| Author |
Message |
bry2k
New Member
Joined: Dec 07, 2004
Posts: 12
|
 Posted:
Thu Dec 09, 2004 12:53 am |
|
Hi - I'm fairly new to phpnuke and Nuke Sentinel, so perhaps there is a known workaround, but here's my request.
I find it very limiting that the HTML tag ban in phpnuke applies to all users including the superuser. As the primary site admin and content creator, I need to construct posts with tables, images, styles, etc and post them as news articles. Now with Nuke Sentinel installed, I thought it might be really handy if Sentinel could provide for some way that only superusers, or only specific trusted users (controlled by superuser) could post any HTML/php/script text they want in their posts. Perhaps its as simple as enclosing the whole tag restriction code in config.php to an IF statement, but it would be cool if it could be managed with nuke sentinel. As site superuser, I need to be able to construct a post without any restrictions, while still apply very strict restrictions to guest and regular users.
What do y'all think? Is there already a workaround for this that someone has come up with? And wouldn't be cool if you could manage this with Sentinel?
Feedback appreciated! Thanks!
-Bry |
| |
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
|
| Posted:
Thu Dec 09, 2004 1:27 am |
|
Actually it's not NukeSentinel stopping you, but phpnuke. Look in mainfile.php and you will see code similar to thisCode:foreach ($_GET as $secvalue) {
if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
(eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
(eregi("\"", $secvalue))) {
die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
}
}
foreach ($_POST as $secvalue) {
if ((eregi("<[^>]script*\"?[^>]*>", $secvalue)) || (eregi("<[^>]style*\"?[^>]*>", $secvalue))) {
die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
}
}
|
Modify it to read this and see if that helpsCode:if (!is_admin($admin)) {
foreach ($_GET as $secvalue) {
if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
(eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
(eregi("\"", $secvalue))) {
die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
}
}
foreach ($_POST as $secvalue) {
if ((eregi("<[^>]script*\"?[^>]*>", $secvalue)) || (eregi("<[^>]style*\"?[^>]*>", $secvalue))) {
die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
}
}
}
|
|
Last edited by Raven on Thu Dec 09, 2004 9:09 am; edited 1 time in total |
|
|
|
|
blith
Client
Joined: Jul 18, 2003
Posts: 977
|
| Posted:
Thu Dec 09, 2004 9:01 am |
|
Raven I received a parse error when I did this... I did a direct copy and paste. |
| |
|
|
|
Raven
|
| Posted:
Thu Dec 09, 2004 9:08 am |
|
My bad - sorry! changeCode:if (!is_admin($admin) {
|
toCode:if (!is_admin($admin)) {
|
|
| |
|
|
|
|
blith
|
| Posted:
Thu Dec 09, 2004 9:16 am |
|
|
|
|
|
bry2k
|
| Posted:
Thu Dec 09, 2004 9:46 am |
|
Raven, does "is_admin" only resolve to true if the user is superuser, or is it true if the user is any admin user? Is there a way to differentiate? ie - case: superuser, case: admin, case: user
Also, is that chunk of code the only function in phpNuke where the code is parsed to check for restricted HTML tags, or does that 'if' statement need to be applied in any other places as well?
Thanks!
-Bry |
| |
|
|
|
|
Raven
|
| Posted:
Thu Dec 09, 2004 9:49 am |
|
is_admin($admin) will determine if the value in $admin is an admin - period.
No other code should be needed. |
| |
|
|
|
|
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
|
| Posted:
Mon Dec 13, 2004 10:35 pm |
|
I am confused. I added the IF condition around the foreach and tried to create a NEW Story using the Admin link as such and get the Nuke Sentinel "Ban" message. I thought bry2k was looking to "could post any HTML/php/script text they want in their posts". I am getting banned trying to do this. (Luckily I have "protect admin" turned on.)
Am I missing the original intent of his original post? I would sure love the feature he is recommending. I, too, believe that the superuser/admin should be allowed to any and all HTML at his/her disposal to jazz-up their messages, News, forums, etc. |
| |
|
|
|
|
TheosEleos
Life Cycles Becoming CPU Cycles
Joined: Sep 18, 2003
Posts: 960
Location: Missouri
|
| Posted:
Tue Dec 21, 2004 10:14 pm |
|
I get this error when I try this fix on my 7.5 site.
Call to a member function on a non-object in /home/blabla/public_html/blablabla/mainfile.php on line 228
nuke 7.5 with newest chatserv patch. |
_________________
Only registered users can see links on this board! Get registered or login! |
|
 |
|
TheosEleos
|
| Posted:
Thu Dec 23, 2004 6:06 pm |
|
|
|
|
|
Raven
|
| Posted:
Thu Dec 23, 2004 6:34 pm |
|
You must have some kind of a typo because it's the exact code that I use. |
| |
|
|
|
|
TheosEleos
|
| Posted:
Thu Dec 23, 2004 6:49 pm |
|
I have this code in mainfile.php
Code:
foreach ($_GET as $secvalue) {
if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*onmouseover*\"?[^>]*>", $secvalue)) ||
(eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
(eregi("\"", $secvalue)) ||
(eregi("forum_admin", $var_name)) ||
(eregi("inside_mod", $var_name))) {
die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
}
}
foreach ($_POST as $secvalue) {
if ((eregi("<[^>]*onmouseover*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*script*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*style*\"?[^>]*>", $secvalue))) {
die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
}
}
|
I replaced it with your code above and get that error. |
| |
|
|
|
|
Raven
|
| Posted:
Thu Dec 23, 2004 7:31 pm |
|
Did you bother to put a closing brace at the end?
if (is_admin($admin)) {
// blah blah
}
 |
| |
|
|
|
|
TheosEleos
|
| Posted:
Thu Dec 23, 2004 8:33 pm |
|
All I did was copy and paste from your above.
I guess thre was an extra space or something.
I don't even understand how braces work, lol.
I'm such a newbie!
I did get it fixed, so thanks. |
| |
|
|
|
|
TheosEleos
|
| Posted:
Thu Dec 23, 2004 11:21 pm |
|
I still have it wrong. I get that error when logged in as admin.
 |
| |
|
|
|
|
Raven
|
| Posted:
Fri Dec 24, 2004 12:09 am |
|
It's actuallyCode:if (!is_admin($admin)) {
// blah blah
}
|
|
| |
|
|
|
|
Nukeum66
Life Cycles Becoming CPU Cycles
Joined: Jul 30, 2003
Posts: 551
Location: Neurotic, State, USA
|
| Posted:
Fri Dec 24, 2004 12:11 am |
|
look at the end of your code and make sure it has 3 close tags:
and not 2:
|
_________________
Scott Johnson MIS Ubuntu/Linux 11.10 |
|
|
|
|
TheosEleos
|
| Posted:
Fri Dec 24, 2004 12:25 am |
|
I don't understand why just a simple copy and paste of what Raven has posted up there won't work on my 7.5. It worked just fine on my 7.4.
Ah well, I'm going to bed. |
| |
|
|
|
|
lochball
New Member
Joined: Dec 03, 2004
Posts: 17
|
| Posted:
Fri Dec 24, 2004 4:18 pm |
|
I introduced it in my system (7.5, 2.1.1) and it works well. Before that I simply tried to fool out the system by using some sort of html entities - but that's only patch work...
Greetings. |
_________________
Unihockey is much more than only a new sporting activity... |
|
|
|
|
TheosEleos
|
| Posted:
Sat Dec 25, 2004 4:09 pm |
|
I tried this before installing Sentinel. Does Sentinel have to be installed for this code change to work? |
| |
|
|
|
|
Raven
|
| Posted:
Sat Dec 25, 2004 4:11 pm |
|
No. It has nothing to do with NukeSentinel. It's simply a "wrapper" around that code. |
| |
|
|
|
|
TheosEleos
|
| Posted:
Sat Dec 25, 2004 4:44 pm |
|
Well, then I suck at this and should have my moderator status revoked! |
| |
|
|
|
|
Raven
|
| Posted:
Sat Dec 25, 2004 6:02 pm |
|
Is $admin renamed in 7.5? |
| |
|
|
|
|
TheosEleos
|
| Posted:
Sun Dec 26, 2004 9:43 am |
|
I didn't change anything from the default install. |
| |
|
|
|
|
manunkind
Client
Joined: Apr 26, 2004
Posts: 368
Location: Albuquerque, NM
|
| Posted:
Mon Dec 27, 2004 10:18 am |
|
Thanks Raven! This has been bugging me for awhile now. Didn't realize how simple the fix was. |
| |
|
|
|
|
|
|
![[Valid RSS]](https://www.ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
