
Template Customizer by Jason Ling (32 posts)

  1. dizzy99
    Member
    Posted 17 years ago #

    Well, I've got my hands on V0.88d of this fantastic CSS editing plugin and it works wonderfully with MU.

    http://jason.lah.cc/

    I know there are some concerns about possible security, aren't there always with these things, but I think these risks are about as likely as posting links using the Blogroll section of WordPress, so, unless told otherwise, I'll probably offer this to my members on our production site (when we launch). It's a fantastic way for them to add their own style onto our stock themes.

    One modification I would truly love would be to have a CSS color box popup when a user clicks the present color box it shows in the Colours section. It would then pop up a javascript color choice box; the member clicks the color of his choice and it inserts into the CSS class box on the left.

    Anyone achieved this yet?

  2. corourke
    Member
    Posted 17 years ago #

    Isn't that exactly what the kubrick theme does? I'm pretty sure that's how their color box works.

  3. andrea_r
    Moderator
    Posted 17 years ago #

    The Striped Plus theme has that color picker too. I bet you could snag code from that.

    While we're on the topic, has anyone looked into using this plugin to just show custom options for particular themes? Not all?

  4. dizzy99
    Member
    Posted 17 years ago #

    I know you have to edit your theme to get the best out of it, putting in default colors so it picks up the divs. But it works very well indeed and gives a lot of flexibility to stock themes.

  5. quenting
    Member
    Posted 17 years ago #

    I don't see how you can compare security for this and for blogroll... I don't know how secure this plugin is, but if it doesn't parse javascript out, it's really not difficult to take control of your site by just having you visit a hacked page (for instance run a change password http request via javascript, just an example among thousands of other possibilities). If you're at least a little bit serious about your blogging platform and if you expect any competition, I really suggest you be careful, even more after posting here that you plan to expose your site to hacking.

  6. dizzy99
    Member
    Posted 17 years ago #

    Is it really that insecure then, quenting? If so I'd certainly consider not using it, but it's certainly a handy addon, and it seems a shame if I am forced to not allow it :(

    Does anyone know if this plugin is that insecure?

    Are there any security checks we can perform on it to see how it holds up?

  7. lunabyte
    Member
    Posted 17 years ago #

    If it doesn't parse java, or php for that matter, yes.

    Because someone could easily grab a copy of MU, look through the source, and then execute whatever they would care to in order to either destroy, or infiltrate the entire install. Think about it. If I can stick php in a template, and read through the source of MU, how difficult is it for me to put together a simple update query to either update myself as a site admin, or change the site admin's password?

    Or, run a query and drop the entire db.

    IMHO, whether it's css or templates, letting users touch the actual source is just a plain dumb idea. If there's even only a 10% chance someone could pull off something malicious with it, or less than 1% chance even, it just isn't worth it to make the feature available.

    Now if it were a drag and drop type deal, where someone isn't actually typing code but simply grabbing and placing existing snippets, that "may" be different. Like grab a div, grab a template tag, etc. Then letting them set a specific class or id name (while parsing out brackets and other kinds of stuff) for the tag might be a better compromise.

    However when it comes to hundreds, thousands, or more people trusting you, as the overall host of the service to keep their blog as safe as possible, opening up source code editing is a risk that should be avoided at all costs.

    All I'd have to do is insert an iframe with something like a login box that says "verify login to read my blog", and it's all downhill from there.

    As for security checks, what are you going to do? You could turn all < and > around a javascript tag into their html counterparts, but then you have to worry about php. You can't do that, as template tags are php, so the templates wouldn't work. If you did that, then you still have iframes and 100 other things to try and avoid. In the end, the template isn't going to work because you've parsed out all the legitimate stuff along with the bad.

    Of course, it's just my opinion.

    For someone that is simply managing their own sites with MU, and not open to public registration, it's different. You're the site admin, and the end user.

    But if you're open to public registration, my personal philosophy is trust no one.

  8. andrea_r
    Moderator
    Posted 17 years ago #

    But this plugin just parses existing CSS in a theme and only allows very minor editing, much like a theme options menu. Wouldn't that be far more secure than the other plugin that allows access to a copy of style.css?

  9. lunabyte
    Member
    Posted 17 years ago #

    It depends. If it's only access to certain parts of a css file, then that's a step better.

    If it's only css editing, and not full template access, that's even better.

    But, it's still possible to execute remote javascript. The only real tweak to this would be if it was only allowing changing of colors, and parsed out any character that wasn't 0-9 or A-F, and cut everything off after 6 characters.

  10. dizzy99
    Member
    Posted 17 years ago #

    OK, I've been looking at some ways to embed javascript into input boxes.

    Posting something like 'http://www.vulnerablesite.com/cgi-bin/search.php?keywords=<script>alert("OK")<script>'

    is a good test, so that was my first try in the image boxes.

    The code then got output as 'background: url(http://www.vulnerablesite.com/cgi-bin/search.php?keywords=&ltscriptalertOK&ltscript) no-repeat left center;' which seems to escape it nicely.

    Tried next with '<script language=javascript>document.write("Hello World!");</script>'

    Output was 'background: url(script language=javascriptdocument.writeHello World!/script) no-repeat left center;
    }'

    Obviously neither of these got parsed.

    Any other way to test?

  11. andrea_r
    Moderator
    Posted 17 years ago #

    Well, on a simple template the original plugin just allows a text box for any colors it can find, no idea if it parses it or truncates yet (I have to actually, you know, *read the code* :D ), and for any images you can plunk in a URL.

    That's pretty much it.

  12. quenting
    Member
    Posted 17 years ago #

    If it extracts existing colors only, and allows only for replacement, that's probably fine. If it allows for raw CSS input though, it's bad.
    But when you think about it, there must be a function in MU to filter out this type of malicious code, I mean the one that's used to treat posts. You can't include malicious CSS or JS inside regular WP posts, and yet you're actually submitting HTML code to the server, so this code must somehow be parsed and malicious code removed from it. Any plugin aiming at allowing CSS editing should use the same mechanism, if only for the sake of being consistent.

    Note: Are style tag attributes allowed in posts? Allowing them sounds like allowing CSS editing, but I don't remember if you can do it.

  13. dizzy99
    Member
    Posted 17 years ago #

    As Andrea said, you have two lots of boxes on this plugin. There's no direct CSS editing as such.

    The first handles background images. You see the defaults and can input a URL to replace them. This is where I performed some (very basic) javascript tests. This is similar to regular themes that allow you to change the background header using the same method.

    The second set of boxes is for CSS colors only. Again it shows the existing color in a box on the right hand side and a box for placement of color on the left (allowing you to change that), and that's all.

    I've looked at the risks here and maybe to really close the plugin to security exploits a check to make sure the plugin has valid extensions in the boxes (and only image extensions) for the background images would be best. I'm not entirely sure it doesn't already do that.

    The other thing I noticed is the color box edits are far wider for input than needed. I think it's 6 characters and the # for color, isn't it? So the input boxes only really need to be able to have 7 characters input into them. So I'll adjust that to make it a little more secure.

    If a color editor picker could be incorporated within the color picture section (still to look into this) then you could do away with input boxes altogether at that part of the plugin. Just allow the member to click the already set color, up pops a javascript box, he picks his color, it drops back down and bingo, the new color is displayed in the box. This means click input only which should reduce the risks further.

    It's an amazingly valuable plugin, especially for MU installations, as it gives each member flexibility with the stock themes without changing the stock theme for everybody else or allowing direct CSS edits.

    Each member can edit the theme and its parsed only for his blog so one theme can have hundreds of styles.
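    The two checks discussed in this thread, lunabyte's rule for colour fields (keep only 0-9 and A-F, cut off after 6 characters) and the image-extension check for the URL fields suggested just above, written out as an added example. This is not code from the Template Customizer plugin; the function names, the `#header` selector and the example.com default image are constructed for the demonstration. It runs the two strings tried in the image boxes earlier in the thread through the URL check.

```php
<?php
// Added example (PHP 7.1+), not code from the Template Customizer plugin.
// Whitelist validation for the two kinds of fields the thread describes:
// colour values and background-image URLs. Anything that fails is replaced
// by the theme's default, so the stored stylesheet only ever contains
// values of a known shape.

// Colour: keep only 0-9A-F, cut to 6 characters, require exactly 6.
// Returns a normalised "#RRGGBB" string, or null when the input is unusable.
function customizer_sanitize_color(string $input): ?string
{
    $hex = strtoupper(preg_replace('/[^0-9A-Fa-f]/', '', $input));
    $hex = substr($hex, 0, 6);
    if (strlen($hex) !== 6) {   // rejects "#abc" shorthand and truncated junk
        return null;
    }
    return '#' . $hex;
}

// Image URL: absolute http(s) URL, no userinfo, path ending in an image
// extension, and none of the characters that could close the url() token
// or the CSS rule it sits in.
function customizer_sanitize_image_url(string $input): ?string
{
    $input = trim($input);
    if ($input === '' || strlen($input) > 2048) {
        return null;
    }
    // Whitespace, quotes, brackets, angle brackets, semicolons, braces, backslashes.
    if (preg_match('/[\s()\'"<>;{}\\\\]/', $input)) {
        return null;
    }
    $parts = parse_url($input);
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    $allowed = ['png', 'gif', 'jpg', 'jpeg'];
    $ext = strtolower(pathinfo($parts['path'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return null;
    }
    return $input;
}

// Build the CSS declarations that would be stored for one blog.
// $defaults holds the theme's original values; $submitted is what the user typed.
function customizer_build_css(array $defaults, array $submitted): string
{
    $css = '';
    foreach ($defaults['colors'] as $selector => $default) {
        $color = customizer_sanitize_color($submitted['colors'][$selector] ?? '') ?? $default;
        $css .= "$selector { color: $color; }\n";
    }
    foreach ($defaults['images'] as $selector => $default) {
        $url = customizer_sanitize_image_url($submitted['images'][$selector] ?? '') ?? $default;
        $css .= "$selector { background: url($url) no-repeat left center; }\n";
    }
    return $css;
}

// Constructed sample run. The colour value tries to smuggle a second
// declaration after the hex; the image values are the two strings from
// the tests posted earlier in this thread.
$defaults = [
    'colors' => ['#header' => '#336699'],
    'images' => ['#header' => 'http://example.com/themes/stock/header.png'],
];
$submitted = [
    'colors' => ['#header' => 'ff00ff; background: url(x)'],
    'images' => ['#header' => 'http://www.vulnerablesite.com/cgi-bin/search.php?keywords=<script>alert("OK")<script>'],
];
echo customizer_build_css($defaults, $submitted);

$second = '<script language=javascript>document.write("Hello World!");</script>';
var_dump(customizer_sanitize_image_url($second));   // rejected: returns null
```

Both image-box inputs are rejected before they reach `parse_url`, because they contain characters outside the allowed set; even without that, `search.php` would fail the extension check and the default image would be used. The colour input loses everything after its first six hex digits, so the extra declaration never reaches the stylesheet. Whatever picker is wired up on the client later, the browser only decides what gets sent; the stored value still has to pass checks like these on the server.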

  14. lunabyte
    Member
    Posted 17 years ago #

    @Quenting

    Nope, no inline styles in MU from the post box. I drove myself nuts over this not too long ago in fact. I needed to make a quick edit (I think it was as simple as clear: both) so I just did what was natural in WP. And it didn't take. It left the tag, but took out the entire inline style. After a few minutes I gave up and used a class as a test, which worked fine, as did setting an id.

    With this editing css colors and links only, this plugin seems like it would probably be OK. It should be carefully looked at and tested though.

    Personally, I'd almost be scared to have themes and sites start looking like myspace. LOL

  15. quenting
    Member
    Posted 17 years ago #

    About myspace, YEAH you're right. If anyone has allowed Striped Plus on his site, this already gives some "good" results as far as blogs looking like myspace :-/.

    The problem I have with this plugin is the automatic parsing of the CSS... Plenty of themes have tons of classes, sometimes with unclear names, many of which are of no interest to the user, or simply shouldn't be edited for things to stay clean. This would probably result in users messing around with the wrong classes, breaking their layout and then begging for help in my support forums, which are already crowded well enough, thanks.
    I'd rather have something explicit like for striped plus. But of course that would mean much more work...

  16. lunabyte
    Member
    Posted 17 years ago #

    That's a good point Q.

    I "think" I'd rather make 3 or 4 separate style sheets, editing the colors myself, and then add a user option to pick the style sheet accordingly in the admin section.

    Even if it took me an hour per theme, to me that's still better than the alternative possibilities.

  17. lunabyte
    Member
    Posted 17 years ago #

    As a note on security, and how sometimes the little things that you don't even think of can kick you in the junk, check this article out.

    Following in the lines of editing files:

    Cross site scripting problem

    While this isn't exactly the topic on point here, it does follow within the spirit of the conversation.

  18. andrea_r
    Moderator
    Posted 17 years ago #

    Yeah, I'm thinking of using the spirit of this plugin to add some options to existing themes. It's an either/or with a snazzy functions page, is all. That way, if someone picks a theme and likes it, they don't have to change anything, but others who just want to tweak it a little bit can.

    Also helps avoid the myspace looks. Yowza. :O A lot of my users like the Water theme, thank God. They can just change a few colors with that.

    Just another item on my three-page to do list.

  19. quenting
    Member
    Posted 17 years ago #

    This is funny (about that XSS), my templates.php file starts with:

    <?php
    return;

    I guess no danger here, sometimes it's good to be based off an old nightly ;-).
    Anyway, I think what is more dangerous with CSS hacking is javascript forgeries (XSF).

  20. dizzy99
    Member
    Posted 17 years ago #

    Coming back to the plugin and the worry of members screwing up their theme and asking for help, this isn't a problem as there is a reset defaults option that reverts the theme back to factory settings. Remember also that this is on a per-member blog basis. So each member can have the same theme with different settings, making their theme unique.

    I still feel that, with satisfactory checking of vulnerabilities, this offers members who wish, with some experimentation, to change their theme colors and even images without needing direct CSS or theme editing capabilities.

    This allows one to be unique, in their own style, with the only danger being screwing up a color, not liking it and having to reset to do a "do over".

    I wish I understood more about these cross-site javascript vulnerabilities so I could check the plugin for such things.

  21. lunabyte
    Member
    Posted 17 years ago #

    Only 3 pages Andrea? Wanna swap lists? :D

    @Q...

    1.0 has a wp_die instead of return. Good by me.

    There isn't a danger here as far as I can tell. Mainly since theme editing isn't enabled. I didn't dig enough into it to look and see if the vulnerability was in the rest of the file though. But since the file isn't executable, due to the die, it isn't an MU issue.

  22. quenting
    Member
    Posted 17 years ago #

    > the worry of members screwing up there theme and asking for help, this isnt a problem as there is a reset defaults option that reverts the theme back to factory settings.

    Either you don't have users, or your users are techies, or you're *really* lucky.
    "Regular" users don't use the reset button, or read the help (I'm not even talking about the codex); they come to the forum and whine because they're not able to do what they want, until someone explains it, or until they leave forever.

  23. dizzy99
    Member
    Posted 17 years ago #

    Well, I guess you're right in that respect. I don't currently have any users at all, and I'm more tech savvy than most, I guess, but pressing, or indeed telling a member to press, a reset button that is part of the customiser plugin that messed up their theme (it would never mess up really, just not make it as pretty as they would like) isn't hard at all. Certainly nothing to stop me using the plugin anyway.

    After all, they can mess up in others ways too but giving them flexibility is key.

    My hosting service will be a kind of "closed shop" though, and only open to a small demographic area, so maybe my needs are different.

  24. dsader
    Member
    Posted 17 years ago #

    Dizzy99, Have you made any headway at integrating the ColourMod into the css editor? I banged my head at it a while back and got so far as having the box pop up when clicking the colour squares, but couldn't get it to send the hex value to the input field when clicking.

  25. dizzy99
    Member
    Posted 17 years ago #

    In honesty, dsader, I haven't yet looked fully. I've been wrapped up in other aspects of getting MU to do what I want, but it's on the plans.

    I had a quick look over the plugin and it's a little unstructured (i.e. confusing), but this javascript seems promising:

    http://www.free-color-picker.com/color-pop-combo.php

    All you need to do is add an onclick event

    'onclick="showColorGrid2('input_field_id','sample_id');"'

    where 'input_field_id' is the ID name of the input text control that will receive the RGB hex color code selected, and 'sample_id' is the ID name of the element that will receive the color sample.

    Looking at the output of the plugin, it does define the IDs, so it's just putting it all together.

  26. dsader
    Member
    Posted 17 years ago #

    dizzy99, indeed your recommended color-pop-combo works fine. Only 216 colours, though.

    I'll have another kick at ColourMod.

  27. dizzy99
    Member
    Posted 17 years ago #

    Let me know if you manage it, as I would love to incorporate a color editor in there.

  28. Konstan
    Member
    Posted 17 years ago #

    Sorry to bump this thread, but I wanted to ask if anyone has had any problems with malicious users using this? As in, trying to insert java and stuff.

    Is this a safe plugin?

  29. Ovidiu
    Member
    Posted 17 years ago #

    Well, they could.

    I got it working but have no clients for it so far :-)

    If you get it working, only customers you select can use it, but those will definitely be able to edit the themes they copy to their folder, so if they insert malicious code, you're screwed. BUT if not, they can customize any copy of a theme they like and won't affect anyone else's theme...

  30. dsader
    Member
    Posted 17 years ago #

    Jason's Customizer stores options for the stylesheet in the db, not the user folder. No code of any kind can be pasted in the option fields, only colour values and urls. I have seen debate on whether a script can execute if called from the url fields. I concluded it is not possible and I use the plugin.

    Userthemes copies themes and needs the theme editor enabled and offers a tonne of risk. Use userthemes wisely, allow no one to use theme-editor unsupervised.
