disable HTML

 
It should be possible for an administrator to disable <span style="font-size=25px; background-color: red; color: white" onMouseOver="alert('Panic!')">HTML</span> (<-- move mouse over this) for the user/group, since it's kinda a security flaw, I think...
[originally posted on jforum.net by Daniil]
 
Indeed.

Ideas of how we can solve this? I mean, there is a need to write a message parser to handle this situation.. ( or kinda ).

Rafael
[originally posted on jforum.net by Rafael Steil]
 
Parsing HTML and allowing only the "safe" tags is pretty difficult indeed, but at first we just need an option to completely disallow selected users/groups (in case of groups, with "override user values") to use HTML.

In the posting page, the checkbox "disable HTML in this message" is working correctly, we just need a way to force it (and allow trusted users/groups like Administrators and/or Moderators to still use HTML if they want).

Btw, there's a kind of a bug in the [ quote ] and [/ quote ] bbtags handling, I think you know what I'm talking about, but I have no idea of easily fixing this one since quotes are perfectly valid to be nested (I can only suggest to generate a fixed-depth regexp, but it's better to look into the phpBB code to take a hint on how they did this). In phpBB, if I let a [/ quote ] tag alone, with no matching [ quote ], it will be displayed as-is (and won't break the forum layout, hehe ).
[originally posted on jforum.net by Daniil]
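
The two points raised in the post above, as an added example (not JForum's own code and not taken from PostVH.java): HTML is escaped unless the caller marks the author as trusted, and quote tags are paired with a stack instead of a fixed-depth regexp, so a tag with no partner stays literal text and the emitted blockquotes are always balanced. The class name `QuoteRenderer`, the `htmlAllowed` flag and the sample posts are assumptions made for this example.

```java
import java.util.*;
import java.util.regex.*;

public class QuoteRenderer {
    private static final Pattern TAG =
        Pattern.compile("\\[(/?)quote\\]", Pattern.CASE_INSENSITIVE);

    // "Disable HTML": every metacharacter becomes an entity, so markup is shown, not parsed.
    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    // htmlAllowed is a hypothetical flag the caller derives from user/group permissions.
    static String render(String raw, boolean htmlAllowed) {
        String text = htmlAllowed ? raw : escapeHtml(raw);
        List<int[]> tags = new ArrayList<>();   // each entry: {start, end, isClose, matched}
        Deque<int[]> open = new ArrayDeque<>(); // opening tags still waiting for a partner
        Matcher m = TAG.matcher(text);
        while (m.find()) {
            int[] t = {m.start(), m.end(), m.group(1).isEmpty() ? 0 : 1, 0};
            tags.add(t);
            if (t[2] == 0) {
                open.push(t);
            } else if (!open.isEmpty()) {       // pair with the innermost open tag
                open.pop()[3] = 1;
                t[3] = 1;
            }
        }
        StringBuilder out = new StringBuilder();
        int pos = 0;
        for (int[] t : tags) {
            out.append(text, pos, t[0]);
            if (t[3] == 1) out.append(t[2] == 0 ? "<blockquote>" : "</blockquote>");
            else out.append(text, t[0], t[1]);  // unpaired tag stays literal text
            pos = t[1];
        }
        return out.append(text, pos, text.length()).toString();
    }

    public static void main(String[] args) {
        // Constructed sample posts; the span reuses the demonstration from the first post.
        String post = "[quote]a [quote]b[/quote] c[/quote] "
                    + "<span onMouseOver=\"alert('Panic!')\">HTML</span>";
        System.out.println(render(post, false)); // ordinary user: HTML forced off
        System.out.println(render(post, true));  // trusted group: HTML passed through
        System.out.println(render("stray [/quote] then [quote] left open", false));
    }
}
```

Escaping runs before tag pairing, so the only markup the renderer itself emits for an untrusted author is the blockquote pair.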
 

Daniil wrote:
Btw, there's a kind of a bug in the [ quote ] and [/ quote ] bbtags handling, I think you know what I'm talking about, but I have no idea of easily fixing this one since quotes are perfectly valid to be nested (I can only suggest to generate a fixed-depth regexp, but it's better to look into the phpBB code to take a hint on how they did this). In phpBB, if I let a [/ quote ] tag alone, with no matching [ quote ], it will be displayed as-is (and won't break the forum layout, hehe ).



hhmm.. this shouldn't occur anymore.. but I admit I have not tested too much.. phpbb does so much code to process the bb stuff ( about 600 lines ).. I know I can do with much less ( and indeed I do ).. it's just a bit complicated to test all possible cases :?
The current code is more complex than I intended, but is not *that* hard.. If you wanna see, it is the "preparePost" method in the PostVH.java file.. ;)

Rafael
[originally posted on jforum.net by Rafael Steil]
 

Rafael Steil wrote: The current code is more complex than I intended, but is not *that* hard.. If you wanna see, it is the "preparePost" method in the PostVH.java file.. ;)


I've liked the fact that the largest part of code goes under comment "little hacks" :P

Anyway, it would be cool to disable HTML. Will you do it pleeease?
[originally posted on jforum.net by Daniil]
 
Yes sir

I've been very busy in the last few days, because of stuff in my real job. I wish I could get back to coding jforum this weekend.

Rafael
[originally posted on jforum.net by Rafael Steil]
 
Thanks

Maybe I could do it myself, I'll try tomorrow if I have time. At the moment I'm looking at the regexp stuff trying to figure out possible better ways to handle bbcode and my mind goes mad ;]

2:38 here, probably some sleep can help ;) Happy weekend!
[originally posted on jforum.net by Daniil]
 
Registered at JIRA as JF-10
[originally posted on jforum.net by smota]
 

Rafael Steil wrote:Indeed.

Ideas of how we can solve this? I mean, there is a need to write a message parser to handle this situation.. ( or kinda ).



Rafael, I saw this thingie on freshmeat tonight:

http://freshmeat.net/releases/161504/

I think it's coded in C, but still, just for info.

SafeHTML 1.1.0
by kukutz - Sunday, May 23rd 2004 09:52 PDT

About: SafeHTML strips down all potentially dangerous content within HTML: opening tags without closing tags, closing tags without opening tags, a whole slew of other tags ("base", "basefont", "head", "html", etc.), some attributes (on*, data*, dynsrc, javascript:/vbscript:/about:, etc.), protocols, expression/behavior etc. in styles, and any other active content.
[originally posted on jforum.net by Daniil]
 
It is written in PHP.. the code is quite simple, as it uses a lot of regexp.

I'm finishing private messages and postgresql support.. most of the work is done, and is available in the CVS. I'm not sure if I will manage to finish all pending features by RC4, so help is appreciated.

Rafael
[originally posted on jforum.net by Rafael Steil]
 
I was trying to redo bbcode processing, but right now I'm kinda busy at high school...
[originally posted on jforum.net by Daniil]
 
PS, about that HTML stripper - I didn't look into the code myself, just supposed it's written in C because I've overlooked the mention of the programming language in project details.
[originally posted on jforum.net by Daniil]
 