
How to block off-site urls created by users?

Posted: #110605 (In Topic #22173)
TQ, Honoured member

Hi All,

I have long wanted to stop users from posting comments/forum posts with off-site URLs, to protect my users from the risk of being exposed to a 'Bad' site, but until now I have not had cause to pursue this idea.

Today I visited my webmasters site at Google and discovered that my own site was listed with security issues.

Google said

Undetermined malware
These pages directed users to a site that serves malware or unwanted software. Unfortunately, the malicious code within the page could not be isolated.
Not very helpful, but at least I am now aware that I need to look for something.

I have trawled through hundreds of posts and discovered a URL to a site that is trying to get MY users to enter their username, password and email address. Ironically, I discovered this site a few weeks ago and put a news item on my own site warning users of this; unfortunately, I hadn't spotted that someone had already created a link from the forum to this site.

I regularly use URLs to point my users to specific places on my own site, so I do not want to block those if at all possible, but I do want to stop all off-site URLs in future.

Is there any way that I could do this?

TQ

Posted: #110607
Chris

Hi,

No inbuilt way to do that, but could be hacked up…

In sources/comcode_renderer.php we render out the Comcode tags. Already for URLs we detect externality and have a privilege to inject 'nofollow' to some users. We can play off those.

Below:

Code

         $temp_tpl->attach(do_template('COMCODE_URL',array('_GUID'=>'d1657530e6d3d57e6a4791fb3bfa0dd7','TITLE'=>$title,'REL'=>$rel,'TARGET'=>$attributes['target'],'URL'=>$url_full,'CAPTION'=>$caption)));

Try adding:

Code

// If URL is not local and user hasn't got search_engine_links privilege we'll hackerishly change it so the "link" is actually written out rather than an HTML link
if (!has_specific_permission($source_member,'search_engine_links') && !$local)
{
   $temp_tpl=make_string_tempcode(escape_html($url_full.' ('.$caption->evaluate().')'));
}

Haven't tested it, just straight OTTOMH.


Become a fan of ocPortal on Facebook or add me as a friend. Add me on on Twitter.
Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about ocPortal whenever you see the opportunity.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying ocPortal on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.

Posted: #110609
TQ, Honoured member

Thank you Chris,

Should I be copying comcode_renderer.php into sources_custom and doing the edit there (which is what I've done)?

I gave it a go, and my test user was able to create clickable URLs using the editor URL button, and neither admin nor user could create a clickable URL if the URL was directly pasted onto the page.

TQ

Posted: #110615
Chris

sources_custom yes.

However, I didn't consider the WYSIWYG editor. That makes things more complex.

We can force HTML to Comcode conversion for users without the privilege with another code change. This time in sources[_custom]/comcode_from_html.php

After:

Code

function semihtml_to_comcode($semihtml,$force=false)
{
Add:

Code

if (!has_specific_permission(get_member(),'search_engine_links'))
{
   $force=true;
}

I really don't like the HTML to Comcode conversion, but if we're just forcing it on non-privileged users, it may be okay. Only do it if you trust they're not doing layout editing within their content.

"neither admin nor user could create a clickable URL if the URL was directly pasted onto the page" - that's normal for WYSIWYG IIRC.


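The locality check and the text-instead-of-anchor rendering from the two snippets above, with the same rule applied to WYSIWYG-produced HTML, as an added stand-alone example. It is not ocPortal code and calls none of its functions (no has_specific_permission, no tempcode); it is written in Python rather than PHP so it runs as is, and the site base URL, the anchor matcher, the sample post and the rule that even privileged members get only http(s) anchors are assumptions made here. It also carries the check further than the snippet: the host comparison handles scheme-relative, userinfo and lookalike-host URLs, which any home-grown "is this link local?" test has to get right before it is worth anything.

```python
"""Off-site link policy: constructed stand-alone example, not ocPortal code.

A member without an "off-site links" privilege gets a clickable anchor only
for URLs on the site's own host; anything else is written out as escaped
text, the approach the thread takes in the Comcode renderer.  The same rule
is then applied to <a href> elements coming from a WYSIWYG editor, so the
two input paths cannot disagree.  Site URL, matcher and the rule that even
privileged members only get http(s) anchors are assumptions made here.
"""
import html
import re
from urllib.parse import urljoin, urlsplit

SITE_BASE = "https://forum.example.org/"  # assumed base URL of the site
SITE_HOST = urlsplit(SITE_BASE).hostname  # "forum.example.org"

# Matcher for well-formed anchors as a WYSIWYG editor emits them.  Enough to
# show the policy; a production filter should walk a real HTML parse tree.
ANCHOR_RE = re.compile(
    r"""<a\b[^>]*?\bhref\s*=\s*(?:"([^"]*)"|'([^']*)')[^>]*>(.*?)</a>""",
    re.IGNORECASE | re.DOTALL,
)


def is_local(url, base=SITE_BASE):
    """True only for http(s) URLs whose host is exactly the site's host.

    Relative URLs resolve against the base first, so "index.php?page=faq" is
    local.  Inputs a naive substring check gets wrong, and this does not:
      //evil.example/x                          scheme-relative, other host
      https://forum.example.org@evil.example/   userinfo trick, host is evil.example
      https://forum.example.org.evil.example/   lookalike host, not equal
      javascript:alert(1)                       not http(s) at all
    Port and scheme are not compared: same host is what "local" means here.
    """
    try:
        parts = urlsplit(urljoin(base, url.strip()))
    except ValueError:  # e.g. a malformed IPv6 literal: refuse, do not guess
        return False
    if parts.scheme not in ("http", "https"):
        return False
    return (parts.hostname or "").lower() == SITE_HOST


def allowed(url, privileged):
    """Local links always; off-site http(s) links only with the privilege."""
    if is_local(url):
        return True
    try:
        scheme = urlsplit(url.strip()).scheme
    except ValueError:
        return False
    return privileged and scheme in ("http", "https")


def render_link(url, caption, privileged):
    """Render one posted link as an anchor or, if refused, as inert text.

    Both branches escape their output: the policy decides where a link may
    point, escaping is what stops the caption from injecting markup.  Allowed
    off-site anchors get rel="nofollow", as the thread describes.
    """
    if allowed(url, privileged):
        rel = "" if is_local(url) else ' rel="nofollow"'
        return '<a href="%s"%s>%s</a>' % (
            html.escape(url, quote=True), rel, html.escape(caption))
    return html.escape("%s (%s)" % (url, caption))


def _href(m):
    return html.unescape(m.group(1) if m.group(1) is not None else m.group(2))


def enforce_on_html(fragment, privileged):
    """Route every anchor in WYSIWYG-produced HTML through render_link.

    This is the point of forcing HTML-to-Comcode conversion for members
    without the privilege: links get judged by one policy, not two.  The
    anchor is rebuilt from the checked parts, so other attributes are dropped.
    """
    def replace(m):
        caption = html.unescape(re.sub(r"<[^>]+>", "", m.group(3)))
        return render_link(_href(m), caption, privileged)
    return ANCHOR_RE.sub(replace, fragment)


def offsite_links(fragment):
    """Hrefs a non-privileged member may not post, for a reject-the-post flow
    ("You are not permitted to post off-site links") instead of rewriting."""
    return [_href(m) for m in ANCHOR_RE.finditer(fragment)
            if not allowed(_href(m), privileged=False)]


if __name__ == "__main__":
    # Constructed post: one local link, one phishing-style link that a check
    # merely looking for the site's host name somewhere in the URL would pass.
    post = ('See <a href="index.php?page=faq">the FAQ</a> and '
            '<a href="https://forum.example.org@evil.example/login">this fix</a>.')
    print(enforce_on_html(post, privileged=False))
    print(offsite_links(post))
```

The design point is the single policy function: whether a link arrives as a Comcode tag or as WYSIWYG HTML, it ends up in render_link, which is what forcing the HTML-to-Comcode conversion for unprivileged members buys you. The regex anchor matcher is for illustration only; it will miss anchors with unquoted or oddly spaced attributes, so a real filter should operate on a parse tree rather than on markup text.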
 
Posted: #110617
TQ, Honoured member

Thanks again Chris,

I have made the suggested addition to sources_custom/comcode_from_html.php, but it doesn't appear to have worked.

I've checked "Post links that search engines will follow" and that is correctly set for just admins. Could I have missed some other "Privileges" setting that could be overriding it?

Not of much interest to you but I asked Google to rescan my site and I've got the 'All Clear' from them, having removed the link yesterday.

Overall, this is testimony to the robustness of ocP's anti-spam measures that it is the first time in over 3 years someone has managed to post anything to the site that would damage its reputation. Thank you so much. I do generally read/check every post made on the site, but I'm getting further and further behind as the site becomes more active.

Although I'd prefer an 'Allow off-site links' privilege I'm wondering if it would be best if I disable the WYSIWYG editor. Maybe you would consider an 'Enable WYSIWYG editor' privilege in the future?


TQ

Posted: #110619
Chris

Thanks. I might have to take a look then, in my mind it should work.

TQ said

Although I'd prefer an 'Allow off-site links' privilege I'm wondering if it would be best if I disable the WYSIWYG editor. Maybe you would consider an 'Enable WYSIWYG editor' privilege in the future?

I have no strong opposition to such a privilege, but I don't think it would be genuinely useful. At the end of the day WYSIWYG is just a frontend to Comcode's "semihtml" tag, so really we'd be having a permission that fully stops use of the semihtml tag completely. I suppose we could do that, but it wouldn't be a question of security, as without the "Subject to a more liberal HTML filter" privilege semihtml HTML is white-listed only.


 
Posted: #110621
TQ, Honoured member

Chris said

… in my mind it should work
Is sufficient for me to believe that I've done something wrong, I'll check my edits again.

Chris said

… as without the "Subject to a more liberal HTML filter" privilege semihtml HTML is white-listed only
I think I'm suffering from a knee-jerk reaction to my recent situation. I like the ease that the WYSIWYG editor provides even though very, very few of my users take advantage of it.

Could you point me in the direction of any documentation describing the "white-listed only" allowed HTML tag patterns so that I may better understand what's going on behind the scenes.

Thank you.

TQ

Posted: #110625
Chris

TQ said

Could you point me in the direction of any documentation describing the "white-listed only" allowed HTML tag patterns so that I may better understand what's going on behind the scenes.

Sorry, I can't, as there aren't any. But basically, anything the WYSIWYG is likely to create.


 
Posted: #110629
Chris

I took a look, it was actually an ocPortal bug stopping it working, in our HTML to Comcode conversion.

This diff needs applying:

Code

diff --git a/sources/comcode_from_html.php b/sources/comcode_from_html.php
index a21a207..b637373 100755
--- a/sources/comcode_from_html.php
+++ b/sources/comcode_from_html.php
@@ -963,7 +963,7 @@ function array_html_preg_replace($element,$array,$semihtml)
                foreach ($array as $temp)
                {
                        list($pattern,$replacement)=$temp;
-                       $semihtml=preg_replace(str_replace('$','',str_replace('^','',$pattern)),$replacement,$semihtml);
+                       $semihtml=preg_replace(str_replace('$#','#',str_replace('#^','#',$pattern)),$replacement,$semihtml);
                }
                return $semihtml;
        }
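Review bot: the logic problem on the removed line is that str_replace('$','',str_replace('^','',$pattern)) deletes every caret and dollar in the pattern, not only the anchors, so a negated character class such as [^>]* in any pattern of $array silently becomes [>]* and the replacement stops matching; the added line fixes that by touching only the delimiter-adjacent '#^' and '$#'. It still assumes every pattern in $array uses '#' as its delimiter with the anchor directly inside it (a pattern written with another delimiter, or with inline flags before the caret, would keep its anchor and match only at the start of $semihtml), so a comment stating that convention next to the loop, or an assertion on the delimiter, would make the assumption visible to the next person who adds a row.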

i.e. change:

Code

$semihtml=preg_replace(str_replace('$','',str_replace('^','',$pattern)),$replacement,$semihtml);
to

Code

$semihtml=preg_replace(str_replace('$#','#',str_replace('#^','#',$pattern)),$replacement,$semihtml);


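The regex point behind the fix above, as an added example that is not ocPortal code: the converter's delimiter-stripping is re-expressed with Python's re module, and the sample pattern, replacement and input are constructed for illustration. The naive transform produces no error at all; the pattern simply stops matching, which is the silent "doesn't appear to have worked" symptom reported earlier in the thread.

```python
"""Why stripping every '^' and '$' from a regex breaks it: constructed example.

The converter reuses anchored patterns (PHP style, '#' delimiters) in an
unanchored replace-everywhere mode by removing the anchors.  Removing every
caret and dollar in the pattern text also rewrites negated character
classes: [^>]* ("anything but >") turns into [>]* ("only >"), and the
pattern silently stops matching.  Removing only the delimiter-adjacent
'#^' and '$#' leaves the classes intact.  The PHP is re-expressed with
Python's re module; pattern, replacement and input are made up here.
"""
import re


def unanchor_naive(pattern):
    """The buggy transform from the thread: strip every caret and dollar."""
    return pattern.replace("^", "").replace("$", "")


def unanchor_fixed(pattern):
    """The fixed transform: strip only the anchors that sit on the delimiters."""
    return pattern.replace("#^", "#").replace("$#", "#")


def php_to_python(pattern):
    """Drop the '#...#' delimiters; no trailing flags are used in this example."""
    if not (len(pattern) >= 2 and pattern[0] == "#" and pattern[-1] == "#"):
        raise ValueError("expected a #...# delimited pattern: %r" % pattern)
    return pattern[1:-1]


def convert(pattern, replacement, text):
    """Run one (pattern, replacement) row of a conversion table over text."""
    return re.sub(php_to_python(pattern), replacement, text)


# Constructed row in the style of an HTML-to-markup table: an anchor with
# arbitrary extra attributes becomes a [url] tag.  Anchored form first.
PATTERN = r'#^<a href="([^"]*)"[^>]*>(.*?)</a>$#'
REPLACEMENT = r'[url="\1"]\2[/url]'
TEXT = 'Read <a href="https://example.org/a" target="_blank">this</a> now'


def demo():
    """Return the three outcomes: anchored (no match), naive (no match), fixed."""
    return (
        convert(PATTERN, REPLACEMENT, TEXT),                   # anchored: untouched
        convert(unanchor_naive(PATTERN), REPLACEMENT, TEXT),   # naive: untouched too
        convert(unanchor_fixed(PATTERN), REPLACEMENT, TEXT),   # fixed: converted
    )


if __name__ == "__main__":
    print(unanchor_naive(PATTERN))   # [^"] and [^>] have become ["] and [>]
    print(unanchor_fixed(PATTERN))
    for out in demo():
        print(out)
```

The general lesson is that regex source is not plain text: any transformation applied to it by character replacement has to be restricted to the positions where the character has the intended meaning, here the anchors immediately inside the delimiters.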
 
Posted: #110631
Chris

Hmm, I say that, but actually I don't think that bug exists in the latest build, just if this hotfix was applied: 0002105: Slow-down for large Wiki+ pages (ocPortal feature tracker).
I'll update the hotfix.


 
Posted: #110638
TQ, Honoured member

Thank you Chris,

I had already applied the hotfix, but with the amended code the off-site URLs now perform as predicted.

At this point the matter is closed, but if anyone other than me sees value in this idea, i.e. stopping users posting off-site URLs, then in a perfect world this would be my suggested solution:
  1. A method of enabling/disabling off-site URL posting.
  2. If a user tried to do so, a message box would be presented when the Add Topic or Make Post button was clicked, saying something like 'You are not permitted to post off-site links'.
  3. Once the message box is closed, one of 3 things would happen:
    (i) The link would be entirely removed and the post made.
    (ii) The link would be hidden (visible only to administrators for analysis).
    (iii) The user would be returned to the editor so that they could remove the link.
As I said, I am entirely happy with the current result but I'm curious to know why no one else has asked for something like this. After all, it would also stop spammers from posting adverts to their 'shoe/drug' site or at least deter them (not that I have this problem myself as ocP does an excellent job of keeping them out).

Maybe I'm just paranoid because I run a low bandwidth server which emphasises just how many people/companies try to break or abuse my site for their own enjoyment/gain on a daily basis.

On reflection, I know how I was suckered! The perpetrator of my problem posted a link like http://example.com/how-I-fixed-my-xxx-radio-problem (I run a radio programming site) which was sufficiently well engineered to sucker me into overlooking the URL. I should have known better; it linked to a phishing site which was custom built to get my users' name/password/email address!

Thanks again Chris, very much appreciated.

TQ