 Hey all,
I currently only have "Bold, Italics, Underline | Align left, Align Center, Justify | Font color, Background Color | Insert/Edit Link" enable on Tiny MCE for comments. So my question, could that be a security risk on a live site? |
Not really. Just make sure you remove access to the HTML box. BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
Thanks Magnussoft, I just wanted some reassurance for when I release the site to the public. So it would be alright just to increase the security threshold setting right? |
Thanks Magnussoft, I just wanted some reassurance for when I release the site to the public. So it would be alright just to increase the security threshold setting right? On the contrary, it's better to disable it altogether. It was added prematurly, and does more harm than good. I describe it as a "watch dog on cocaine." It sends allot of false positives, which has lead BoonEx to not only recommend it to be disabled, but to also have it disabled by default in the next update. BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
Tiny_MCE is not a security risk, as all code sanitisation is carried out server side. All code submitted by Tiny_MCE is processed by the PHPIDS security filter - ultimately it is this that filters the code - preventing unwanted code from being posted. Enabling / disabling selected elements in Tiny MCE is a good idea - but be mindful that changing the configuration of the "simple" theme will also effect other areas of the site. If necessary, it is easy enough to create a custom Tiny_MCE theme for the comments area - this way you can enable only the elements you need rather than having to use the advanced theme. Also realise that removing elements from displaying Tiny MCE should not be relied on a security measure (most / all client side security measures are easily defeated). /DM Dolphin - Ajax Masturbation |
On the contrary, it's better to disable it altogether. It was added prematurly, and does more harm than good. I describe it as a "watch dog on cocaine." It sends allot of false positives, which has lead BoonEx to not only recommend it to be disabled, but to also have it disabled by default in the next update. Mnnn not exactly true - Boonex have not recommended to disable it in all cases, only as a solution for those experiencing extreme difficulty with it (sorry, cannot find the thread where I read that). The problem with PHPIDS is that the level of filtering will differ greatly depending on the content of your site, so there is not really any 'out of the box' solution to suit all sites, each needs to be tweaked to suit. There's some more info about it at - http://www.boonex.com/unity/forums/topic/Troubleshooting-Possible-Security-Attacks-.htm#topic/Troubleshooting-Possible-Security-Attacks-.htm However, there are still a lot of improvements that can be made to the filtering system, for instance it cannot be selectively set for different areas of the site, or for different user levels - this can lead to a lot of false positives. /DM Dolphin - Ajax Masturbation |
PHPIDS doesn't filter. HTMLPurifier is what does the filtering. My opinions expressed on this site, in no way represent those of Boonex or Boonex employees. |
PHPIDS doesn't filter. HTMLPurifier is what does the filtering. Yes - sorry - bad choice of words. Perhaps 'detection' would have been better. Dolphin - Ajax Masturbation |
All the feedback is really appreciated and thanks. Well, is there an alternative to Tiny MCE. Perhaps support for BBCode in comments or basic HTML inputs eg. <b></b><i></i> I suppose that's an entirely new customisation for support in comment boxes. I have specifically created a theme for Tiny MCE that wraps around comment boxes only. Its working perfectly across all browsers too (after a few hours of playing around) Its seems the latest version of Opera has an issue with including the tiny_mce.js in the _header.html. So I removed including the tiny_mce.js script in the header and made it request the .js file only when there is a comment box. Once the file is called the first time it gets cached, thereafter, its just loaded from the cache straight after. I'm going to start hacking off some Kb on that tiny_mce.js file, its currently sitting at 143kb so its not necessary to have such a giant .js file being called for every new user on the site. NEXT TASK FOR ME: Start creating some fantastic emoticons. |
All the feedback is really appreciated and thanks. Well, is there an alternative to Tiny MCE. Perhaps support for BBCode in comments or basic HTML inputs eg. <b></b><i></i> I suppose that's an entirely new customisation for support in comment boxes. I have specifically created a theme for Tiny MCE that wraps around comment boxes only. Its working perfectly across all browsers too (after a few hours of playing around) Its seems the latest version of Opera has an issue with including the tiny_mce.js in the _header.html. So I removed including the tiny_mce.js script in the header and made it request the .js file only when there is a comment box. Once the file is called the first time it gets cached, thereafter, its just loaded from the cache straight after. I'm going to start hacking off some Kb on that tiny_mce.js file, its currently sitting at 143kb so its not necessary to have such a giant .js file being called for every new user on the site. NEXT TASK FOR ME: Start creating some fantastic emoticons. Funny you should mention BB Tags, I'm halfway through a mod to do this at the moment. It is possible change TinyMCE for other editors such as FCK Editor, but they are all based on the same operating principle and so all work the same way. Its a lot of work for no improvement. You can of course disable TinyMCE and use some custom javascript to add some buttons to create the BB tags - I've done this before for some other sites. It's not very hard to do - google should throw up a few solutions if you want to do this. Regarding speed, TinyMCE has the ability to use either the standard js file, or alternatively a gzipped version - the gzipped is only about 8kb !! It calls this by default, so no need to delete anything from the source file. In truth, there are much bigger resource hogs elsewhere in Dolphin - much better to spend time on these instead. If you haven't already - it's worth visiting moxiecode's site (TinyMCE's authors), they have an extensive Wiki there as well as very helpful forums - lots of info for customising and modding TinyMCE. Also might as well throw in a plug - might want to keep a lookout for another TinyMCE mod that I will be releasing soon - Imagebrowser / File Uploader - it makes the blogs and forums a lot more usable. Just packaging up the D6 version at the moment, will have the D7 version available soon. HTH /DM Dolphin - Ajax Masturbation |
RE Also might as well throw in a plug - might want to keep a lookout for another TinyMCE mod that I will be releasing soon - Imagebrowser / File Uploader - it makes the blogs and forums a lot more usable. Just packaging up the D6 version at the moment, will have the D7 version available soon. HTH /DM How is that going to work? How are you going to manage image and file uploads from multiple users? My opinions expressed on this site, in no way represent those of Boonex or Boonex employees. |
How is that going to work? How are you going to manage image and file uploads from multiple users? Easy ;)
Allowable filetypes are controlled - so if you only want users to be able to upload jpg's and png's that's fine - or you can let them upload whatever file types you wish. Each of the directory types has it's own whitelist. In addition, disallowed type files are controlled by a blacklist. Will let you know when I've posted it up and the demo is ready. /DM Dolphin - Ajax Masturbation |
OK - D6 demo up and running at - http://dolphin6.deeemm.com Works for all instances of TinyMCE advanced theme.
Also works for Admin areas too. D7 will function in exactly same way. /DM Dolphin - Ajax Masturbation |
Good luck with that. You're probably giving the average internet user way too much credit by assuming they'll be able to figure out how to use Tinybrowser. My opinions expressed on this site, in no way represent those of Boonex or Boonex employees. |
Good luck with that. You're probably giving the average internet user way too much credit by assuming they'll be able to figure out how to use Tinybrowser. LOL probably true. I am working on stripping everything out of TinyMCE and just giving a few big buttons - insert image / insert link / insert BBcode - a simplified version. But, the browser is pretty simple to use... D7 demo now up - http://dolphin7.deeemm.com Username - Demo Password - DeeEmm
/DM Dolphin - Ajax Masturbation |
Should probably add - for clarification - users don't have to create or configure anything - all they have to do is click the insert image button > upload images they want to post > and then select them from the thumbnails. Easy Peasy
Dolphin - Ajax Masturbation |
Taking a look at that right now DeeEmm. Seems really promising indeed. EDIT: Below would be an entirely different mod. Do you think this would be possible. (this is something I would definitely pay for) With every photo that is uploaded obviously that photo has an ID in the tables in the Database. Lets say I type [image:12] in a blog post. Once I submit that post, it would show the thumbnail of that specific image with the ID 12. |
Taking a look at that right now DeeEmm. Seems really promising indeed. EDIT: Below would be an entirely different mod. Do you think this would be possible. (this is something I would definitely pay for) With every photo that is uploaded obviously that photo has an ID in the tables in the Database. Lets say I type [image:12] in a blog post. Once I submit that post, it would show the thumbnail of that specific image with the ID 12. I originally started to look at doing it this way (but with a different type of image browser + on D6) - Users could browse the images that they had already uploaded to the gallery, but could not upload from within the browser itself. I might revisit this if there is enough interest. /DM Dolphin - Ajax Masturbation |
Taking a look at that right now DeeEmm. Seems really promising indeed. EDIT: Below would be an entirely different mod. Do you think this would be possible. (this is something I would definitely pay for) With every photo that is uploaded obviously that photo has an ID in the tables in the Database. Lets say I type [image:12] in a blog post. Once I submit that post, it would show the thumbnail of that specific image with the ID 12. I originally started to look at doing it this way (but with a different type of image browser + on D6) - Users could browse the images that they had already uploaded to the gallery, but could not upload from within the browser itself. I might revisit this if there is enough interest. /DM The reason why I was asking about referencing an image according to its ID eg. [image:12] is say if I'm writing a blog post or a news article on featuring various photos that users had uploaded on my website. Similar to how Deviantart.com works. Take a look at this link and look how users have inserted the thumbnails of other users artwork: http://news.deviantart.com/article/112631/ Once again, something I would be more than willing to pay for. |
I like the imanager plugin a little better. I'm really surprised that this functionality isn't built into D7. I know it's been mentioned a hundred times or more. All the existing functionality is there... it just needs a tinyMCE plugin to make use of it. My opinions expressed on this site, in no way represent those of Boonex or Boonex employees. |
I kept receiving loads of "security risk" and "security attack stopped" emails.
