You are missing our premiere tool bar navigation system! Register and use it for FREE!

NukeCops  
•  Home •  Downloads •  Gallery •  Your Account •  Forums • 
Readme First
- Readme First! -

Read and follow the rules, otherwise your posts will be closed
Modules
· Home
· FAQ
· Buy a Theme
· Advertising
· AvantGo
· Bookmarks
· Columbia
· Community
· Donations
· Downloads
· Feedback
· Forums
· PHP-Nuke HOWTO
· Private Messages
· Search
· Statistics
· Stories Archive
· Submit News
· Surveys
· Theme Gallery
· Top
· Topics
· Your Account
Who's Online
There are currently, 308 guest(s) and 0 member(s) that are online.

You are Anonymous user. You can register for free by clicking here
How to allow special HTML tags

16.1. How to allow special HTML tags

User input is checked and filtered automatically by PHP-Nuke. For this purpose the functions filter_text and check_html are used. filter_text checks and replaces bad words, then calls check_html, which in turn checks for HTML tags and strips them completely off, if the second parameter is "nohtml".

Table 16-1 shows all modules that call filter_text, together with the line the call is made on. You can see that filter_text is used to filter

  • the text of a mail response in the WebMail module

  • the comments in the News module

  • the comments in the Reviews module

  • the subject, story and extended story text in the Submit_News module

  • the subject and comments in the Surveys module

  • the username and message in the Your_Account module

Table 16-1. Calls to filter_text from PHP-Nuke modules (v.6.8)

Module

Line with call to filter_text

modules/WebMail/readmail.php

$res = filter_text($res); // Security fix by Ulf Harnhammar 2002

modules/News/comments.php

$comment = FixQuotes(nl2br(filter_text($comment)));

modules/News/comments.php

$subject = FixQuotes(filter_text($subject, "nohtml"));

modules/News/comments.php

$comment = FixQuotes(filter_text($comment));

modules/Reviews/index.php

$comments = FixQuotes(nl2br(filter_text($comments)));

modules/Submit_News/index.php

$subject = FixQuotes(filter_text($subject, "nohtml"));

modules/Submit_News/index.php

$story = FixQuotes(nl2br(filter_text($story)));

modules/Submit_News/index.php

$storyext = FixQuotes(nl2br(filter_text($storyext)));

modules/Submit_News/index.php

$story = FixQuotes(filter_text($story));

modules/Submit_News/index.php

$storyext = FixQuotes(filter_text($storyext));

modules/Surveys/comments.php

$subject = FixQuotes(filter_text($subject, "nohtml"));

modules/Surveys/comments.php

$comment = FixQuotes(nl2br(filter_text($comment)));

modules/Surveys/comments.php

$comment = FixQuotes(filter_text($comment));

modules/Your_Account/index.php

filter_text($username);

modules/Your_Account/index.php

if ($bio) { filter_text($bio); $bio = $EditedMessage; $bio = FixQuotes($bio); }

modules/Your_Account/index.php

$the_message = FixQuotes(filter_text($the_message, "nohtml"));



check_html, in turn, is not only called from filter_text, but also in its own right. Table 16-2 shows all modules that call check_html and the line it is called on. You can see that check_html is called to check the HTML input in

  • the query string in the Downloads, Encyclopedia, Web Links and Search sections

  • the title, text, reviewer, URL text and comments in the Reviews module

  • user name, e-mail, various user info fields in the Your Account module

  • bodytext and comments in the Journal module

Table 16-2. Calls to check_html from PHP-Nuke modules (v.6.8)

Module

Line with call to filter_text

modules/Downloads/index.php

$query = check_html($query, nohtml);

modules/Encyclopedia/search.php

$query = check_html($query, nohtml);

modules/Encyclopedia/search.php

$query = check_html($query, nohtml);

modules/Reviews/index.php

$title = stripslashes(check_html($title, "nohtml"));

modules/Reviews/index.php

$text = stripslashes(check_html($text, ""));

modules/Reviews/index.php

$reviewer = stripslashes(check_html($reviewer, "nohtml"));

modules/Reviews/index.php

$url_title = stripslashes(check_html($url_title, "nohtml"));

modules/Reviews/index.php

$title = stripslashes(FixQuotes(check_html($title, "nohtml")));

modules/Reviews/index.php

$text = stripslashes(Fixquotes(urldecode(check_html($text, ""))));

modules/Reviews/index.php

$comments = stripslashes(FixQuotes(check_html($comments)));

modules/Search/index.php

$query = stripslashes(check_html($query, nohtml));

modules/Web_Links/index.php

$query = check_html($query, nohtml);

modules/Your_Account/index.php

$username = check_html($username, nohtml);

modules/Your_Account/index.php

$user_email = check_html($user_email, nohtml);

modules/Your_Account/index.php

$user_email = check_html($user_email, nohtml);

modules/Your_Account/index.php

$femail = check_html($femail, nohtml);

modules/Your_Account/index.php

$user_website = check_html($user_website, nohtml);

modules/Your_Account/index.php

$bio = check_html($bio, nohtml);

modules/Your_Account/index.php

$user_avatar = check_html($user_avatar, nohtml);

modules/Your_Account/index.php

$user_icq = check_html($user_icq, nohtml);

modules/Your_Account/index.php

$user_aim = check_html($user_aim, nohtml);

modules/Your_Account/index.php

$user_yim = check_html($user_yim, nohtml);

modules/Your_Account/index.php

$user_msnm = check_html($user_msnm, nohtml);

modules/Your_Account/index.php

$user_occ = check_html($user_occ, nohtml);

modules/Your_Account/index.php

$user_from = check_html($user_from, nohtml);

modules/Your_Account/index.php

$user_interests = check_html($user_interests, nohtml);

modules/Your_Account/index.php

$realname = check_html($realname, nohtml);

modules/Journal/display.php

$row[bodytext]=check_html($row[bodytext], $strip);

modules/Journal/display.php

$row[comment]=check_html($row[comment], $strip);



check_html uses the $AllowableHTML array that is defined in config.php. The idea is that only the tags that are included in the $AllowableHTML array should be allowed. However, even if you explicitly allow the img tag in $AllowableHTML, it will be stripped away by check_html (and by filter_text, which also calls it). The line that does this is

$str = eregi_replace("<[[:space:]]* img[[:space:]]*([^>]*)[[:space:]]*>", ", $str);

You can comment out that line - though it is certainly a security issue (allowing people to post harmful code in img tags).

You can also comment out the line that eliminates all anchor attributes exept href in the <a> tag:

$str = eregi_replace("<a[^>]*href[[:space:]]*=[[:space:]]*\"?[[:space:]]*([^\" >]*)[[:space:]]*\"?[^>]*>", '<a href="\\1">', $str); # "

These changes will affect the checks done at all places shown in both Table 16-1 and Table 16-2, so again, be careful with security issues. You have to trust your users to give them this comfort.

Put the tags you want to allow in the $AllowableHTML array in the config.php file. Here is a (quite liberal) example:

$AllowableHTML = array("b"=>1,
         "i"=>1,
         "a"=>2,
         "em"=>1,
         "br"=>1,
         "strong"=>1,
         "blockquote"=>1,
         "tt"=>1,
         "li"=>1,
         "ol"=>1,
         "H1"=>1,
         "H2"=>1,
         "H3"=>1,
         "H4"=>1,
         "center"=>1,
         "img"=>2,
         "alt"=>1,
         "table"=>2,
         "tr"=>2,
         "td"=>2,
         "p"=>2,
         "div"=>2,
         "font"=>2,
         "p"=>1,
         "p"=>1,
         "ul"=>1);

The numbers that appear next to each tag have the following meaning:

  • a 1 means the tag does not accept any attributes

  • a 2 indicates that the tag may also contain attributes

See also Section 3.7.

Powered by TOGETHER TEAM srl ITALY http://www.togetherteam.it - DONDELEO E-COMMERCE http://www.DonDeLeo.com - TUTTISU E-COMMERCE http://www.tuttisu.it
Web site engine's code is Copyright © 2002 by PHP-Nuke. All Rights Reserved. PHP-Nuke is Free Software released under the GNU/GPL license.
Page Generation: 0.025 Seconds - 368 pages served in past 5 minutes. Nuke Cops Founded by Paul Laudanski (Zhen-Xjell)
:: FI Theme :: PHP-Nuke theme by coldblooded (www.nukemods.com) ::