The MU forums have moved to WordPress.org

[closed] MU removes code automatically from posts, pages & sidebar widget (37 posts)

  1. blog247coza
    Member
    Posted 17 years ago #

    Hi guys

From what I understand, after activating and running the sidebar widget one is supposed to be able to paste any kind of code (i.e. Javascript, Map fields, etc.) into the text widget, but for some reason MU removes any code that isn't <img> or <a href></a>.

Is there any way to expand what MU allows as acceptable code in posts and the sidebar widgets?

    Thanks in advance

  2. drmike
    Member
    Posted 17 years ago #

Is there any way to expand what MU allows as acceptable code in posts and the sidebar widgets?

    You do realize that you're just opening your site to attacks, kiddie scripters and the like if you do that, right?

  3. blog247coza
    Member
    Posted 17 years ago #

drmike, it depends on what you allow. For example MU removes the tag <smp3> from posts, thereby not allowing users to use the flash mp3 player. There is no harm (as I see it) in allowing this tag, as it's not real code you're allowing people to use.

Besides which, why do most blogging sites (blogger.com etc.) allow users to add any kind of JS or HTML code to their site? Why must MU be different and special?

  4. blog247coza
    Member
    Posted 17 years ago #

    OK I figured out how to do this. In kses.php I added the following after $string = wp_kses_stripslashes($string);

    // Poster's addition to kses.php, inserted right after
    // $string = wp_kses_stripslashes($string);
    // Strip the "<smp3" and ">" wrapper, run wp_kses over what is left
    // until it stops changing, then put the wrapper back.
    if (preg_match('%^<smp3(.*?)(>)?$%', $string, $matches)) {
        $string = str_replace(array('<smp3', '>'), '', $matches[1]);
        while ( $string != $newstring = wp_kses($string, $allowed_html, $allowed_protocols) )
            $string = $newstring;
        if ( $string == '' )
            return '';
        return "<smp3{$string}>";
    }

    This now allows users to add <smp3 plus variables > in their post. Should be pretty harmless - correct?
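
    A safer way to get the same result, as an added Python illustration that is not kses.php and not the poster's patch: extend a kses-style allow-list with <smp3> and the single attribute it needs, so unknown tags, event-handler attributes, javascript: URLs and stray angle brackets are still stripped. The tag and protocol lists and the sample post are constructed for this example.

```python
import html
import re
from urllib.parse import urlsplit

# Allow-list in the shape kses uses: tag -> attributes it may carry.
# Constructed for this example; it is not WordPress's $allowedposttags.
ALLOWED_HTML = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"},
                "smp3": {"src"}}  # the thread's player tag, admitted with its source only
ALLOWED_PROTOCOLS, URL_ATTRS = {"http", "https"}, {"href", "src"}
TAG_RE = re.compile(r"^<(/?)([A-Za-z][A-Za-z0-9]*)((?:\s[^>]*?)?)\s*(/?)>$", re.S)
ATTR_RE = re.compile(r"""([A-Za-z][-A-Za-z0-9]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
def url_allowed(value):
    # Decode entities and strip control chars/whitespace before reading the scheme, as browsers do.
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", html.unescape(value))
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:
        return False
    return scheme == "" or scheme in ALLOWED_PROTOCOLS

def filter_tag(tag):
    # Rebuild one tag from its allowed parts; unknown tags are removed outright.
    if not (m := TAG_RE.match(tag)):
        return html.escape(tag)        # comment or malformed tag: render it as text
    closing, name, attr_text, self_close = m.groups()
    name = name.lower()
    if name not in ALLOWED_HTML:
        return ""                      # <script>, <embed>, <object>, ... vanish
    if closing:
        return f"</{name}>"
    kept = []
    for a in ATTR_RE.finditer(attr_text):
        attr = a.group(1).lower()
        value = html.unescape(next(v for v in a.groups()[1:] if v is not None))
        if attr not in ALLOWED_HTML[name]:
            continue                   # on*, style, etc. are never copied through
        if attr in URL_ATTRS and not url_allowed(value):
            continue                   # href="javascript:..." is dropped
        kept.append(f'{attr}="{html.escape(value, quote=True)}"')
    return f"<{name}{' ' + ' '.join(kept) if kept else ''}{' /' if self_close else ''}>"

def kses(text):
    # Split into tags and text: filter the tags, escape stray '<' and '>' in the text.
    pieces = re.split(r"(<[^<>]*>)", text)   # odd indices are the captured tags
    return "".join(filter_tag(p) if i % 2 else p.replace("<", "&lt;").replace(">", "&gt;")
                   for i, p in enumerate(pieces))

SAMPLE_POST = (  # constructed sample: one legitimate player tag plus things the filter must stop
    '<smp3 src="http://example.com/song.mp3" onload="alert(1)"><a href="javascript:alert(1)" title="t">x</a>'
    '<img src="/pic.png" alt="p" /><script>alert(1)</script><embed src="http://example.com/m.swf"> 1 < 2')
```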

  5. andrea_r
    Moderator
    Posted 17 years ago #

    My users have been running some code (blogrolling etc.) in sidebar widgets... I didn't make any code changes.

  6. blog247coza
    Member
    Posted 17 years ago #

andrea_r - sidebar widgets do solve a lot of the problems with adding custom code, but I have found that they don't solve everything. There are a few blog resources which require users to insert <map> code, but if you try to add this via widgets MU removes the code automatically.

  7. kobak
    Member
    Posted 17 years ago #

How can I allow swf to be included in posts?

  8. drmike
    Member
    Posted 17 years ago #

Most of us just use a plugin like wp-extremevideo, hacking the code if need be. Allowing the embed tags that *.swf files would need would be a security risk if the end user was able to do it directly.

  9. kobak
    Member
    Posted 16 years ago #

    thanks drmike, the extremevideo plugin works like a charm! :-)

  10. L2Lulu
    Member
    Posted 16 years ago #

    My problem is not exactly the same, but since using WPMU I noticed certain things being stripped from the code I'd add to display graphics within a post. For example, my most desired theme includes a few built-in classes to allow proper image alignment in a post. By simply adding a tag such as class="right" I can very easily right justify my embedded image, frame it and wrap the text around it.

  11. L2Lulu
    Member
    Posted 16 years ago #

    Cont'd...
    WPMU strips out the code which is really frustrating. I've been going into the database and actually editing the values in the post field which is obviously not ideal. I only use WPMU for my own personal blogs on my own website so I can maintain code and settings, etc. in one central place. I wish there'd be an option for less security when so much is unnecessary in many situations. Still, I heart WPMU.

  12. L2Lulu
    Member
    Posted 16 years ago #

Thank you so much, blog247coza. With your hint I was able to easily modify kses.php and allow for my theme's class, which I really really want to use. Very easy, even for a non-php gal like me. I wouldn't have known where to look to make this change without your help. Thanx.

  13. Frequent
    Member
    Posted 16 years ago #

    I have a couple of older blogs on my MU site that were created back in 05. These older blogs don't seem to strip code. They can run javascript in the sidebar widget.

    I don't recall doing any special modifications to those blogs, so would it just be due to the fact that they were created while I was running an older MU version?

    Is there an easy way I could allow select trusted blogs to run a script when they wanted? I have a user that would like to use the sidebar text widgets to run Adsense code.

    Thanks,

    Freq

  14. GregM
    Member
    Posted 16 years ago #

    Hi L2Lulu and others,

    There was a thread a few days ago which discussed this very problem, of code being stripped out by kses.php. Beware of discussing this too much without an asbestos suit -- I was flamed because some members felt such issues shouldn't be discussed here. Apparently 1) it's too technical, and 2) some folks don't like discussions that might run contrary to decisions made by the developers (i.e., it was the developers who specifically changed kses.php in 1.2.2 to remove code from posts, etc.). Go figure.

    Anyway, the workaround is fairly straightforward. Here's a discussion of the risks, and of the 'fix':

    http://whereelsetoputit.com/blog/restoring-lost-wordpress-functionality/

    All the best,
    Greg

  15. drmiketemp
    Member
    Posted 16 years ago #

    For reference, here's the thread.

Actually you were pointed to the correct place to discuss this, as it is something that needs to be discussed with the developers. You'll note that there aren't any developers here in the forums. That's why you were directed there. (You do see that there are no developers here, right? Link #1 Link #2 Please check the dates)

Not trying to be rude or argumentative, but do you understand the term "yelling into the wind"? If you want to have a discussion on this topic, then that's the correct place for it. Right now you're preaching to the choir.

    I do hope that you do see that I'm trying to point you to the right place to be on this topic.

    edit: or heck, open up a trac ticket and explain there. That may even be better than the mail lists.

  16. GregM
    Member
    Posted 16 years ago #

    So let's see if I understand correctly, drmike...

    Three or 4 people asked a question. You didn't answer that question, except to say "you're just opening your site to attacks, kiddie scripters and the like".

    I stopped by and answered the question.

    Now, you're telling me off -- yet again -- for "yelling into the wind"?

    Here's a thought, drmike: if you don't have anything to contribute to the thread (except for telling people off), maybe you could just not post?

    Or, alternatively, rather than telling off other people who are trying to help (you may have noticed there are others on the forum besides yourself), maybe just tell off the people who ask the questions. That way, they'll learn that people should not come here and ask any question that you don't want to answer yourself.

    All the best,
    Greg

    EDIT: p.s. Since you chose to make such a big deal out of "there are no developers here", it's interesting to note that actually, I see Donncha's last replies here in this forum were 1 hour ago, 12 hours ago, 10 hours ago, 13 hours ago, 1 day ago, etc. Wow, there really is someone else here besides you. And gosh, do you think anyone ever stops by without posting something just for the sake of posting? Well, yes, maybe some people do actually do that.

  17. drmiketemp
    Member
    Posted 16 years ago #

    So let's see if I understand correctly, drmike...

    No, you didn't understand what I said.

  18. lunabyte
    Member
    Posted 16 years ago #

Actually there, Gregory, when Doc posted the information about there not being a developer active in discussions here, the statement was true at the time.

Donncha does have other responsibilities to attend to, and "usually" only posts in the forums if it's needed/warranted.

    Unfortunately, Dr Mike pointed you in a logical direction. Whether you like that or not is not his problem. So no, you weren't told off, but I'm sure you could be if you really thought it was necessary.

    So no, you didn't understand a lick of what the Doc said to you at all.

  19. GregM
    Member
    Posted 16 years ago #

    Hey there lunabyte and drmike tag-team duo,

    Do you have anything constructive to add to the conversation that addresses the actual subject of the thread (you know, the one the questioner helpfully put in the subject line)?

In the linked article, I've offered some detailed information about the actual underlying cause of what the questioner was asking about -- namely, the kses.php filter -- and an opinion on the security risks of enabling certain code to pass through the kses.php filter.

    Now apart from reiterating your opinions already expressed in the previous thread -- which, I note, are primarily meta-observations about why we shouldn't discuss such things, rather than any actual contribution to the actual question -- do you have anything constructive to add to the discussion? If not, perhaps you could extend other people the courtesy of allowing them to discuss a topic without your oversight?

    All the best,
    Greg

  20. donncha
    Key Master
    Posted 16 years ago #

  21. drmiketemp
    Member
    Posted 16 years ago #

    Do you have anything constructive to add to the conversation that addresses the actual subject of the thread (you know, the one the questioner helpfully put in the subject line)?

    Already did. You missed it. Three times now.

    edit: Think maybe you can stop insulting folks around here now and maybe read what folks are telling you in an attempt to help you?

  22. lunabyte
    Member
    Posted 16 years ago #

    I don't think he gets it Doc. Actually, I'm pretty sure he doesn't. No need wasting your keystrokes.

  23. demonicume
    Member
    Posted 16 years ago #

With the heavy level of counterproductive smarm that flies around here, I hardly blinked at his insults. It seems to be the thing to do in this forum.

  24. lunabyte
    Member
    Posted 16 years ago #

    I know, it's sad. New folks show up and just start spewing. :(

    [ insert Kyle's "catch phrase" here ]

  25. Frequent
    Member
    Posted 16 years ago #

    First let me say I understand the risks and why the system is set to strip code by default.

    But, on a case by case basis (i.e. if I trust the blogger) I would like to be able to allow the running of scripts. It would be nice if this was a function of the admin page, but if I had to go in and change some flag in the database that would be fine too.

    Since these older blogs obviously aren't "flagged" can I assume that I should be able to go in and give a newer blog the same capability?

What do I need to look for in the database, and how do I need to change it?

    Thanks,

    Freq---

  26. drmiketemp
    Member
    Posted 16 years ago #

We used to have the ability to add an 'unfiltered_html' flag or option on a user's account. That ability got removed though. (Original code here) You may want to try working out a method where the kses function isn't called if the user has this flag set.

    Good luck,
    -drmike

  27. GregM
    Member
    Posted 16 years ago #

    Hi folks,

    In case you're only following this thread via RSS, rather than devoting your time to monitoring the whole forum each day, you may have missed Donncha's post on the topic a couple of days ago:

    http://mu.wordpress.org/forums/topic.php?id=5931

    The relevant core file now supports easy modification via plugin (not that it was hard before, but still); separately, other recent changes have been rolled back, but the main thing is the easy plugability.

    By golly, constructive discussion does sometimes help, developers do sometimes stop by, and solutions are sometimes forthcoming, despite all the ad hominem attacks and rhetorical bull****.

    All the best,
    Greg

  28. drmiketemp
    Member
    Posted 16 years ago #

    By golly, think maybe you can stop your attacks? I'd respond to your attacks yet again but considering you ignored what folks told you was the best course of action previously and insulted those trying to help you, I doubt it would do any good.

Donncha, this needs to end. All this does is continue to show the extreme lack of respect the developers have for the volunteers here trying to help folks. ITDanger rarely answers questions anymore. Andrea doesn't. Andrew doesn't. I won't either. This is why, and you're the one allowing it to continue. Please remember the last moderator resigned in disgust with the way you folks treated him.

    Maybe you Donncha need to step up and stop ignoring the issue.

  29. andrewbillits
    Member
    Posted 16 years ago #

    I'm not trying to be a pain or act childish but the doc is right. This has gone on long enough. Either you can start providing your own volunteers or you can hand out some moderator privileges.

    I honestly don't care who you make a moderator but we need at least two.

    Thanks,
    Andrew

  30. lunabyte
    Member
    Posted 16 years ago #

    I'll applaud you both for that, and note I've been on board as well.

    I will note though, that I'm not sure how much pull/say Donncha has with the issue.

About this Topic

  • Started 17 years ago by blog247coza
  • Latest reply from donncha