Enable HTML on comment
- Septdir
-
Topic Author
- Offline
- New Member
Just started the process; on the results I will unsubscribe here. If someone has a solution, I would be very grateful. I need an option, I need a hack: where and what to change.
1. /administrator/components/com_k2/tables/k2comment.php
$this->commentText = JString::trim($this->commentText);
$this->commentText = $this->commentText;
2. /media/k2/assets/js/k2.js
case 'comments': - I'm not good at JS, leaving this for later
3. Disable Convert URLs to links properly
/components/com_k2/views/item/view.raw.php
DELETE
// Convert URLs to links properly
$comments[$i]->commentText = preg_replace("/([^\w\/])(www\.[a-z0-9\-]+\.[a-z0-9\-]+)/i", "$1http://$2", $comments[$i]->commentText);
$comments[$i]->commentText = preg_replace("/([\w]+:\/\/[\w-?&;#~=\.\/\@]+[\w\/])/i", "<a target=\"_blank\" rel=\"nofollow\" href=\"$1\">$1</A>", $comments[$i]->commentText);
$comments[$i]->commentText = preg_replace("/([\w-?&;#~=\.\/]+\@(\[?)[a-zA-Z0-9\-\.]+\.([a-zA-Z]{2,3}|[0-9]{1,3})(\]?))/i", "<a href=\"mailto:$1\">$1</A>", $comments[$i]->commentText);
Further I found. With admin panel html not thirst. But what to do next I do not know.
- Krikor Boghossian
-
- User
It leaves your site vulnerable to XSS attacks.
This is where the tags are being stripped.
github.com/joomlaworks/k2/blob/master/components/com_k2/models/item.php#L1140-L1141
You can look at php.net/manual/en/function.strip-tags.php to ensure only certain tags are allowed.
- Septdir
-
Topic Author
- Offline
- New Member
- Posts: 5
This I have tried from the beginning, considering it would be the best solution.
Krikor wrote: Enabling all tags can lead to potential security issues.
It leaves your site vulnerable to XSS attacks.
This is where the tags are being stripped.
github.com/joomlaworks/k2/blob/master/components/com_k2/models/item.php#L1140-L1141
You can look at php.net/manual/en/function.strip-tags.php to ensure only certain tags are allowed.
For example: $row->commentText = strip_tags($row->commentText, '<div><p><strong>');
No result either.
I know that the inclusion of HTML is a threat to security, but at the moment the task is to include all HTML tags in comments, and I would not give up the full guide.
- Michael Gulyaev
-
- Offline
- New Member
- Posts: 9
Krikor wrote: Enabling all tags can lead to potential security issues.
It leaves your site vulnerable to XSS attacks.
This is where the tags are being stripped.
github.com/joomlaworks/k2/blob/master/components/com_k2/models/item.php#L1140-L1141
You can look at php.net/manual/en/function.strip-tags.php to ensure only certain tags are allowed.
Krikor, I have the same problem. I wrote here
https://github.com/joomlaworks/k2/blob/master/components/com_k2/models/item.php#L1140-L1141
as you said. But there is no effect.
I wrote these lines there:
$row->commentText = JRequest::getString('commentText', '', 'default');
$row->commentText = strip_tags($row->commentText, '<a><b><i>');
But when I write in the comments something such as <a href="gmail.com>gmail</a>, in the comment I see only gmail, without the tags <a> and </a>. The same with the tags <b> and <i>.
Maybe you can advise another method, or maybe it is not enough to change only two lines in the code?
Thanks!
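An added example, not part of any post above and not K2 code: strip_tags() with an allowlist such as '<a><b><i>' keeps every attribute on the tags it allows, so event handlers and javascript: links survive it. The sketch below strips attributes after the tag filter and re-adds only a vetted href; the function name sanitizeCommentHtml() and the allowlist are assumptions for illustration.

```php
<?php
// Added example, not K2 code. sanitizeCommentHtml() and its allowlist are
// hypothetical names chosen for illustration.
function sanitizeCommentHtml(string $html): string
{
    // Step 1: remove every tag outside the allowlist. strip_tags() keeps the
    // attributes of allowed tags untouched, so this alone is not enough.
    $html = strip_tags($html, '<a><b><i>');

    // Step 2: parse the remainder inside a wrapper <div> we control.
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // tolerate sloppy markup
    $doc->loadHTML('<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
        . '</head><body><div>' . $html . '</div></body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    $root = $doc->getElementsByTagName('div')->item(0);
    if ($root === null) {
        return '';
    }

    // Step 3: drop all attributes, then re-add only a vetted href on links.
    foreach (iterator_to_array($root->getElementsByTagName('*')) as $el) {
        $href = $el->nodeName === 'a' ? trim($el->getAttribute('href')) : '';
        while ($el->attributes->length > 0) {
            $el->removeAttributeNode($el->attributes->item(0));
        }
        // Only absolute http(s) and mailto links pass; javascript:, data: etc. do not.
        if ($el->nodeName === 'a' && preg_match('#^(https?://|mailto:)#i', $href)) {
            $el->setAttribute('href', $href);
            $el->setAttribute('rel', 'nofollow noopener');
        }
    }

    // Step 4: serialize only the wrapper's children.
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample comment.
$comment = '<b onmouseover="alert(1)">hi</b> '
    . '<a href="javascript:alert(1)">x</a> '
    . '<a href="https://example.com" onclick="x()">ok</a><script>alert(1)</script>';
echo sanitizeCommentHtml($comment), "\n";
```

The sanitized string has to be stored and rendered without a later escaping or tag-stripping pass, otherwise the allowed tags are lost again at output time.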