Hello,
First post here. We have the "Transforms HTML for comments" as the first plugin in the "Active" column under "Event Plugins". It has "All Authors" selected.
However the warning "HTML-Tags will be converted to Entities" still appears on the comment form and they are converted. We cannot post images or links in out comments.
Can anyone tell me what I need to do to activate or configure this plugin?
Thanks!
JG
Problems with Event Plugin "Transforms HTML for comment
-
jerrygarciuh
- Posts: 4
- Joined: Sat Dec 01, 2007 5:22 am
-
garvinhicking
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
- Contact:
Re: Problems with Event Plugin "Transforms HTML for com
Hi!
That plugin is only there to NOT strip HTML code like <b>Bold</b> from postings. It does NOT render this as HTML code, but is displayed in raw text.
There is no s9y plugin that supports HTML code in comments. This is thought to be a major security risk, thus we don't support it and don't encourage it. Instead, you should use metamarkup like bbcode or textile.
REgards,
Garvin
That plugin is only there to NOT strip HTML code like <b>Bold</b> from postings. It does NOT render this as HTML code, but is displayed in raw text.
There is no s9y plugin that supports HTML code in comments. This is thought to be a major security risk, thus we don't support it and don't encourage it. Instead, you should use metamarkup like bbcode or textile.
REgards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
-
jerrygarciuh
- Posts: 4
- Joined: Sat Dec 01, 2007 5:22 am
Re: Problems with Event Plugin "Transforms HTML for com
Hi Garvin,garvinhicking wrote:Hi!
That plugin is only there to NOT strip HTML code like <b>Bold</b> from postings. It does NOT render this as HTML code, but is displayed in raw text.
There is no s9y plugin that supports HTML code in comments. This is thought to be a major security risk, thus we don't support it and don't encourage it. Instead, you should use metamarkup like bbcode or textile.
REgards,
Garvin
Thank you very much for taking the time to respond to my question!
As you may know the LiveJournal Perl code has managed to allow for HTML in comments while managing to keep out JavaScript and CSS hacks. I know many people consider PHP to be an inherently less secure way of delivering multi-author documents. Is that your opinion also?
JG
-
garvinhicking
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
- Contact:
Re: Problems with Event Plugin "Transforms HTML for com
Hi!
I simply have not yet seen a PHP method/function to strip out dangerous HTML. Hacks are always evolving, so I don't really believe in a secure way of allowing HTML.
IMHO it's not a matter of Perl vs. PHP. What can be done in Perl can also be done in PHP.
Are you sure the LJ Perl lib is completely secure? Even against UTF-7 CSS-Injections or <embed>-Tag abuse?
Regards,
Garvin
I simply have not yet seen a PHP method/function to strip out dangerous HTML. Hacks are always evolving, so I don't really believe in a secure way of allowing HTML.
IMHO it's not a matter of Perl vs. PHP. What can be done in Perl can also be done in PHP.
Are you sure the LJ Perl lib is completely secure? Even against UTF-7 CSS-Injections or <embed>-Tag abuse?
Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
-
jerrygarciuh
- Posts: 4
- Joined: Sat Dec 01, 2007 5:22 am
Re: Problems with Event Plugin "Transforms HTML for com
Hi Garvin,garvinhicking wrote:Hi!
That plugin is only there to NOT strip HTML code like <b>Bold</b> from postings. It does NOT render this as HTML code, but is displayed in raw text.
There is no s9y plugin that supports HTML code in comments. This is thought to be a major security risk, thus we don't support it and don't encourage it. Instead, you should use metamarkup like bbcode or textile.
REgards,
Garvin
I see mention in various places of the bbcode plugin but a search of http://spartacus.s9y.org/index.php?mode ... s_event_en and http://spartacus.s9y.org/index.php?mode ... sidebar_en
does not show me the plugin.
I have gone over the admin looking for a non-plugin control for this but it does not seem to be present.
Can you advise?
JG
-
garvinhicking
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
- Contact:
Re: Problems with Event Plugin "Transforms HTML for com
Hi Jerry!
The BBCode plugin comes with Serendipity by default, no need to download it anywhere. You can install it straight ahead.
HTH,
Garvin
The BBCode plugin comes with Serendipity by default, no need to download it anywhere. You can install it straight ahead.
HTH,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
-
jerrygarciuh
- Posts: 4
- Joined: Sat Dec 01, 2007 5:22 am
Re: Problems with Event Plugin "Transforms HTML for com
Hi Garvin,garvinhicking wrote:Hi Jerry!
The BBCode plugin comes with Serendipity by default, no need to download it anywhere. You can install it straight ahead.
HTH,
Garvin
Thanks for all the help! When I had't seen it in my admin I had done a search for Event plugins and not seen it but now I searched for Markup and foound it.
Really appreciate you having taken time with me!!
Peace
JG
Hey, Garvin. I'm back for a few hours, and I figured I'd make your life miserable. Sorry.
I've always had problems with the "insecure HTML" premise. After all, the real reason BBCode is "secure" is because it does only a subset of what HTML can do. Slashdot allows HTML in its comments; I think we could, too. As long as we restrict it to a subset of HTML.
For instance, I'd allow only a few formatting tags: P, BR, I, B, U, QUOTE, CODE, IMG, UL, OL, and LI. I'd refuse all parameters: no style=, size=, or anything else. I'd make a single special exception to include the A tag, which must have an href.
If anything fails the very simple formatting rules, it gets HTML-escaped, just like the rest of the comment does. No OBJECT, EMBED, or SCRIPT tags allowed. Not to mention DIV and SPAN, which are pretty useless without their class attributes.
Isn't this what BBCode does, but using [] instead of <>? What's so special about the HTML, other than being more pointy?
I've always had problems with the "insecure HTML" premise. After all, the real reason BBCode is "secure" is because it does only a subset of what HTML can do. Slashdot allows HTML in its comments; I think we could, too. As long as we restrict it to a subset of HTML.
For instance, I'd allow only a few formatting tags: P, BR, I, B, U, QUOTE, CODE, IMG, UL, OL, and LI. I'd refuse all parameters: no style=, size=, or anything else. I'd make a single special exception to include the A tag, which must have an href.
If anything fails the very simple formatting rules, it gets HTML-escaped, just like the rest of the comment does. No OBJECT, EMBED, or SCRIPT tags allowed. Not to mention DIV and SPAN, which are pretty useless without their class attributes.
Isn't this what BBCode does, but using [] instead of <>? What's so special about the HTML, other than being more pointy?
-
garvinhicking
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
- Contact:
Hi!
They easier allow to make invalid HTML. Imagine if someone enter's "<br>", this must be converted to "<br />". And then, it must also allow "<br />" as an input. Same with "<p>" - it might have a closing "</p>", but people might forget this.
Allowing HTML, even a subset, is like opening Pandora's Box. $0.02.
Regards,
Garvin
They easier allow to make invalid HTML. Imagine if someone enter's "<br>", this must be converted to "<br />". And then, it must also allow "<br />" as an input. Same with "<p>" - it might have a closing "</p>", but people might forget this.
Allowing HTML, even a subset, is like opening Pandora's Box. $0.02.
Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/