#7 Javascript/Flash Hack

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2004-09-07
Created: 2004-08-02
Creator: Eloi George
Private: No

Author: Eloi George <eloi@NOSPAM.bygeorgeware.com>
Version: 4
Updated: 8/31/2004
--------------------------------------------------

This code is ready for inclusion in the current Release
Candidate (0.9.3.4).

It has been in general use since February and is
bug-free. Below is a description of what the code
does. The included .tar.gz contains both the updated
.php files and corresponding unified diff files with
extensions of .diff.txt. The basecode is current as of
Friday's (8/31/04) Daily CVS Tarball.

Javascript/Flash Hack

/conf/textSettings.php now has an extra variable called
$allowed_extra_tags that holds tags that can only be
used by authorized admins. These users are authorized
by allowing them to "Use Extended HTML Tags" in the
user "Module Rights" screen.

As singletrack pointed out this weekend, if you want to
restrict your users to bbCode (or WikiTax), while
allowing your admins to still enter HTML tags, you can
just move all the tags from the first level to the second.

It's also been called the "Javascript/Flash Hack"
because changes have been made to the parser to allow
executable Javascript/Flash code to be entered by
authorized users.

Deities can now use any tag they please -- nothing will
get stripped. You are finally truly omnipotent!

Discussion

  • Eloi George
    2004-08-02

    Patch files for Javascript/Flash Hack

     
    Attachments
  • Mike Noyes
    2004-09-07

    • labels: 531662 -->
     
  • sharon renshaw
    2004-10-29

    Logged In: YES
    user_id=656822

    I'm wondering if this would be helpful in the case of comment
    spammers. You could remove the "<a>" tag?

    I haven't gotten any comment spammers yet but I'd like to
    have a plan before I get marked. :)

     
  • Eloi George
    2004-11-04

    Logged In: YES
    user_id=619893

    You could move the "<a>" tag from $allowed_tags to
    $allowed_extra_tags.

    This would make it so that only authorized admins can use
    the "<a>" tag.
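
The two-tier tag allowlist described in this ticket, with "<a>" moved to the second tier as suggested in the last comment, sketched as an added example; it is not the patch's code or part of the original ticket. The array format of $allowed_tags and $allowed_extra_tags, the function names and the $user keys are assumptions made for illustration.

```php
<?php
// Added illustration; function names and $user keys are hypothetical.

// Tier 1: tags every poster may use. Tier 2: tags reserved for users who
// hold the "Use Extended HTML Tags" right. The array-of-names format is
// an assumption; the ticket does not show the real variable layout.
$allowed_tags       = ['b', 'i', 'p', 'br'];
$allowed_extra_tags = ['a', 'script', 'object', 'embed']; // <a> moved here

/**
 * Return the tag names a user may submit, or null for "strip nothing".
 */
function tags_for_user(array $user, array $basic, array $extra): ?array
{
    if (!empty($user['is_deity'])) {
        return null;                       // deities: nothing is stripped
    }
    if (!empty($user['extended_html'])) {
        return array_values(array_unique(array_merge($basic, $extra)));
    }
    return $basic;                         // default: tier 2 is denied
}

function filter_post(string $html, array $user, array $basic, array $extra): string
{
    $tags = tags_for_user($user, $basic, $extra);
    if ($tags === null) {
        return $html;
    }
    // strip_tags() removes tags that are not listed but keeps the text
    // between them. It does not touch attributes on tags that are allowed,
    // so attribute filtering has to be done separately.
    return strip_tags($html, '<' . implode('><', $tags) . '>');
}

// Constructed sample input: a comment-spam style post.
$post   = '<p>Nice site! <a href="http://example.com/">cheap pills</a></p>';
$member = ['is_deity' => false, 'extended_html' => false];
$admin  = ['is_deity' => false, 'extended_html' => true];

// The member's link markup is removed; the admin's link survives.
echo filter_post($post, $member, $allowed_tags, $allowed_extra_tags), "\n";
echo filter_post($post, $admin, $allowed_tags, $allowed_extra_tags), "\n";
```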