#1545 <object>'s stripped out even from html_pages

Milestone: v1.8.3
Status: closed-duplicate
Owner: nobody
Priority: 5
Updated: 2004-08-26
Created: 2004-07-08
Private: No

A designer tried to link to a flash movie from our test
1.8.3 site, using the following code:

<object
classid="clsid:D27CDB6E-AE6D-11CF-96B8-444553540000"
codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=5,0,0,0"
width="400" height="250">
<param name="movie"
value="http://www.fuerth.de/de/panorama/panorama.swf">
<param name="quality" value="high">
<embed
src="http://www.fuerth.de/de/panorama/panorama.swf"
quality="high" bgcolor="#FFFFFF" width="400"
height="250" type="application/x-shockwave-flash"
pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash">

</object>

On previewing or saving, the <object>, <embed> and
</object> tags disappear, leaving only the <param> tags.

This happens not only in the article editor, but even
in the HTML page editor.

Discussion

  • David R. Newman - 2004-07-08

    Updating this item for category / group / subject line or other
    data. No real change to the item, just house-keeping.

     
  • David R. Newman - 2004-07-08

    I've tracked this down to the so-called XSS-type attacks
    section in tiki-setup_base.php. It strips out all scripts,
    objects, embeds and applets.

    Since objects and embeds are important parts of modern web
    sites, where we use Flash movies, this should not be done in
    a modern CMS: at least not here, where it is applied to all
    input. It should certainly not apply to HTML pages.

    On my sites, I no longer make_clean $_POST variables.

    If you are going to remove such HTML, do it only at the
    stage when you are sure someone is NOT editing an HTML page
    (or a wiki page or article with 'Use HTML' selected). Then
    the range of HTML tags accepted can be an administration option.

     
  • Damian Parker - 2004-08-26

    It has to be done to prevent me from gaining complete
    control of your TikiWiki site! :)

    Use WikiPlugin PluginFlash.

    Enjoy.

     
  • Damian Parker - 2004-08-26
    • status: open --> pending-later
     
  • Damian Parker - 2004-08-26
    • status: pending-later --> closed-duplicate
     
  • Damian Parker - 2004-08-26

    It has to be done to prevent me from gaining complete
    control of your TikiWiki site! :)

    Use WikiPlugin PluginFlash.

    This is also reported elsewhere, closing this one.

    Enjoy.
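
Newman's proposal (filter according to the editing context, with the accepted tag set as an administration option) and Parker's objection (raw <object>/<embed> from any author hands an attacker the site) are both better served by an allow-list than by the tag-name blacklist the thread describes. The following is an added example written for this page; it is not TikiWiki code and does not reproduce tiki-setup_base.php. The first function mimics the described blacklist and reproduces the reported symptom (only the <param> tags survive) while letting attribute-based payloads such as onerror= and javascript: URLs straight through. The second applies a per-context allow-list: in the "wiki" context plugin tags are dropped with their whole subtree; in the "html_page" context <object>/<embed>/<param> pass, but only when the movie comes from a host on an admin-style allow-list, and allowScriptAccess is always forced to never. The context names, the host list, the attribute sets and the sample markup (a copy of the reporter's) are this example's own assumptions.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# 1. Blacklist filter modelled on the thread's description of tiki-setup_base.php.
_TAG_RE = re.compile(r"</?(?:script|object|embed|applet)\b[^>]*>", re.I | re.S)

def strip_dangerous_tags(markup):
    """Regex-strip four tag names: the <param> children survive, onerror= does too."""
    return _TAG_RE.sub("", markup)

# 2. Allow-list filter whose policy depends on the editing context.
BASIC = {"p": set(), "b": set(), "i": set(), "br": set(), "ul": set(), "ol": set(),
         "li": set(), "a": {"href"}, "img": {"src", "alt", "width", "height"}}
PLUGIN = {"object": {"classid", "codebase", "width", "height"}, "param": {"name", "value"},
          "embed": {"src", "quality", "bgcolor", "width", "height", "type", "pluginspage"}}
POLICIES = {  # hypothetical context names and host list, not Tiki settings
    "wiki": {"tags": BASIC, "plugin_hosts": set()},
    "html_page": {"tags": {**BASIC, **PLUGIN}, "plugin_hosts": {"www.fuerth.de"}},
}
VOID = {"br", "img", "param", "embed", "hr", "input", "meta", "link"}
URL_ATTRS = {"href", "src", "codebase", "pluginspage", "data", "value"}
PLUGIN_CONTENT = {("embed", "src"), ("object", "data"), ("param", "value")}  # host-checked

class AllowListFilter(HTMLParser):
    def __init__(self, policy):
        super().__init__()
        self.tags, self.plugin_hosts = policy["tags"], policy["plugin_hosts"]
        self.out, self.stack, self.blocked = [], [], 0  # blocked: open dropped elements

    def _url_ok(self, tag, name, value, attr_map):
        if tag == "param" and (attr_map.get("name") or "").lower() != "movie":
            return True                              # e.g. quality=high is not a URL
        url = urlparse(value)
        if (tag, name) in PLUGIN_CONTENT:            # SWF must come from an allowed host
            return url.scheme in ("http", "https") and url.hostname in self.plugin_hosts
        return url.scheme in ("", "http", "https")   # relative ok; javascript:/data: not

    def _render(self, tag, attrs):
        attr_map, parts = dict(attrs), [f"<{tag}"]
        for name, value in attrs:
            if name not in self.tags[tag] or value is None:
                continue                             # drops on* handlers, unlisted attrs
            if name in URL_ATTRS:
                value = re.sub(r"[\x00-\x20]+", "", value)  # defeats "java\tscript:"
                if not self._url_ok(tag, name, value, attr_map):
                    continue
            parts.append(f' {name}="{html.escape(value, quote=True)}"')
        if tag == "embed":                           # the SWF may not script the page
            parts.append(' allowscriptaccess="never"')
        parts.append(">")
        if tag == "object":
            parts.append('<param name="allowScriptAccess" value="never">')
        return "".join(parts)

    def handle_starttag(self, tag, attrs):
        allowed = self.blocked == 0 and tag in self.tags
        if tag == "param" and (dict(attrs).get("name") or "").lower() == "allowscriptaccess":
            allowed = False                          # authors may not override ours
        if tag not in VOID:
            self.stack.append((tag, allowed))
            self.blocked += 0 if allowed else 1
        if allowed:
            self.out.append(self._render(tag, attrs))

    def handle_endtag(self, tag):
        if tag in VOID or all(t != tag for t, _ in self.stack):
            return                                   # stray close tag: ignore
        while self.stack:                            # pop (and close) back to the match
            t, allowed = self.stack.pop()
            if allowed:
                self.out.append(f"</{t}>")
            else:
                self.blocked -= 1
            if t == tag:
                return

    def handle_data(self, data):
        if self.blocked == 0:
            self.out.append(html.escape(data, quote=False))

def filter_html(markup, context):
    """Sanitize markup under the policy of the given editing context."""
    f = AllowListFilter(POLICIES[context])
    f.feed(markup)
    f.close()
    for t, allowed in reversed(f.stack):             # close what the author left open
        if allowed:
            f.out.append(f"</{t}>")
    return "".join(f.out)

# Constructed copy of the reporter's markup, so the block runs stand-alone.
SAMPLE = """\
<object classid="clsid:D27CDB6E-AE6D-11CF-96B8-444553540000" width="400" height="250"
codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=5,0,0,0">
<param name="movie" value="http://www.fuerth.de/de/panorama/panorama.swf">
<param name="quality" value="high">
<embed src="http://www.fuerth.de/de/panorama/panorama.swf" quality="high" bgcolor="#FFFFFF"
width="400" height="250" type="application/x-shockwave-flash"
pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash">
</object>"""
```

Run `filter_html(SAMPLE, "wiki")` and the whole object, params included, is gone; run it with "html_page" and the movie survives with the script-access parameter pinned. The host list is the real control here: a SWF from a listed host is still executable content, and allowScriptAccess=never only stops it from calling JavaScript in the embedding page, so the list should hold only hosts the site operator controls.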

     
