In the ongoing battle against spam event entries, I've noticed that
people are able to enter HTML code in the description field even though
the system settings are set to "No" for that setting.
------------
System Settings
PROGRAM_NAME : WebCalendar v1.0.4 (07 Jun 2006)
SERVER_SOFTWARE : Apache/2.0.54 (Debian GNU/Linux) PHP/4.4.2-1.1 mod_ssl/2.0.54 OpenSSL/0.9.7e mod_webkit2/0.5
Web Browser : Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418.8 (KHTML, like Gecko) Safari/419.3
db_type : mysql
readonly : N
single_user : N
single_user_login :
use_http_auth : false
user_inc : user.php
LANGUAGE : English-US
demo_mode : N
require_approvals : Y
groups_enabled : N
user_sees_only_his_groups: N
categories_enabled : N
allow_conflicts : Y
conflict_repeat_months : 6
disable_priority_field : Y
disable_access_field : Y
disable_participants_field: Y
disable_repeating_field : N
allow_view_other : Y
email_fallback_from : webmaster@mennonitechurch.ca
remember_last_login : Y
allow_color_customization: Y
BGCOLOR : #FFFFFF
H2COLOR : #000000
CELLBG : #76E1C3
WEEKENDBG : #A0F0CF
TABLEBG : #000000
THBG : #FFFFFF
THFG : #000000
POPUP_FG : #000000
POPUP_BG : #FFFFFF
TODAYCELLBG : #B4FFD2
WEEK_START : 0
TIME_FORMAT : 12
DISPLAY_UNAPPROVED : N
DISPLAY_WEEKNUMBER : N
WORK_DAY_START_HOUR : 2
WORK_DAY_END_HOUR : 23
send_email : N
EMAIL_REMINDER : N
EMAIL_EVENT_ADDED : N
EMAIL_EVENT_UPDATED : N
EMAIL_EVENT_DELETED : N
EMAIL_EVENT_REJECTED : N
server_url : http://www.mennonitechurch.ca/mc-cwebcalendar/
FONTS : Arial, Helvetica, sans-serif
STARTVIEW : month.php
DISPLAY_WEEKENDS : Y
DATE_FORMAT : __month__ __dd__, __yyyy__
DATE_FORMAT_MY : __month__ __yyyy__
DATE_FORMAT_MD : __month__ __dd__
TIME_SLOTS : 48
auto_refresh : N
auto_refresh_time : 0
public_access : Y
public_access_others : N
public_access_can_add : Y
public_access_add_needs_approval: Y
add_link_in_views : Y
allow_external_users : N
external_notifications : N
external_reminders : N
allow_conflict_override : N
limit_appts : N
nonuser_enabled : N
nonuser_at_top : N
reports_enabled : N
PUBLISH_ENABLED : N
CUSTOM_SCRIPT : N
CUSTOM_HEADER : Y
CUSTOM_TRAILER : Y
bold_days_in_year : N
DISPLAY_DESC_PRINT_DAY : N
site_extras_in_popup : Y
allow_html_description : N
TIMED_EVT_LEN : D
public_access_default_visible: Y
public_access_default_selected: Y
public_access_view_part : N
enable_gradients : Y
application_name : Webcalendar
Logged In: YES
user_id=1090373
Is your main trouble the HTML settings, or spam?
Can you give an example of the HTML that is getting through?
-Ray
Logged In: YES
user_id=913916
When in "view_entry.php" the entry looks like this:
cheap phentermine
Description: <a href=http://cheap-phentermine-fx.blogspot.com>cheap phentermine</a> http://cheap-phentermine-fx.blogspot.com
cheap phentermine [url=http://cheap-phentermine-fx.blogspot.com] cheap phentermine [/url]
Date: Saturday, November 11, 2017
Repeat Type: Saturday, November 11, 2017 - Friday, February 31, 2006 (every Month / 2nd Saturday)
Created by: Public Access
Updated: Friday, November 10, 2006 23:07
Event Email: cheapphentermine@hotmail.com
Event Website: http://cheap-phentermine-fx.blogspot.com
Participants:
Logged In: YES
user_id=1090373
Sorry, I guess I should have asked, does the HTML stored in
your database for this event use '<' or &lt; ?
It looks like they used html entities instead of the
characters that we currently check.
-Ray
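
The point raised above, that a check for literal characters misses entity-encoded input, shown as an added example (not WebCalendar's code and not posted by anyone in this thread). The function names and sample strings are constructed for illustration; the actual check in WebCalendar 1.0.4 does not appear on this page.

```php
<?php
// Added illustration. All function names here are hypothetical.

// Input check that looks only for literal angle brackets.
function naive_has_html(string $s): bool {
    return strpbrk($s, '<>') !== false;
}

// Decode entities until the text stops changing, so "&lt;", "&#60;"
// and "&amp;lt;" all reduce to "<" before the check runs.
function canonicalize(string $s, int $max_rounds = 5): string {
    for ($i = 0; $i < $max_rounds; $i++) {
        $decoded = html_entity_decode($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        if ($decoded === $s) {
            break;
        }
        $s = $decoded;
    }
    return $s;
}

function has_html(string $s): bool {
    return naive_has_html(canonicalize($s));
}

// Output side: when HTML descriptions are disabled, escape at render
// time no matter what form the stored text takes.
function render_description(string $stored, bool $allow_html): string {
    return $allow_html
        ? $stored
        : nl2br(htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample descriptions (example.com is a placeholder).
$samples = [
    'plain'          => 'Potluck at noon',
    'raw tag'        => '<a href="http://example.com/">link</a>',
    'named entity'   => '&lt;a href=http://example.com/&gt;link&lt;/a&gt;',
    'numeric entity' => '&#60;a href=http://example.com/&#62;link&#60;/a&#62;',
    'double encoded' => '&amp;lt;a href=http://example.com/&amp;gt;link',
];

foreach ($samples as $label => $text) {
    printf("%-15s naive=%-5s canonical=%-5s\n  rendered: %s\n",
        $label,
        var_export(naive_has_html($text), true),
        var_export(has_html($text), true),
        render_description($text, false));
}
```

Escaping at render time is the control that holds even when the input check is bypassed; the canonicalizing check is useful mainly for rejecting or flagging submissions before they are stored.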
Logged In: YES
user_id=913916
Originator: YES
I tested it myself to see:
a) if someone is bypassing the conventional entry method
or
b) if URLs can be entered into the Description field using the conventional entry method.
So I went to the "edit_entry.php" page, typed this into the description field:
"This great resource <a href="http://www.mennonitechurch.ca/">MC-Canada</a> [url=http://www.mennonitechurch.ca/]MC-Canada[/url] http://www.mennonitechurch.ca/"
I entered a couple of other bits of information into other fields and clicked "Save".
It was accepted and displayed as an event with HTML in the Description field! :-(
Grant
Logged In: YES
user_id=14386
Originator: NO
Unfortunately, you are not the first user to encounter this problem. So, I put together a CAPTCHA add-on for WebCalendar 1.0.4. See the following URL:
http://www.k5n.us/webcalendar.php?topic=Add-Ons
This will create a CAPTCHA image at the bottom of the add event form when a public user is attempting to add an event.
Logged In: YES
user_id=1312539
Originator: NO
This Tracker item was closed automatically by the system. It was
previously set to a Pending status, and the original submitter
did not respond within 30 days (the time period specified by
the administrator of this Tracker).