TinyMCE editor in profiles description?

Is it possible to implement tinyMCE for the profiles description input box?

Many Thanks

Andy

6.1.2

I thought this one might be relativly easy?

See this and other threads: http://www.boonex.com/unity/forums/#topic/Adding-HTML-link-in-profile.htm

I'm just getting back to this after a series of setbacks.  The other thread I posted seems to be more related to putting an html field in a profile field- and there seems to be a mod / solution for that.  Is there a solution for getting TinyMCE in the DescriptionMe field.  From other discussions, it seems like it can be done, but the discussions are fragmented.  Does anyone have step-by-step instructions on how to do this?

Thanks

Rob

Could someone give me the definitive answer on this?  I may have confused this issue myself by addressing it in a thread that was discussing how to add a clickable link in a profile field- an easier issue.  Can a TinyMCE field be added to a profile field?  Can it be done by mere mortals?  If there is a mod, or some kind of step-by-step instructions somewhere please let me know.

Thanks

Rob

Anyone?  I'm just wondering if there is a mod, or good procedure write-up for this?   Also, if any of the Boonex guys - or anyone with inside information could tell us if this is in the works for 6.2?  If the mod is too complicated I might just wait but I do want this feature.

Thanks

Rob

OK - I will give up on trying to get an answer to this one here, but could someone just tell me if ANYONE has done it- EVER?  At this point, I just want to know if it is possible, plus if any of the Boonex guys know if it is coming in the next version?

Thanks

Rob

TinyMCE on Description Me is possible...

Hi Caltrade

Yes there are a few mods at Expertzzz.com that integrate TinyMCE with the Description box.

Some of them are I think even free.

Problem is that they are to one degree or another unsafe as once you allow people to post html you have to have an intelligent filtering system that wont allow damaging scripts.

No one seems to have a perfect solution to this yet.

And because of all the rescent security attacks I think everyone is scared to allow any more security holes - even if they are to get an essential functionality like html in profiles !

Im not sure all these mods involve TinyMCE and the Description field but I think some do

I have one functioning on a 60003 setup but I am looking at how to do it again on the latest DOlphin.

I installed nycarpenters protection mod after installing the allow html mod and it seemed a pretty good system.

http://www.expertzzz.com/Dowloadz/view/1208
Safe Profiles HTML
gfscott

http://www.expertzzz.com/Downloadz/view/2233
ALLOW HTML - STOP XSS - JAVASCRIPTS
nycarpenter

http://www.expertzzz.com/Downloadz/view/980
HTML CSS Dolphin 6.X
PenNPixels

http://www.expertzzz.com/Downloadz/view/3513
HTML for profile descriptions
praveenkv1988

HTML-CSS Mega Pack
http://www.expertzzz.com/Downloadz/view/1739
PENandPIXELS  $15

http://www.expertzzz.com/Downloadz/view/3431

NyCarpenter

I will continue to push this issue too as I really cant live without this functionality.

Wow that thread you link to had a lot of info.

That didnt sort it out in the end?

Thanks

Dan V

BirdTribes - good job in compiling this list- have you tried any of these yet?  Okweb, are you going to tease us, or are you going to tell us how it is done?

-

Thanks

-

Rob

Hi Rob

If you will use TineMCEMini on Description Me you have to Uncheck Mandatory and Minimum Value have to be blank,
it can't be used together with TinyMce.

When you add a new TextArea item inside Fields builder it will now always use TinyMCEMini.

TinyMCEMini and 'Description Me'
==========================

Builders/Fields Builder/Join Form
- Description Me => General => Edit text inside Description to: Describe yourself in a few words. => SAVE
- Description Me => Advanced => Mandatory: Unchecked AND Minimum value: blank => SAVE

HTML inside Browse and Search
-----------------------------

Edit file: inc/members.inc.php

Find:
 $i_am_desc = process_smiles( strip_tags( process_html_output( $p_arr['DescriptionMe'] ), '<img>' ) ) . "...";

Edit to:
 //$i_am_desc = process_smiles( strip_tags( process_html_output( $p_arr['DescriptionMe'] ), '<img>' ) ) . "...";
 $i_am_desc = process_smiles(process_html_output($p_arr['DescriptionMe']), '<img>' ) . "";

----------------
Find:
 $i_am_desc2 = process_smiles( strip_tags( process_html_output( $aCoupleInfo['DescriptionMe'] ), '<img>' ) ) . "...";

Edit to:
 //$i_am_desc2 = process_smiles( strip_tags( process_html_output( $aCoupleInfo['DescriptionMe'] ), '<img>' ) ) . "...";
 $i_am_desc2 = process_smiles(process_html_output( $aCoupleInfo['DescriptionMe'] ), '<img>' ) . "";
 

HTML inside Profile view
------------------------

Edit file: inc/classes/BxDolProfileFields.php

Find: function getViewableValue( $aItem, $sValue )

and code:
 switch( $aItem['Type'] ) {
   case 'text':
   case 'num':
   case 'area'
                return nl2br(htmlspecialchars_adv($sValue));

edit to:
 switch( $aItem['Type'] ) {
   case 'text':
   case 'num':
   case 'area':
                   return process_smiles( process_html_output($sValue));
                   //return nl2br(htmlspecialchars_adv($sValue));

HTML inside Join Now:
=====================

Edit file: join.php

Find:
      $_page['name_index'] = 3;
      $_page['css_name']   = 'join.css';

Edit to:
     $_page['name_index'] = 3;
     $_page['css_name']   = 'join.css';
     $_page['extra_js'] = $oTemplConfig -> sTinyMceEditorMiniJS;

------------------------------------------------------------------

Edit file: templates/base/scripts/BxBaseFormView.php

Find: function insertInput( $aInput )

and code:
 case 'area':
                 $sCode = '<textarea class="input_area" name="' . $aInput['Name'] . '">' .
                 $this -> value2html( $aInput['Value'] ) .
                 '</textarea>';
  break;

Edit to:
 case 'area':
                 $sCode = '<textarea class="classfiedsTextArea" name="' . $aInput['Name'] . '">' .
                 $this -> value2html( $aInput['Value'] ) .
                 '</textarea><br />';
 break;
------------------
and code:
 case 'Captcha':
        $sCode = '<img src="' . $site['url'] . 'simg/simg.php" class="form_captcha" /><br /><br />
        <input type="text" class="input_text" maxlength="6" name="Captcha" />';
        break;

Edit to:
 case 'Captcha':

   $sCode = '<br /><img src="' . $site['url'] . 'simg/simg.php" class="form_captcha" /><br /><br />
   <input type="text" class="input_text" maxlength="6" name="Captcha" />';
  break;

--------------------------------------------------

Edit file: templates/tmpl_uni/css/join.css

Find:
 #join_form_table {
 /*width: 100%;*/
 margin-left: auto;
 margin-right: auto;
 border-top: 1px solid #CCCCCC;
 border-left: 1px solid #CCCCCC;
 border-bottom: 1px solid #CCCCCC;
 }

Edit to:
 #join_form_table {
 /*width: 100%;*/
 margin-left: auto;
 margin-right: auto;
 border-top: 1px solid #CCCCCC;
 border-left: 1px solid #CCCCCC;
 border-right: 1px solid #CCCCCC;
 border-bottom: 1px solid #CCCCCC;
 }

----------

Find:
 #join_form_table td,
        #join_form_table th {
  padding: 5px;
  border-right: 1px solid #CCCCCC;
  vertical-align: middle;
 }

Edit to:
 #join_form_table td {
  padding: 0px;
  vertical-align: middle;
 }

 #join_form_table th {
  padding: 6px;
  vertical-align: middle;
 }

----------

Find:
 .input_text,
 .input_date,
 .input_area,
 .input_pass,
 .input_select,
 .input_select_couple,
 .input_select_multi
 {
  background-image: url( ../images/body_backgr.gif );
  border: 1px solid #999999;
  width: 240px;
  margin-right: 5px;
 }

Edit to:
 .input_text,
 .input_date,
 .input_area,
 .input_pass,
 .input_select,
 .input_select_couple,
 .input_select_multi
 {
  background-image: url( ../images/body_backgr.gif );
  border: 1px solid #999999;
  width: 265px;
  margin-right: 5px;
 }
-----------------------------------------------------

HTML inside Edit profile:
=========================

Edit file: pedit.php

Find:
      $_page['name_index'] = 25;
      $_page['css_name']   = 'pedit.css';

Edit to:
     $_page['name_index'] = 25;
     $_page['css_name']   = 'pedit.css';
     $_page['extra_js'] = $oTemplConfig -> sTinyMceEditorMiniJS;

------------------------------------------------------

Edit file: templates/tmpl_uni/css/pedit.css

Find:
 #edit_form_table {
 /*width: 100%;*/
 margin-left: auto;
 margin-right: auto;
 border-top: 1px solid #CCCCCC;
 border-left: 1px solid #CCCCCC;
 border-bottom: 1px solid #CCCCCC;
 }

Edit to:
 #edit_form_table {
 /*width: 100%;*/
 margin-left: auto;
 margin-right: auto;
 border-top: 1px solid #CCCCCC;
 border-left: 1px solid #CCCCCC;
 border-right: 1px solid #CCCCCC;
 border-bottom: 1px solid #CCCCCC;
 }

----------

Find:
 #edit_form_table td,
        #edit_form_table th {
  padding: 5px;
  border-right: 1px solid #CCCCCC;
  vertical-align: middle;
 }

Edit to:
 #edit_form_table td {
  padding: 0px;
  vertical-align: middle;
 }

 #edit_form_table th {
  padding: 6px;
  vertical-align: middle;
 }

----------

Find:
 .input_text,
 .input_date,
 .input_area,
 .input_pass,
 .input_select,
 .input_select_couple,
 .input_select_multi
 {
  background-image: url( ../images/body_backgr.gif );
  border: 1px solid #999999;
  width: 240px;
  margin-right: 5px;
 } 

Edit to:
 .input_text,
 .input_date,
 .input_area,
 .input_pass,
 .input_select,
 .input_select_couple,
 .input_select_multi
 {
  background-image: url( ../images/body_backgr.gif );
  border: 1px solid #999999;
  width: 265px;
  margin-right: 5px;
 }
------------------------------------------------------

 DONE!!

Once again Okweb shoots, and scores!   I can't wait to try this.   Could you tell me can this procedure be done if there is pre-existing text data in the "DescriptionMe" field.  Also, are there any security implications?  Thanks a bunch for sharing this okweb.

-

Rob

Hi Rob

Text data in the "DescriptionMe" field before adding this will show up like text.

Not looked at security issue!!

Will always be there!

Your right you obviously didn't think about security. :(  This opens your site wide open to XSS attacks.  The html must be passed through safehtml, then all is good! :)

Obviously he just said that he didn't - one post above yours, all you had to do was read it.   Does anyone have any thoughts on how to make this secure?  How is this different from the blogs, or the classifieds or the other areas where users can edit TinyMCE content?

Well, if you read my post you'll know what is the difference, it needs to be passed through safehtml.

You can stop sending threats by PM Topher -  I interpreted your post as trying to discredit okweb's work after the security issue had already been brought up twice and open to discussion.  I understood that you had already left this forum so it seemed like you had only come back to throw rocks.  If you want to contribute then why don't you just show some code fixes on okweb's procedure - or express why it shouldn't be done, whatever - I don't think anyone here wants more drama for the time being.

My mail to CALTRADE:

Double that thanks to OKAYWEB for all of his help.

Arthur

Thanks for this... I had a database with html profiles, and was thinking about stripping out the markup until i found this solution. I probably will not enable the tinymce editor until i understand the security risks.

I imagine anyone migrating from older dolphin versions with any html profiles would need this fix at least to display the profiles properly.

Cheerz

Earlier versions of Dolphin had html profiles?  Why did they get rid of it?  BirdTribes had already researched and posted the links above to a number of mods that either provide safe html or say they make html used in profile safe- but I have no idea which ones are good.  It would be nice if this procedure could be made secure- I would really like this for my site.

I followed OKweb's instructions and it worked great.  Could not change the text size so presume that is dictacted by the general css file?  Also, tried to add the html code of a  banner but that did not show up .  Any suggestions on how to get that to work

Could someone tell me what the nature of the security threat is here?  I am mostly curious as to whether it is internal or external.  In other words, is the danger that someone from inside your site could do something damaging, or is their a danger that someone from outside your site could do something damaging.  I am much more concerned about a non-member being able to do some harm.

Hi Rob

Internal or external, more secure to use internal(logged in)

I read one place, 70-80% of web site who is is hacked, is hacked by XSS attacks,

so it's a bigger issue that I thought it was.

1. A visitor to your website can simply disable JavaScript and bypass all of TinyMCE's security features.

2. Hackers and spammers can write scripts hosted on their own servers that submit bogus data to your FORM's target destination. Thus completely bypassing TinyMCE's security features.

3. TinyMCE does not protect against MySQL injection attacks.

-----

- You need to fix, if a visitor has disabled JavaScript, the TEXTAREA will not exist.

- You have to define what tags and tag attributes are allowed by TinyMCE (extended_valid_elements)

- Then you need to create a secure backend with us of ex. safehtml and filter out all the same baddies that TinyMCE does. This is duplication of effort, but it is needed.

You can read more here

Ottar.

Does anyone have any thoughts on how this mod can be "hardened"? - even if it results in the loss of some TinyMCE functions.  I would like to use this mod, but naturally also want it to be reasonably secure.

-

Thanks

-

Rob

-

Update:  To clarify what I think okweb is saying, I would still like the profiles to be visible to non-members- so whatever anyone can come up with would have to be secure to external attacks.

My only obeservation, and I am sure that someone will disagree, is that all content coming through forms needs to be parsed as get or post method.  It doesn't matter whether the form originates as a tinyMice content as part of textarea or not.   If you have a way to screen and filter WHILE you parse the content, you can eliminate most of the threats.

This is not true of mysql, which has its own challenges.  But, you can make a good effort to prevent problems by passing the data in your SQL statements through proper preventions.

I do not want to post the solutions I use on an open forum, but you can contact me directly and we can trade notes on parsing GET and POST to prevent spam and hacks via your forms.

For example, okweb says "A visitor to your website can simply disable JavaScript and bypass all of TinyMCE's security features."   That may be true, but in order to do that, the hacker must use a statement that can be detected while parsing the GET or POST method content. Setting up screens at that level can help prevent the issue.

Arthur

Thanks Arthur, I do think most people here use mysql though, but I would be interested in learning about your solution.  Also, no one ever answered- how is this different from the blogs, forum posts or classifieds, which also use TinyMCE - is this less secure then those?

-

Rob

Just a quick question....

Im interested in only

HTML inside Edit profile:---> do I need to edit the rest to get html only in edit profiles?Maybe also view profile part??

Please let me know.

Nurke