I've just released d3forum-0.77.
You can use fckxoops with this version.
Perhaps you already know of forum modules that can use WYSIWYG editors.
But d3forum is far different from them because of its security.
If you turn "Enable HTML" on, your post will be filtered by HTMLPurifier automatically.
Then all JavaScript will be removed from the post.
I've opened an "HTML allowed FORUM" for my experiments.
http://xoops.peak.ne.jp/md/d3forum/index.php?forum_id=12
Only in that forum can you use fckxoops and allow HTML.
Of course, you can control such detailed settings through each forum's options.
Now I'll show practical examples of how to use pico's formmail system.
Case 1:
"Implant forms after product presentation pages"
You can easily achieve it using pico's Smarty plugins "pico" and "formmail".
Make a content like this. (Turn "Smarty" filter on)
(products introducing section)
<{capture}>
<{pico id="(content ID describing the form)"}>
<{/capture}>
<{formmail4fleamarket mail_body_pre="A query from visitor exists\nContact him/her soon as possible\n\n" from_name="Product manager" cc_field_name="youremail" cc_mail_subject="A confirmation for your query" cc_mail_body_pre="Thank you for querying us.\nThis is the content you have queried\n"}>
<form>
name: <input type="text" name="name" class="required" /><br />
email: <input type="text" name="youremail" class="email" />
<input type="submit" />
</form>
WYSIWYG Editors require "allow HTML" for the system.
But that easily invites "Script Insertion" attacks.
kentauls told me about HTMLPurifier.
http://htmlpurifier.org/
It looks great, especially its smoketest for XSS.
You should know that HTMLPurifier works with PHP5 only, though the documentation tells us that it works with PHP>=4.3.2.
Anyway, I've included this library in Protector.
You can try "postcommon_post_htmlpurify4guest.php" as a Protector filter plugin.
But it is just a sample.
I'll modify my modules so that they can use HTMLPurifier as necessary, by config.
HTMLPurifier allows us to have a "WYSIWYG forum" etc.
In pico-1.52, the spec of the formmail system has been fixed.
So I'll write some example code.
Look at the skeleton again.
<{capture}>
<form>
(describe form parts)
</form>
<{/capture}>
<{formmail}>
<{capture}>
<form>
<input type="checkbox" name="Favorite_Fruits" value="Orange" />Orange
<input type="checkbox" name="Favorite_Fruits" value="Apple" />Apple
<input type="checkbox" name="Favorite_Fruits" value="Pear" />Pear
<input type="submit" value="Confirm" />
</form>
<{/capture}>
<{formmail}>
<{capture}>
<form>
<fieldset>
<legend>Favorite Fruits</legend>
<input type="checkbox" name="favorite_fruits" id="favorite_fruits_orange" value="Orange" /><label for="favorite_fruits_orange">Orange</label>
<input type="checkbox" name="favorite_fruits" id="favorite_fruits_apple" value="Apple" /><label for="favorite_fruits_apple">Apple</label>
<input type="checkbox" name="favorite_fruits" id="favorite_fruits_pear" value="Pear" /><label for="favorite_fruits_pear">Pear</label>
</fieldset>
<input type="submit" value="Confirm" />
</form>
<{/capture}>
<{formmail}>
In pico-1.51, the rules for "Form validated by HTML" have been changed radically.
Please read (1)~(3) again.
These are the new rules of the system for HTML designers.
Name of the field
It is "name" attribute.
You can also use a linear array by just adding [] after the name.
e.g.) name="favorite_fruits[]"
Title of the field
The 1st option is the <label> corresponding to the <input>.
For "checkbox" or "radio", however, the 1st option is the <legend> inside <fieldset></fieldset>.
The 2nd option is the "title" attribute in the tag.
The last option is the "name" attribute in the tag. (same as Name)
Essential
Specify it by class attribute.
e.g. 1) <input ... class="required" />
e.g. 2) <input ... class="required int" /> // "int" AND "required"
Type
Specify it by class attribute.
Only one type can be valid.
- int
-- filtered by intval()
- double
-- filtered by doubleval()
- singlebytes
-- filtered by mb_convert_kana( ... , 'as' )
- email
-- checked against RFC2822. An error will be raised if it is invalid.
- telephone
-- characters not used in telephone numbers will be removed.
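The class-attribute rules above can be pictured as a server-side check like the following. This is an added example, not pico's own code: the function and constant names are hypothetical, `filter_var()` stands in for the RFC2822 check, and both the set of characters kept for "telephone" and the choice of the first recognised type class are assumptions.

```php
<?php
// Added illustration, not pico's source. All names here are hypothetical.
const FIELD_TYPES = ['int', 'double', 'singlebytes', 'email', 'telephone'];

// Returns [filtered value, error message or null] for one submitted field.
function check_field(string $classAttr, string $raw): array
{
    $classes  = preg_split('/\s+/', trim($classAttr), -1, PREG_SPLIT_NO_EMPTY);
    $required = in_array('required', $classes, true);
    // Only one type applies: take the first recognised type class.
    $types = array_values(array_intersect($classes, FIELD_TYPES));
    $type  = $types[0] ?? null;

    $value = trim($raw);
    if ($value === '') {
        return ['', $required ? 'required field is empty' : null];
    }
    switch ($type) {
        case 'int':
            return [intval($value), null];
        case 'double':
            return [doubleval($value), null];
        case 'singlebytes':
            // Full-width alphanumerics and spaces to ASCII (needs ext/mbstring).
            return [mb_convert_kana($value, 'as', 'UTF-8'), null];
        case 'email':
            // Stand-in for the RFC2822 check. It also rejects CR/LF, which
            // matters when the address becomes a Cc: recipient (cc_field_name).
            $ok = filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
            return $ok ? [$value, null] : ['', 'invalid email address'];
        case 'telephone':
            // Assumed phone character set: digits, +, -, parentheses, space.
            return [preg_replace('/[^0-9+\-() ]/', '', $value), null];
        default:
            return [$value, null];
    }
}

// Constructed sample submissions: [class attribute, posted value]
$samples = [
    ['required int', '42abc'],
    ['required',     '   '],
    ['email',        "visitor@example.com\r\nX-Injected: 1"],
    ['telephone',    '+81 (3) 1234-5678 ext.<b>'],
];
foreach ($samples as [$class, $posted]) {
    var_dump(check_field($class, $posted));
}
```

The class attribute only declares the rule to the designer; the check itself has to run on the server against the posted value, because a visitor can submit any value regardless of what the HTML says.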