post it with HTML in this way, security does not matter. This solution does not relate to any security debate.
One of my great disappointments with all types of NUKE is that the coding is not based on fundamental and systematic ideas.
The HTML and stripping it out is one exemplar.
Please don't ask me to show the whole implementation in terms of php codes because there are some places to edit and add too much.
My explanation came from running versions of NUKE not for the public.
I hope others will find a much more efficient way to manage a problem like yours. However, the present HTML stripping is not the ultimate and bottom-line solution.
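The flag approach described in the post above, as an added example that is not part of the original post and is not PHP-Nuke or RavenNuke code. It assumes hypothetical names (`render_post`, an `is_admin` session key, `body` and `allowHtml` form fields) and has the server honour `allowHtml` only when its own session data marks the poster as an administrator; every other post is escaped so pasted markup is displayed as text.

```php
<?php
// Added example. render_post(), the 'is_admin' session key and the
// 'body' / 'allowHtml' form fields are hypothetical names, not PHP-Nuke code.

/**
 * Return the HTML to display for a submitted post.
 * The allowHtml form value is treated as a request only: it is honoured
 * when the server-side session marks the poster as an administrator.
 */
function render_post(array $form, array $session): string
{
    $body      = isset($form['body']) ? (string) $form['body'] : '';
    $requested = isset($form['allowHtml']) && $form['allowHtml'] === '1';
    $isAdmin   = !empty($session['is_admin']);

    if ($requested && $isAdmin) {
        return $body; // administrator explicitly asked for raw HTML
    }
    // All other posts: escape markup so it is displayed as text
    // instead of being interpreted by the browser.
    return '<pre>' . htmlspecialchars($body, ENT_QUOTES, 'UTF-8') . '</pre>';
}

// Constructed sample input: markup carrying an event-handler attribute.
$pasted = '<b class="x" onclick="go()">hi</b>';

// Constructed cases: form data as submitted, session data as held by the server.
$cases = array(
    'admin, flag on'       => array(array('body' => $pasted, 'allowHtml' => '1'), array('is_admin' => true)),
    'admin, flag off'      => array(array('body' => $pasted, 'allowHtml' => '0'), array('is_admin' => true)),
    'user, hidden field 0' => array(array('body' => $pasted, 'allowHtml' => '0'), array()),
    'user, field edited'   => array(array('body' => $pasted, 'allowHtml' => '1'), array()),
);

foreach ($cases as $label => $case) {
    list($form, $session) = $case;
    echo $label, ': ', render_post($form, $session), "\n";
}
```

Only the "admin, flag on" case comes back unescaped; a submission whose hidden field value was changed to 1 without an administrator session is still escaped.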

sexycoder
Posted: Mon Jun 08, 2009 8:11 am
I understand u don't want to show your implementation because of the amount of codes u need to edit, but I cannot find any addon with explanation of this issue. Here I can post any code and it allows me to do that. I love that. How can I do that? I will check if this is possible on RN 2.30.01. Thanks for your answer.

kguske
Site Admin

Joined: Jun 04, 2004
Posts: 6437
Posted: Mon Jun 08, 2009 9:31 pm
It sounds as if you two are talking about different things.
sexycoder, are you looking for a forums mod that allows you to post code (and display it as code, not execute it) in the forums?
_________________ I search, therefore I exist...

sexycoder
Posted: Tue Jun 09, 2009 1:41 am
Quote: are you looking for a forums mod that allows you to post code (and display it as code, not execute it) in the forums?
Something like that which doesn't compromise our security issue or if I post a script on the forum from users or administrators don't cause any problem. Here I can paste any code I guess and I would like to have the mainfile from here but I will test first or take a look at the mainfile to see if I can post here the same code I posted before. Thanks for replying. I appreciate every word which helps us understanding this security issue.

kguske
Posted: Tue Jun 09, 2009 5:31 am
I'll check to see if I can find which forum mod supports that.
It sounds like toolbox is concerned with HTML filtering outside of the forums. We have been reviewing alternate approaches to filtering, and are working on that now. I believe there are topics elsewhere here where that is discussed, and we welcome any additional input you might have on that.

sexycoder
Posted: Tue Jun 09, 2009 9:36 am
Hi toolbox
I read again your post and I like the idea. Why not? It is a very interesting idea because u check or uncheck an option and then HTML is allowed.
Quote: Please don't ask me to show the whole implementation in terms of php codes because there are some places to edit and add too much
Can u make an addon to do that? I know u post above it could be a lot but can u give the example files u edit on mainfile.php or other files u have been working?
Thanks in advance!
My idea is this option should be apart from the mainfile.php or other files from the core. We must do that to the FORUMS ONLY. Then it will be nice. I don't know. I am really confused with this point of filtering attributes and there is not so much explanation about this. Everybody is completely lost on this.

montego
Site Admin

Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
Posted: Wed Jun 10, 2009 6:29 pm
sexycoder, you say that you can post any HTML here in the forums. Have you tried the same over at http://ravennuke.com? I was thinking this was already in place for the latest RN version... but, please, do not quote me on that.