IngegneriConLePalle.com - Il sito degli Studenti della Facoltà di Ingegneria di Forlì

Login o Registrare

Promotions

Online Chat

Vuoi cambiar Nome?!
/n tuonome cambia nick

Scegli la Tua Chat

Mobile	Fissa
Popup	Off

Menu

Utenti

	Il tuo profilo
	Lista Membri
	Blog Utenti
	Firma il Guestbook!
	Contatta Web Master
	Passaparola!!!!

Community

	Galleria Foto
	Salagiochi
	Forums
	Messaggi Privati
	Cruciverba
	Sudoku
	WebChat
	Calendario Eventi
	Torneo Fantacalcio
	Documenti

Risorse

	Downloads
	Loghi x Cellulari
	Web Links
	Barzellette
	Cerca nel Sito

Documenti

	Argomenti
	News
	Aggiungi News
	Digital-Sat News
	AvantGo

Servizi

	Previsioni Meteo
	Elenco Telefonico
	Video Musicali
	Radio Streaming
	Serata in TV
	Stradario d'Italia
	GoogleMaps

Utilità

	Php-Nuke Tools
	GUIstuff+
	Multi Search Engine
	Codice Fiscale
	Underground Search
	Submit Engines
	Open Directory
	PHP-Nuke HOWTO

Statistiche

	Statistiche del Sito
	Analysis
	Top 10

Inverno 2005

	Bollettino Neve
	WebCam Neve

	RSS Articoli 0.91
	RSS Articoli 2.0
	RSS Downloads 0.91
	RSS Downloads 2.0
	RSS Links 0.91
	RSS Links 2.0
	RSS Forums 0.91
	RSS Forums 2.0
	RSS Calendario 0.91
	RSS Calendario 2.0
	ATOM Articoli 0.3

Spambot Killer

Promotions

Security
We have caught 1656 shameful hackers. NukeSentinel™ 2.5.17

How to allow special HTML tags

PHP-Nuke: Management and Programming
Prev	Chapter 16. Modifying mainfile.php	Next

16.1. How to allow special HTML tags

User input is checked and filtered automatically by PHP-Nuke. For this purpose the functions filter_text and check_html are used. filter_text checks and replaces bad words, then calls check_html, which in turn checks for HTML tags and strips them completely off, if the second parameter is "nohtml".

Table 16-1 shows all modules that call filter_text, together with the line the call is made on. You can see that filter_text is used to filter

the text of a mail response in the WebMail module
the comments in the News module
the comments in the Reviews module
the subject, story and extended story text in the Submit_News module
the subject and comments in the Surveys module
the username and message in the Your_Account module

Table 16-1. Calls to filter_text from PHP-Nuke modules (v.6.8)

Module	Line with call to filter_text
modules/WebMail/readmail.php	$res = filter_text($res); // Security fix by Ulf Harnhammar 2002
modules/News/comments.php	$comment = FixQuotes(nl2br(filter_text($comment)));
modules/News/comments.php	$subject = FixQuotes(filter_text($subject, "nohtml"));
modules/News/comments.php	$comment = FixQuotes(filter_text($comment));
modules/Reviews/index.php	$comments = FixQuotes(nl2br(filter_text($comments)));
modules/Submit_News/index.php	$subject = FixQuotes(filter_text($subject, "nohtml"));
modules/Submit_News/index.php	$story = FixQuotes(nl2br(filter_text($story)));
modules/Submit_News/index.php	$storyext = FixQuotes(nl2br(filter_text($storyext)));
modules/Submit_News/index.php	$story = FixQuotes(filter_text($story));
modules/Submit_News/index.php	$storyext = FixQuotes(filter_text($storyext));
modules/Surveys/comments.php	$subject = FixQuotes(filter_text($subject, "nohtml"));
modules/Surveys/comments.php	$comment = FixQuotes(nl2br(filter_text($comment)));
modules/Surveys/comments.php	$comment = FixQuotes(filter_text($comment));
modules/Your_Account/index.php	filter_text($username);
modules/Your_Account/index.php	if ($bio) { filter_text($bio); $bio = $EditedMessage; $bio = FixQuotes($bio); }
modules/Your_Account/index.php	$the_message = FixQuotes(filter_text($the_message, "nohtml"));

check_html, in turn, is not only called from filter_text, but also in its own right. Table 16-2 shows all modules that call check_html and the line it is called on. You can see that check_html is called to check the HTML input in

the query string in the Downloads, Encyclopedia, Web Links and Search sections
the title, text, reviewer, URL text and comments in the Reviews module
user name, e-mail, various user info fields in the Your Account module
bodytext and comments in the Journal module

Table 16-2. Calls to check_html from PHP-Nuke modules (v.6.8)

Module	Line with call to filter_text
modules/Downloads/index.php	$query = check_html($query, nohtml);
modules/Encyclopedia/search.php	$query = check_html($query, nohtml);
modules/Encyclopedia/search.php	$query = check_html($query, nohtml);
modules/Reviews/index.php	$title = stripslashes(check_html($title, "nohtml"));
modules/Reviews/index.php	$text = stripslashes(check_html($text, ""));
modules/Reviews/index.php	$reviewer = stripslashes(check_html($reviewer, "nohtml"));
modules/Reviews/index.php	$url_title = stripslashes(check_html($url_title, "nohtml"));
modules/Reviews/index.php	$title = stripslashes(FixQuotes(check_html($title, "nohtml")));
modules/Reviews/index.php	$text = stripslashes(Fixquotes(urldecode(check_html($text, ""))));
modules/Reviews/index.php	$comments = stripslashes(FixQuotes(check_html($comments)));
modules/Search/index.php	$query = stripslashes(check_html($query, nohtml));
modules/Web_Links/index.php	$query = check_html($query, nohtml);
modules/Your_Account/index.php	$username = check_html($username, nohtml);
modules/Your_Account/index.php	$user_email = check_html($user_email, nohtml);
modules/Your_Account/index.php	$user_email = check_html($user_email, nohtml);
modules/Your_Account/index.php	$femail = check_html($femail, nohtml);
modules/Your_Account/index.php	$user_website = check_html($user_website, nohtml);
modules/Your_Account/index.php	$bio = check_html($bio, nohtml);
modules/Your_Account/index.php	$user_avatar = check_html($user_avatar, nohtml);
modules/Your_Account/index.php	$user_icq = check_html($user_icq, nohtml);
modules/Your_Account/index.php	$user_aim = check_html($user_aim, nohtml);
modules/Your_Account/index.php	$user_yim = check_html($user_yim, nohtml);
modules/Your_Account/index.php	$user_msnm = check_html($user_msnm, nohtml);
modules/Your_Account/index.php	$user_occ = check_html($user_occ, nohtml);
modules/Your_Account/index.php	$user_from = check_html($user_from, nohtml);
modules/Your_Account/index.php	$user_interests = check_html($user_interests, nohtml);
modules/Your_Account/index.php	$realname = check_html($realname, nohtml);
modules/Journal/display.php	$row[bodytext]=check_html($row[bodytext], $strip);
modules/Journal/display.php	$row[comment]=check_html($row[comment], $strip);

check_html uses the $AllowableHTML array that is defined in config.php. The idea is that only the tags that are included in the $AllowableHTML array should be allowed. However, even if you explicitly allow the img tag in $AllowableHTML, it will be stripped away by check_html (and by filter_text, which also calls it). The line that does this is

$str = eregi_replace("<[[:space:]]* img[[:space:]]*([^>]*)[[:space:]]*>", ", $str);

You can comment out that line - though it is certainly a security issue (allowing people to post harmful code in img tags).

You can also comment out the line that eliminates all anchor attributes exept href in the <a> tag:

$str = eregi_replace("<a[^>]*href[[:space:]]*=[[:space:]]*\"?[[:space:]]*([^\" >]*)[[:space:]]*\"?[^>]*>", '<a href="\\1">', $str); # "

These changes will affect the checks done at all places shown in both Table 16-1 and Table 16-2, so again, be careful with security issues. You have to trust your users to give them this comfort.

Put the tags you want to allow in the $AllowableHTML array in the config.php file. Here is a (quite liberal) example:

$AllowableHTML = array("b"=>1,
         "i"=>1,
         "a"=>2,
         "em"=>1,
         "br"=>1,
         "strong"=>1,
         "blockquote"=>1,
         "tt"=>1,
         "li"=>1,
         "ol"=>1,
         "H1"=>1,
         "H2"=>1,
         "H3"=>1,
         "H4"=>1,
         "center"=>1,
         "img"=>2,
         "alt"=>1,
         "table"=>2,
         "tr"=>2,
         "td"=>2,
         "p"=>2,
         "div"=>2,
         "font"=>2,
         "p"=>1,
         "p"=>1,
         "ul"=>1);

The numbers that appear next to each tag have the following meaning:

a 1 means the tag does not accept any attributes
a 2 indicates that the tag may also contain attributes

See also Section 3.7.

Prev	Home	Next
Modifying mainfile.php	Up	How to change the order of messages

Help us make a better PHP-Nuke HOWTO!

Want to contribute to this HOWTO? Have a suggestion or a solution to a problem that was not treated here? Post your comments on my PHP-Nuke Forum!

Chris Karakas, Maintainer PHP-Nuke HOWTO

.:: WebMaster Ing. Francesco Feruzzi :: ©2005 IngegneriConLePalle.com :: Regolamento ::.
Generazione pagina: 0.77 Secondi

Creative Commons License

Eccetto dove diversamente specificato, i contenuti di questo sito sono rilasciati sotto Licenza Creative Commons Attribuzione 2.5.

SEO Stats powered by MyPagerank.Net