The MU forums have moved to WordPress.org

Big Issue? Text widgets allow embeds and javascript. (26 posts)

  1. Farms2
    Member
    Posted 17 years ago #

    A quick heads up - I just discovered that I could embed anything and add javascript to all my text widgets working with widgets Version: 1.0.20060711 on wpmu1.1

    Am not entirely sure if this is my fault or that of the code - but I'd encourage anyone who has this type of set-up to check it as I guess it's a possibly dangerous issue.

To fix, edit widgets.php in mu-plugins and delete lines 825 - 946 together with the call

    widget_text_register();
    - no more text widgets, but you still have widgets (and ones that are a darn sight safer too).

  2. mypatricks
    Member
    Posted 17 years ago #

    Why not update latest version?
    http://dev.wp-plugins.org/browser/widgets

  3. lunabyte
    Member
    Posted 17 years ago #

    Does it happen with the latest code version as well?

    1.2.1.20070210b is the last version I have locally on file.

  4. suleiman
    Member
    Posted 17 years ago #

    lol how is it passing through kses?

  5. drmike
    Member
    Posted 17 years ago #

I would have thought it should be going through kses automatically since it's added in as a filter.

    I'm showing 1.2.1.20070210b as the latest version as well.

    http://svn.wp-plugins.org/widgets/trunk

    edit: A few months back Andrea and I had this discussion as her system allowed them but mine did not.

  6. Farms2
    Member
    Posted 17 years ago #

    Latest version is still allowing javascript and embedding :(

    But not php... which is good I guess!

    But does this mean it's partially passing kses.php???

  7. mysorehead
    Member
    Posted 17 years ago #

    What exactly is it letting through? I tried onclick="alert('hi');" which it blocked

    Richard

  8. lunabyte
    Member
    Posted 17 years ago #

    My guess would be script and embed tags, but can't say for sure.

  9. Farms2
    Member
    Posted 17 years ago #

    This'll work:

    <div class="js-kit-rating"></div>
    <script src="http://js-kit.com/ratings.js"></script>

    As will this:

    [Code deleted so we can see the forums - drmike]
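What an allowlist filter should do with the first sample above (keep the div, drop the script line) and with the onclick attribute tested earlier in the thread, as an added example: this is a constructed kses-style filter, not WordPress's own kses code and not code from this thread; the ALLOWED table is an assumed stand-in for the real kses tag table.

```python
import re

# Constructed allowlist in the spirit of kses: tag -> permitted attributes.
# Anything not listed here (script, embed, object, iframe, ...) is dropped.
ALLOWED = {
    "div": {"class", "id"},
    "a": {"href", "title"},
    "p": set(),
    "strong": set(),
    "em": set(),
}

# Simplified tag/attribute scanners; good enough for the samples in this thread,
# not a full HTML parser (values containing '>' are not handled).
TAG_RE = re.compile(r"<\s*(/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*)>", re.S)
ATTR_RE = re.compile(r'([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)')
SAFE_SCHEMES = ("http://", "https://", "mailto:")


def _clean_attrs(tag, raw):
    kept = []
    for name, value in ATTR_RE.findall(raw):
        lname = name.lower()
        if lname not in ALLOWED[tag]:      # drops onclick=, style=, etc.
            continue
        unquoted = value.strip("\"'").replace('"', "&quot;")
        if lname == "href" and not unquoted.lower().startswith(SAFE_SCHEMES):
            continue                        # drops javascript: and data: links
        kept.append(f'{lname}="{unquoted}"')
    return (" " + " ".join(kept)) if kept else ""


def kses_like(html):
    """Return html with disallowed tags removed and attributes allowlisted.

    Like kses, only the tags are removed; text between them is left alone.
    """
    def repl(m):
        closing, tag, raw = m.group(1), m.group(2).lower(), m.group(3)
        if tag not in ALLOWED:
            return ""                       # <script>, <embed> vanish entirely
        if closing:
            return f"</{tag}>"
        return f"<{tag}{_clean_attrs(tag, raw)}>"
    return TAG_RE.sub(repl, html)


if __name__ == "__main__":
    # Constructed input: the js-kit sample from this thread.
    sample = '<div class="js-kit-rating"></div>\n<script src="http://js-kit.com/ratings.js"></script>'
    print(kses_like(sample))
```

If a text widget on a given install still emits the script line after going through the filter chain, that is the sign that the widget output is bypassing kses rather than kses letting it through.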

  10. Farms2
    Member
    Posted 17 years ago #

    To be honest I'd *really* like to let it work with them - but am feeling kinda concerned re: security.

  11. drmike
    Member
    Posted 17 years ago #

    On mine, it stripped out that entire second line. Didn't try the embed though.

  12. mysorehead
    Member
    Posted 17 years ago #

    I tried both of Farms' examples.

    The first one the second line was stripped and on the second one it all went.

    Richard

  13. Farms2
    Member
    Posted 17 years ago #

    Are you on wpmu1.1?

    Am trying to think what I might have running that could get round this - why would it block php but allow javascript, is this kses.php or another rule?

  14. mysorehead
    Member
    Posted 17 years ago #

    I'm on wordpress-mu-1.2.1 — at home on MAMP - I haven't checked in at school on the production server.

  15. Farms2
    Member
    Posted 17 years ago #

    I guess I'll have to try on a 1.2.1 install - still, I kinda want to be able to allow certain scripts without having to code widgets for each of them - any ideas?

  16. somsit
    Member
    Posted 16 years ago #

You need to mod some code so the text widget can include HTML/JavaScript. Just check here

    http://thainy.com/blog/2007/05/25/how-to-use-html-tag-and-script-in-wpmu-text-widget/

  17. drmike
    Member
    Posted 16 years ago #

    I think the issue is *NOT* to allow such code.

    Thanks for the response though.

  18. demonicume
    Member
    Posted 16 years ago #

Wow, good save there bro. Thanks. Every other system has a way for users to utilize the billions of cool scripts out there. Standard widgets are a close imitation, but no substitute. My users wanna use things like MyBlogLog widgets, Technorati widgets, etc. - and it's just easier if I let them do this stuff themselves. For the years I logged on Blogger, I never had to beg some administrator for functionality. Having to deal with a middle man is a deterrent to some people.

  19. drmike
    Member
    Posted 16 years ago #

I would find some of the articles on how to hack into Blogger or how it has been hacked and tell your users that's why you don't allow JavaScript.

    The MyBlogLog one is doable as a text widget, just for reference. Search the wp.com forums for a howto by engtech.

  20. demonicume
    Member
    Posted 16 years ago #

Good points. I'll find that info and take it into consideration.

    MyBlogLog has a plugin now that adds a widget. I've also got the SpringWidget plugin/widget. I'm looking at those right now.

  21. quenting
    Member
    Posted 16 years ago #

Blogger is a good example since it got hacked.
    If you allow javascript input by users, a not-too-talented script kiddie driving an administrator (or any user as a matter of fact) to visit his ill-built page can hack his account, then do whatever.
    If you allow this, and you have some competition and become popular, you'll get hacked. Just a matter of time. A solution could be to allow javascript only for subscriber/paying users. Having a way to trace them through their payment is a good incentive not to mess around too much.

  22. demonicume
    Member
    Posted 16 years ago #

That level of control is currently beyond my skill. Looking into it though.

  23. paulcstephensen
    Member
    Posted 16 years ago #

    Hey folks. This is an interesting discussion as I am having a similar issue with a new 1.3 installation.

    I am kind of a newbie/non programmer so please be gentle with me.

    Is this why I can no longer embed youtube videos natively? Is the only work around to have a plug-in to do it for me?

    thanks in advance
    paul

    thanks paul

  24. mars-hill
    Member
    Posted 15 years ago #

    That's right Paul. WPMU will strip it all out.

    I've been using smart youtube 2.0 to embed youtube videos and it seems to be fine with MU.

    http://www.prelovac.com/vladimir/wordpress-plugins/smart-youtube

  25. lunabyte
    Member
    Posted 15 years ago #

    8 months later, I'd bet they figured it out.

  26. mars-hill
    Member
    Posted 15 years ago #

    I guess so, but people searching through the forums for the solution to the same problem may not have. Or is bumping old posts with useful info bad etiquette here?

About this Topic

  • Started 17 years ago by Farms2
  • Latest reply from mars-hill