A quick heads-up - I just discovered that I could embed anything and add JavaScript to all my text widgets working with widgets Version: 1.0.20060711 on wpmu1.1.
I'm not entirely sure if this is my fault or that of the code - but I'd encourage anyone who has this type of set-up to check it, as I guess it's a possibly dangerous issue.
To fix, edit widgets.php in mu-plugins and delete lines 825 - 946 together with the call
widget_text_register();
- no more text widgets, but you still have widgets (and ones that are a darn sight safer too).
lunabyte
Member
Posted 17 years ago #
Does it happen with the latest code version as well?
1.2.1.20070210b is the last version I have locally on file.
lol how is it passing through kses?
I would have thought it should be going through kses automatically since it's added in as a filter.
I'm showing 1.2.1.20070210b as the latest version as well.
http://svn.wp-plugins.org/widgets/trunk
edit: A few months back Andrea and I had this discussion as her system allowed them but mine did not.
Latest version is still allowing javascript and embedding :(
But not php... which is good I guess!
But does this mean it's partially passing kses.php???
mysorehead
Member
Posted 17 years ago #
What exactly is it letting through? I tried onclick="alert('hi');" which it blocked
Richard
lunabyte
Member
Posted 17 years ago #
My guess would be script and embed tags, but can't say for sure.
This'll work:
<div class="js-kit-rating"></div>
<script src="http://js-kit.com/ratings.js"></script>
As will this:
[Code deleted so we can see the forums - drmike]
To be honest I'd *really* like to let it work with them - but am feeling kinda concerned re: security.
On mine, it stripped out that entire second line. Didn't try the embed though.
mysorehead
Member
Posted 17 years ago #
I tried both of Farms' examples.
The first one the second line was stripped and on the second one it all went.
Richard
Are you on wpmu1.1?
Am trying to think what I might have running that could get round this - why would it block PHP but allow JavaScript? Is this kses.php or another rule?
mysorehead
Member
Posted 17 years ago #
I'm on wordpress-mu-1.2.1 — at home on MAMP - I haven't checked in at school on the production server.
I guess I'll have to try on a 1.2.1 install - still, I kinda want to be able to allow certain scripts without having to code widgets for each of them - any ideas?
I think the issue is *NOT* to allow such code.
Thanks for the response though.
Wow, good save there bro. Thanks. Every other system has a way for users to utilize the billions of cool scripts out there. Standard widgets are a close imitation, but no substitute. My users wanna use things like mybloglog widgets, technorati widgets, etc - and it's just easier if I let them do this stuff themselves. For the years I logged on blogger, I never had to beg some administrator for functionality. Having to deal with a middle man is a deterrent to some people.
I would find some of the articles on how to hack into blogger or how it has been hacked and tell your users that's why you don't allow JavaScript.
The mybloglog is doable as a text widget just for reference. Search the wp.com forums for a howto by engtech.
Good points. I'll find that info and take it into consideration.
Mybloglog has a plugin now that adds a widget. I've also got the springwidget plugin/widget. I'm looking at those right now.
blogger is a good example since it got hacked.
If you allow javascript input by users, a not-too-talented script kiddie driving an administrator (or any user as a matter of fact) to visit his ill-built page can hack his account, then do whatever.
If you allow this, you have some competition and you become popular, you'll get hacked. Just a matter of time. A solution could be to allow javascript only for subscriber/paying users. Having a way to trace them through their payment is a good incentive not to mess around too much.
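Two points in this thread fit together: the earlier question of why kses, hooked in as a filter, should be catching script in text widgets, and the post just above explaining why user-supplied JavaScript lets a visitor's page take over whoever views it. The following is an added example, not code from the thread, from WordPress core, or from the widgets plugin: a stand-alone PHP allowlist sanitizer built on DOMDocument. It keeps only listed tags and attributes (so every on* handler, style attribute and script/embed/object element is dropped, and javascript: URLs are stripped from href/src), and when the file is loaded as an mu-plugin it hooks itself into WordPress's widget_text filter. The tag and attribute allowlist, the drop list and the sample input are constructed assumptions for the demonstration; tune the lists to what your site actually needs.

```php
<?php
// Added example: allowlist sanitizer for text-widget HTML (not WordPress's own kses).

// Tags a widget may contain and, per tag, the attributes they may keep (assumed lists).
const WIDGET_ALLOWED_HTML = [
    'a'      => ['href', 'title'],
    'p'      => [], 'br' => [], 'strong' => [], 'em' => [],
    'ul'     => [], 'ol' => [], 'li' => [],
    'div'    => ['class'],
    'span'   => ['class'],
    'img'    => ['src', 'alt', 'width', 'height'],
];

// Elements removed together with everything inside them; any other
// unlisted tag is unwrapped so its text survives but the tag does not.
const WIDGET_DROP_WITH_CONTENTS = ['script', 'style', 'embed', 'object', 'iframe', 'applet'];

// URL schemes allowed in href/src; javascript:, data:, vbscript: etc. are rejected.
const WIDGET_ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

function widget_url_is_safe(string $url): bool {
    // Browsers ignore embedded whitespace/control characters ("java\tscript:"),
    // so strip them before looking for a scheme.
    $probe = preg_replace('/[\x00-\x20]+/', '', $url);
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $probe, $m)) {
        return true; // relative URL, no scheme at all
    }
    return in_array(strtolower($m[1]), WIDGET_ALLOWED_SCHEMES, true);
}

function sanitize_children(DOMNode $parent): void {
    // Snapshot the list first: removing nodes while iterating a live DOMNodeList skips siblings.
    foreach (iterator_to_array($parent->childNodes, false) as $child) {
        if ($child instanceof DOMText) {
            continue; // text nodes are entity-escaped when serialised
        }
        if (!$child instanceof DOMElement) {
            $parent->removeChild($child); // comments, processing instructions
            continue;
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, WIDGET_DROP_WITH_CONTENTS, true)) {
            $parent->removeChild($child);
            continue;
        }
        sanitize_children($child); // clean the subtree before deciding about the element itself
        if (!array_key_exists($tag, WIDGET_ALLOWED_HTML)) {
            while ($child->firstChild !== null) {          // unwrap: keep contents, drop the tag
                $parent->insertBefore($child->firstChild, $child);
            }
            $parent->removeChild($child);
            continue;
        }
        $names = [];
        foreach ($child->attributes as $attr) {
            $names[] = $attr->name;
        }
        foreach ($names as $name) {
            $keep = in_array($name, WIDGET_ALLOWED_HTML[$tag], true)
                && (!in_array($name, ['href', 'src'], true) || widget_url_is_safe($child->getAttribute($name)));
            if (!$keep) {
                $child->removeAttribute($name); // covers onclick/onerror/style and unsafe URLs
            }
        }
    }
}

function sanitize_widget_html(string $html): string {
    if (trim($html) === '') {
        return '';
    }
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // user markup is rarely well-formed; do not spam warnings
    $doc->loadHTML('<html><head><meta charset="utf-8"></head><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    sanitize_children($body);
    $out = '';
    foreach ($body->childNodes as $node) {
        $out .= $doc->saveHTML($node);
    }
    return trim($out);
}

// When loaded by WordPress (e.g. from wp-content/mu-plugins), run on the text widget's content.
if (function_exists('add_filter')) {
    add_filter('widget_text', 'sanitize_widget_html', 1);
}

// Stand-alone demo: the thread's js-kit snippet plus a few constructed attribute payloads.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $sample = '<div class="js-kit-rating"></div>'
            . '<script src="http://js-kit.com/ratings.js"></script>'
            . '<p onclick="alert(1)">Rate <a href="javascript:alert(1)">me</a> '
            . '<img src="x" onerror="alert(1)"> <b>bold</b> <!-- hidden --></p>';
    echo sanitize_widget_html($sample), PHP_EOL;
}
```

Run from the command line, the sample collapses to the rating div, a bare paragraph with an attribute-less link, an img with only its relative src, and the unwrapped "bold" text; the script element, the three inline handlers, the javascript: URL and the comment are gone. Parsing into a DOM and rebuilding from an allowlist is the same policy wp_kses enforces; the point of doing it this way rather than with regular expressions is that the tree is what the browser will render, so there is no second parse for a crafted string to disagree with.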
That level of control is currently beyond my skill. Looking into it though.
Hey folks. This is an interesting discussion as I am having a similar issue with a new 1.3 installation.
I am kind of a newbie/non programmer so please be gentle with me.
Is this why I can no longer embed youtube videos natively? Is the only work around to have a plug-in to do it for me?
thanks in advance
paul
thanks paul
That's right Paul. WPMU will strip it all out.
I've been using smart youtube 2.0 to embed youtube videos and it seems to be fine with MU.
http://www.prelovac.com/vladimir/wordpress-plugins/smart-youtube
lunabyte
Member
Posted 16 years ago #
8 months later, I'd bet they figured it out.
I guess so, but people searching through the forums for the solution to the same problem may not have. Or is bumping old posts with useful info bad etiquette here?