Problems with Event Plugin "Transforms HTML for comment

Random stuff about serendipity. Discussion, Questions, Paraphernalia.
Post Reply
jerrygarciuh
Posts: 4
Joined: Sat Dec 01, 2007 5:22 am

Problems with Event Plugin "Transforms HTML for comment

Post by jerrygarciuh »

Hello,

First post here. We have the "Transforms HTML for comments" as the first plugin in the "Active" column under "Event Plugins". It has "All Authors" selected.

However the warning "HTML-Tags will be converted to Entities" still appears on the comment form and they are converted. We cannot post images or links in out comments.

Can anyone tell me what I need to do to activate or configure this plugin?

Thanks!

JG
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Re: Problems with Event Plugin "Transforms HTML for com

Post by garvinhicking »

Hi!

That plugin is only there to NOT strip HTML code like <b>Bold</b> from postings. It does NOT render this as HTML code, but is displayed in raw text.

There is no s9y plugin that supports HTML code in comments. This is thought to be a major security risk, thus we don't support it and don't encourage it. Instead, you should use metamarkup like bbcode or textile.

REgards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
jerrygarciuh
Posts: 4
Joined: Sat Dec 01, 2007 5:22 am

Re: Problems with Event Plugin "Transforms HTML for com

Post by jerrygarciuh »

garvinhicking wrote:Hi!

That plugin is only there to NOT strip HTML code like <b>Bold</b> from postings. It does NOT render this as HTML code, but is displayed in raw text.

There is no s9y plugin that supports HTML code in comments. This is thought to be a major security risk, thus we don't support it and don't encourage it. Instead, you should use metamarkup like bbcode or textile.

REgards,
Garvin
Hi Garvin,

Thank you very much for taking the time to respond to my question!

As you may know the LiveJournal Perl code has managed to allow for HTML in comments while managing to keep out JavaScript and CSS hacks. I know many people consider PHP to be an inherently less secure way of delivering multi-author documents. Is that your opinion also?

JG
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Re: Problems with Event Plugin "Transforms HTML for com

Post by garvinhicking »

Hi!

I simply have not yet seen a PHP method/function to strip out dangerous HTML. Hacks are always evolving, so I don't really believe in a secure way of allowing HTML.

IMHO it's not a matter of Perl vs. PHP. What can be done in Perl can also be done in PHP.

Are you sure the LJ Perl lib is completely secure? Even against UTF-7 CSS-Injections or <embed>-Tag abuse?

Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
jerrygarciuh
Posts: 4
Joined: Sat Dec 01, 2007 5:22 am

Re: Problems with Event Plugin "Transforms HTML for com

Post by jerrygarciuh »

garvinhicking wrote:Hi!

That plugin is only there to NOT strip HTML code like <b>Bold</b> from postings. It does NOT render this as HTML code, but is displayed in raw text.

There is no s9y plugin that supports HTML code in comments. This is thought to be a major security risk, thus we don't support it and don't encourage it. Instead, you should use metamarkup like bbcode or textile.

REgards,
Garvin
Hi Garvin,

I see mention in various places of the bbcode plugin but a search of http://spartacus.s9y.org/index.php?mode ... s_event_en and http://spartacus.s9y.org/index.php?mode ... sidebar_en
does not show me the plugin.

I have gone over the admin looking for a non-plugin control for this but it does not seem to be present.

Can you advise?

JG
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Re: Problems with Event Plugin "Transforms HTML for com

Post by garvinhicking »

Hi Jerry!

The BBCode plugin comes with Serendipity by default, no need to download it anywhere. You can install it straight ahead.

HTH,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
jerrygarciuh
Posts: 4
Joined: Sat Dec 01, 2007 5:22 am

Re: Problems with Event Plugin "Transforms HTML for com

Post by jerrygarciuh »

garvinhicking wrote:Hi Jerry!

The BBCode plugin comes with Serendipity by default, no need to download it anywhere. You can install it straight ahead.

HTH,
Garvin
Hi Garvin,

Thanks for all the help! When I had't seen it in my admin I had done a search for Event plugins and not seen it but now I searched for Markup and foound it.

Really appreciate you having taken time with me!!

Peace

JG
judebert
Regular
Posts: 2478
Joined: Sat Oct 15, 2005 6:57 am
Location: Orlando, FL
Contact:

Post by judebert »

Hey, Garvin. I'm back for a few hours, and I figured I'd make your life miserable. Sorry.

I've always had problems with the "insecure HTML" premise. After all, the real reason BBCode is "secure" is because it does only a subset of what HTML can do. Slashdot allows HTML in its comments; I think we could, too. As long as we restrict it to a subset of HTML.

For instance, I'd allow only a few formatting tags: P, BR, I, B, U, QUOTE, CODE, IMG, UL, OL, and LI. I'd refuse all parameters: no style=, size=, or anything else. I'd make a single special exception to include the A tag, which must have an href.

If anything fails the very simple formatting rules, it gets HTML-escaped, just like the rest of the comment does. No OBJECT, EMBED, or SCRIPT tags allowed. Not to mention DIV and SPAN, which are pretty useless without their class attributes.

Isn't this what BBCode does, but using [] instead of <>? What's so special about the HTML, other than being more pointy?
Judebert
---
Website | Wishlist | PayPal
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Post by garvinhicking »

Hi!

They easier allow to make invalid HTML. Imagine if someone enter's "<br>", this must be converted to "<br />". And then, it must also allow "<br />" as an input. Same with "<p>" - it might have a closing "</p>", but people might forget this.

Allowing HTML, even a subset, is like opening Pandora's Box. $0.02.

Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
Post Reply