msg# 1
XOOPS 2.0.16
MyAlbum 2.84
Tiny Editor 1.0
I'm using the TinyEditor module sitewide on my domain. When adding text in MyAlbum, I get HTML code instead of straight text. For example:
"Test<br /><br />Because<br /><br />It has code"
I don't need to use TinyEditor with the MyAlbum module.
But I cannot figure out how to revert to the non-WYSIWYG editor only for MyAlbum. Or would the 2.9 Beta version of MyAlbum work with TinyEditor and HTML code?
Votes:12
Average:8.33
msg# 1.1
myAlbum-P never allows HTML, for security reasons.
Thus, any WYSIWYG editors work non-sense.
Votes:4
Average:10.00
msg# 1.1.1
Quote:
Thus, any WYSIWYG editors work non-sense.
? What do you mean? Every WYSIWYG editor IS non-sense or PRODUCES non-sense?
From the viewpoint of usability the crippleware XOOPS DHTML editor is non-sense.
As for tinyeditor (or tinyMCE) WYSIWYG is a BIT safer, since this editor uses its own sanitizer. I DO know that client-side sanitizing is not the best thing to rely on, but it is a start. Maybe there should be another server-side sanitizer checking the HTML code again.
Maybe it would be a good option to let the user of your modules decide if they want to use WYSIWYG? Make a BIG FAT warning and you are out of responsibility.
Just a thought, as I know that
is already evil.
Votes:3
Average:6.67
msg# 1.1.1.1
Understand your dislike of WYSIWYG editors. If there is any way to get around the TinyEditor problem, I'd like to try. Modding the code is fine with me; if you could push me in the right direction, I'll experiment, or if you already know of a way, that would be even better. Thanks for your work on XOOPS.
Question: Where is the proper place to post questions about MyAlbum....here or on dev.xoops? I've become accustomed to posting to both places as usually only one site is monitored in most cases.
Let me know if I should cross post to the dev.xoops site on this matter.
Votes:3
Average:10.00
msg# 1.1.1.2
Quote:
frankblack wrote:
Quote:Thus, any WYSIWYG editors work non-sense.
? What do you mean? Every WYSIWYG editor IS non-sense or PRODUCES non-sense?
I just mean that WYSIWYG editors make no sense for myAlbum-P.
myAlbum-P is a module that is usually posted to by untrusted users.
Thus, I disable HTML for the module.
It is just a design decision.
Quote:
As for tinyeditor (or tinyMCE) WYSIWYG is a BIT safer, since this editor uses his own sanitizer. I DO know that client-side sanitizing is not the best thing to rely on, but it is a start. Maybe there should be another server-side sanitizer checking the HTML code again.
Client-side sanitizing?
It really makes no sense.
Do you know the difference between "Script Insertion"(or HTML Injection) and "XSS" ?
"Allowing HTML" invites "Script Insertion" instead of "XSS".
Only server-side checking can stop malicious POSTs.
And perhaps "sanitizing HTML" on the server side makes no sense either.
Only "rebuilding HTML" on the server side protects sites from Script Insertion.
I wrote about this fact on this site long ago.
Quote:
Maybe it would be a good option to let the user of your modules decide if they want to use WYSIWYG? Make a BIG FAT warning and you are out of responsibility.
I cannot agree with it.
Because myAlbum-P is a module that is usually posted to by untrusted users.
The BIG FAT warning makes no sense for almost all site owners.
Thus I always answer "Hack it yourself, on your own responsibility" to anybody.
Quote:
Just a thought, as I know that
is already evil.
I cannot understand it.
What's the evil?
<b>b</b> is escaped as <b>b</b> for an HTML browser.
It's quite natural.
Votes:3
Average:6.67
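The distinction GIJOE draws above, between "sanitizing" (deleting fragments that look dangerous) and "rebuilding" the HTML on the server from a parsed allow-list, as an added Python example. This is not code from the thread, from myAlbum-P or from XOOPS; the posted description, the allow-list of tags and attributes, and the names strip_sanitize, rebuild_html and safe_url are all constructed for this example (myAlbum-P itself allows no HTML at all). The blacklist function is included only to show, on one input, three standard ways that deleting fragments fails: a nested tag that reassembles after deletion, an event-handler attribute the filter never looked at, and a mixed-case scheme.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of a POST body. Whatever the WYSIWYG editor would have sent,
# an attacker can submit this string directly with any HTTP client.
POSTED_DESCRIPTION = (
    'Nice photo <b>really</b> '
    '<scr<script>ipt>alert(1)</script> '
    '<img src="x" onerror="alert(2)"> '
    '<a href="JavaScript:alert(3)">click</a> '
    '<i>unclosed'
)

def strip_sanitize(text: str) -> str:
    """Blacklist 'sanitizing': delete <script> tags and javascript: targets.
    Shown only to demonstrate why deleting fragments is not enough."""
    text = re.sub(r'</?script[^>]*>', '', text, flags=re.I)
    return text.replace('javascript:', '')

# Allow-list for the rebuilt output (an assumption chosen for this example).
ALLOWED_TAGS = {'b', 'i', 'br', 'a'}
ALLOWED_ATTRS = {'a': {'href'}}
VOID_TAGS = {'br'}
SAFE_SCHEMES = {'', 'http', 'https'}

def safe_url(url: str) -> bool:
    """Accept only relative, http and https targets; reject javascript: and friends."""
    url = ''.join(c for c in url if c.isprintable())   # drop tab/newline tricks like 'java\tscript:'
    try:
        return urlsplit(url).scheme.lower() in SAFE_SCHEMES
    except ValueError:
        return False

class Rebuilder(HTMLParser):
    """Parse the input and write a fresh document containing only allowed tags,
    allowed attributes and escaped text. Nothing from the input is copied verbatim."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                      # unknown tag dropped; its text is still emitted, escaped
        attr_text = ''
        for name, value in attrs:
            value = value or ''
            if name in ALLOWED_ATTRS.get(tag, ()) and (name != 'href' or safe_url(value)):
                attr_text += f' {name}="{html.escape(value, quote=True)}"'
        if tag in VOID_TAGS:
            self.out.append(f'<{tag}{attr_text} />')
        else:
            self.out.append(f'<{tag}{attr_text}>')
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:       # close down to it so the output stays well-formed
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f'</{t}>')
                if t == tag:
                    break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        self.close()                    # flush buffered text
        while self.open_tags:           # auto-close whatever the poster left open
            self.out.append(f'</{self.open_tags.pop()}>')
        return ''.join(self.out)

def rebuild_html(text: str) -> str:
    parser = Rebuilder()
    parser.feed(text)
    return parser.result()

if __name__ == '__main__':
    print('stripped:', strip_sanitize(POSTED_DESCRIPTION))
    print('rebuilt: ', rebuild_html(POSTED_DESCRIPTION))
```

The rebuilt output keeps the bold text and the link text, closes the unclosed tag, and turns everything else into plain escaped text; the stripped output still contains a working `<script>`, an `onerror` handler and a `JavaScript:` link. The allow-list approach does not depend on knowing every dangerous construct, which is the property the stripping approach lacks.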
msg# 1.1.1.1.1
Quote:
TopKnot wrote:
Understand your dislike of WYSIWYG editors.
I dislike WYSIWYG editors?
Why?
This is called "vertical reading" in Japanese.
You can find the articles easily.
http://xoops.peak.ne.jp/md/mydownloads/singlefile.php?cid=3&lid=93
And I'm developing "pico".
This module supports WYSIWYG editors (common/spaw and common/fckeditor).
Just a difference:
- a module posted by untrusted users usually
- a module posted by trusted users only
Quote:
Question: Where is the proper place to post questions about MyAlbum....here or on dev.xoops? I've become accustomed to posting to both places as usually only one site is monitored in most cases.
Let me know if I should cross post to the dev.xoops site on this matter.
You can post any query in any place.
But I -GIJOE- support my modules on this site only.
At least I'll never visit dev.xoops.org because I don't favor xoops.org over xoopscube.org. Of course, I don't favor xoopscube.org over xoops.org.
Votes:9
Average:8.89
msg# 1.1.1.2.1
Quote:
I cannot understand it.
What's the evil?
German humour, hard to understand...
Maybe you have a bit of time to give me deeper knowledge. The big question is: if HTML is allowed, HOW will it be injected? Just by adding script code into the WYSIWYG editor window? In this case TinyMCE will escape it. Let's assume you are allowed to switch to HTML view. There, of course, you can add script code. This time the script portion will be stripped, because it is not on the whitelist.
Maybe you want to have a look at
http://tinymce.moxiecode.com/example_full.php?example=true and try to add a form or a script.
This is what I meant with client-side sanitizing.
Votes:2
Average:10.00
msg# 1.1.1.2.1.1
Quote:
frankblack wrote:
The big question is: if HTML is allowed, HOW will it be injected? Just by adding script code into the WYSIWYG editor window?
You should learn that POST data is completely independent from the "form" (WYSIWYG editor window).
Attackers can post malicious code even via telnet.
Votes:9
Average:10.00
msg# 1.1.1.2.1.1.1
Hi TopKnot, frankblack and GIJOE.
I have long been looking for a "quick-and-safe" way to use WYSIWYG editors on XOOPS.
This example heavily inspired me, and I cannot help sharing this small discovery with all XOOPSers.
I hope I could show the right example, in the right place.
May the XOOPS be with you.
Votes:2
Average:5.00
msg# 1.1.1.2.1.1.1.1
Hi yosha_01.
I knew of such a kind of WYSIWYG editor.
But it is a pity because it has only a business license.
If the editor you introduced has a free license, it will be good news for the XOOPS world.
I still insist that allowing HTML is not a good way, now and then.
Votes:1
Average:10.00
msg# 1.1.1.2.1.1.1.1.1
Hi GIJOE, thank you for your attention.
[licence]
As far as I know,
TinyMCE Editor is distributed under LGPL (click here).
There may be some problems with old XOOPS, but it seems fine with XOOPS_CUBE.
[security]
The example editor I have shown above (click here) doesn't send raw "html" to your server, but "bbcode".
This means you can use your current "bbcode" parser to filter user-posted malicious data, and rebuild clean HTML (with no hassle) on your server.
That's why I thought this editor is a good solution for XOOPSers.
# I learned about web application security from your great book. I hope I am a good student.
If I have a chance to use a WYSIWYG editor with XOOPS, I bet I'll use this one.
I hope you like it.
May the XOOPS be with you.
Votes:3
Average:10.00
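The approach yosha_01 describes above (the editor submits BBCode rather than HTML, and the server parses that and rebuilds clean HTML), as an added Python example. It is not the XOOPS BBCode parser, the editor's own code, or anything from the thread; the grammar it understands ([b], [i], [url=target], [img]target[/img]), the sample post and the names bbcode_to_html and safe_url are assumptions for this example. The sample deliberately mixes what the editor would send with raw HTML and crafted targets that an attacker could POST directly, bypassing the editor, as GIJOE notes earlier in the thread: since the server never interprets the input as HTML, the raw tags come out as escaped text.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample POST body. The first line is what the editor would send;
# the <script> line and the crafted targets are what an attacker would add by
# posting directly, bypassing the editor.
POSTED_BBCODE = (
    '[b]Holiday[/b] in [i]Kyoto[/i]\n'
    '<script>alert(1)</script>\n'
    '[url=javascript:alert(2)]bad link[/url] '
    '[url=http://example.com/]good link[/url] '
    '[img]http://example.com/a.jpg" onerror="alert(3)[/img] '
    '[b]unclosed'
)

# The (assumed) BBCode grammar: [b], [i], [url=target], [img]target[/img].
# Anything that does not match is plain text and gets escaped.
TOKEN = re.compile(r'\[(/?)(b|i|url|img)(?:=([^\]]*))?\]', re.I)
SAFE_SCHEMES = {'', 'http', 'https'}

def safe_url(url: str) -> bool:
    """Accept only relative, http and https targets."""
    url = ''.join(c for c in url if c.isprintable())   # drop tab/newline tricks
    try:
        return urlsplit(url).scheme.lower() in SAFE_SCHEMES
    except ValueError:
        return False

def bbcode_to_html(text: str) -> str:
    """Rebuild HTML from BBCode: every character of the input is either escaped
    text or replaced by markup this function writes itself."""
    out = []      # HTML fragments
    stack = []    # open tags as (name, index in out where their content starts)
    pos = 0
    for m in TOKEN.finditer(text):
        out.append(html.escape(text[pos:m.start()], quote=False))
        pos = m.end()
        tag = m.group(2).lower()
        if m.group(1) != '/':                      # opening tag
            if tag in ('b', 'i'):
                out.append(f'<{tag}>')
            elif tag == 'url':
                target = m.group(3) or ''
                if target and safe_url(target):
                    out.append(f'<a href="{html.escape(target, quote=True)}">')
                else:
                    out.append('<a>')              # unsafe target: keep the text, drop the link
            # [img] emits nothing yet; its content is the target, handled at [/img]
            stack.append((tag, len(out)))
            continue
        if not any(t == tag for t, _ in stack):    # stray closing tag: ignore it
            continue
        while stack:                               # close down to the matching open tag
            t, idx = stack.pop()
            if t == 'img':
                target = html.unescape(''.join(out[idx:]))
                del out[idx:]
                if safe_url(target):               # quote=True stops '"' from ending the attribute
                    out.append(f'<img src="{html.escape(target, quote=True)}" />')
            else:
                out.append('</a>' if t == 'url' else f'</{t}>')
            if t == tag:
                break
    out.append(html.escape(text[pos:], quote=False))
    while stack:                                   # auto-close what the poster left open;
        t, _ = stack.pop()                         # an unclosed [img] just stays as text
        if t != 'img':
            out.append('</a>' if t == 'url' else f'</{t}>')
    return ''.join(out)

if __name__ == '__main__':
    print(bbcode_to_html(POSTED_BBCODE))
```

On the sample, the `<script>` line becomes `&lt;script&gt;...`, the javascript: link loses its href but keeps its text, and the quote smuggled into the image target is escaped to `&quot;` so it cannot start a new attribute. The same property as server-side HTML rebuilding holds here: the server writes every tag itself, so the client (editor or not) can only choose among the markup the server is willing to produce.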
msg# 1.2
This is a reference post. I wanted HTML in my MyAlbum photo descriptions. You can easily do this in your templates. Go to myalbum_photo.html and myalbum_photo_in_list.html via XOOPS admin - Templates (or better yet: Altsys)
to this
<{$photo.description|html_entity_decode}>
There's probably a way to do this in PHP too, but this is fast and doesn't let you mess up the code.
Votes:4
Average:10.00