The MU forums have moved to WordPress.org

iframe and javascript (10 posts)

  1. WWDay3
    Member
    Posted 16 years ago #

    Before I get ripped a new one, let me point out that I've searched for this in the archives for the last couple days, and all I've succeeded at is getting more confused. Here's the question:

    Has anyone succesfully hacked the KSES file to allow iframe and/or javascript based on some kind of permission logic (blog user or some such)?

    I need to be able to circumvent the filters for a few specific "power" users - specifically when it comes to iframe and JS. I've looked over the KSES file multiple times, and I'm not savvy enough with PHP (yet!) to fully understand some of the logic (I apologize profusely).

    The first thing I tried was to allow iframe (I guess permission logic will have to be added later??). I added iframe to the $allowedposttags array as well as the $allowedtags array. Result after attempting to add iframe to a page - the iframe tags remained, but everything between them was stripped? So, obviously I've only covered the the first step.

    Am I going in the wrong direction for this to work?

    Thanks,
    Wally

  2. demonicume
    Member
    Posted 16 years ago #

    heres what i did since i was the cat begging for help with this.

    use 'userthemes', this will allow your users to put whatever they want in the sidebar as long as its hardcoded. widgets are still stripped... that is unless you go here and use this hack. this hack works great. i use it right now. you can decided who gets access to the theme editor which ultimately determines who has access to the java-enabled widgets.

    if you want a real plugin to do this for you check here. i havent tried it yet, but it does the same thing as the previous hack.

    someone PHP god step in and correct me if i'm wrong. but this is my solution. i only allow proven bloggers who identities i have confirmed to have access to the theme editor. hope this helps.

    DemonC

  3. drmiketemp
    Member
    Posted 16 years ago #

    Thank you for searching first. We don't mind helping people but when it gets to handholding on basic stuff that folks at this level should already know....

    Actually we covered this a few days ago but is was for a different set of tags. We used to have the ability to set a "unfiltered_html" fald for certain end users. Since you mention that it would only be for a few users, that's the route I would take. Link on my previous post. It would have to be something you would have to code though, probably as a plugin. If the user in question had that flag set, then remove the kses filter. I've not searched through the code on how to do it so I couldn't tell you how.

    That's the way I would do it but looking at wp-includes/default-filters.php, I'm not sure what filter I would remove. Looks like all the kses calls are for commentors.

  4. WWDay3
    Member
    Posted 16 years ago #

    You know, this is actually kind of funny. I was reminded of this when I read this quote "Sorry, it's not going to come back but you could add it back using a plugin if you really miss it."

    I've worked as an application programmer on IBM mid-range machines for years. Call me an "end-developer" (not really a machine-head or bit-twiddler).

    At one point in time we used a particular CASE tool to develop applications for end-users. The tool had basic program templates that I had to "inherit" and then do quite a bit of modifying to mesh with our company's standards. If the tool had the capability for me to re-define the base templates or perhaps define new templates, it would have saved me countless hours while "enforcing" consistency (yes, sometimes something would get missed).

    I attended a conference with the developers and brought this issue up. They looked at me like I was from a different planet. With a glazed look in their eyes, they wondered why I would want to change their perfectly designed program templates. I must be crazy, you know?

  5. demonicume
    Member
    Posted 16 years ago #

    now youre beginning to understand. now we can begin appropriately. :P

  6. drmiketemp
    Member
    Posted 16 years ago #

    We went through it with the Cerberus help desk when they moved up to v3. They added in a taging system (which in my opinion didn't work and still doesn't) and gutted a lot of the features that we liked out of v2. I mean one would think that listing FAQ questions would be a good thing but they didn't see it that way.

    Luckily we had a backup of the older version.

    It also happened here with the invites.

  7. WWDay3
    Member
    Posted 16 years ago #

    Well, back to my question. DrMike, in the thread you referenced, there was some code listed in the that looked interesting (I pretty much ignored the bickering :).

    Anyhoo, the snippet listed apparently (I'm still learning this) returns a match using preg_match (what does that mean anyway - preg?). If the match is determined to be "ok", the string is returned (and apparently "allowed").

    Now, as I am still a bit un-PHP-hip: couldn't you basically just accomplish the same thing by somehow querying the user "name" or user "suthority" at this point, and exiting the function? In other words: if user authority = "superuser-status", return $string?

    BTW, if these are technical questions that I should asking elsewhere, please let me know.

    1) Is there a way to put a function like KSES in debug mode and "step" through the function? Or,
    2) Is the preferred way to just put "echos" inside the code at whatever point you want to see a value?

    Thanks,
    Wally

  8. schuerstedt
    Member
    Posted 16 years ago #

    I had the same problem - inserting a iframe - and found the following plugin:

    http://www.coffee2code.com/archives/2005/03/29/plugin-dynamic-text-replace/

    It's a text replace plugin.

    Now I can define replacements for iframe settings etc.

    iframe => <iframe src='%text%' %display% frameborder=0></iframe>

    and use it in the text like:

    ::iframe("URL", "parameters")::

    Workes great for me - because the plugin supports custom text replacement functions in the plugin code, one can integrate security enhancements if necessary (like restrictions on the URL).

    Or predefined iframe calls, e.g. to a google map iframe etc. (that what I am using it for :-)

    Scripting does not work out of the box, because the replacement text cannot have brackets as far as I could see. But one can change the replacement function in the code if neccessary. I might do this, but for now I do not have the need...

  9. uscommonsense
    Member
    Posted 16 years ago #

    Using the plug-in to create the ::iframe:: replacement as shown above, how do you fix the dimentions of the field that is created? For example, I was using iframes to embed a SMF on my politics site in regular WordPress.org software. On my WPMU site, the iframe code I used for the other site won't work. So, going with ::iframe::, I can display the forum, but it is being compressed into a tiny field, making the forum next to useless. I have tried to plug in the height/width dimentions into the parameters section in the post with no success. So, I tried plugging it into the plug-in list, and still no luck.

    Any recommendations?

  10. uscommonsense
    Member
    Posted 16 years ago #

    Sorry. Duplicate post. (deleted)

About this Topic

  • Started 16 years ago by WWDay3
  • Latest reply from uscommonsense