
Usergroup permissions are breaking PayPal Forum code

#109716 (In Topic #21702)

Hi all,

On our forum, we have a superuser who creates a post and they add some code from PayPal to add a drop down and Buy Now button.

We then have another usergroup called Organizer with lesser permissions which is required to modify the same post the PayPal code is in (they don't modify the PayPal parts).  Every time they modify the post, some of the PayPal code is automatically changed, and it no longer functions.  For instance form action tags are changed to span action tags.

When a superuser edits the post, nothing is changed/impacted, and everything still works.

Is there a permission setting I can change so my Organizer Usergroup doesn't unwillingly and automatically change the PayPal code?  Where do I go, what do I change?  

Thanks
#109718

Yes, it's the "Use unrestricted markup that could be abused for XSS attacks" privilege.

Forms are pretty dangerous, as they can be used to direct a broader category of CSRF attacks between sites.

It's safe to give the permission if you trust the members not to explicitly place dangerous code.


Become a fan of ocPortal on Facebook or add me as a friend. Add me on Twitter.
Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about ocPortal whenever you see the opportunity.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying ocPortal on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.
#109720

Chris Graham said

Yes, it's the "Use unrestricted markup that could be abused for XSS attacks" privilege.

Forms are pretty dangerous, as they can be used to direct a broader category of CSRF attacks between sites.

It's safe to give the permission if you trust the members not to explicitly place dangerous code.

It's only a small group of trusted people who would have the ability to do this.  Can you tell me how to get to that setting please?
#109721

Put it into the admin search in quotes and it will take you to it.

#109974

Thanks Chris,

I tried assigning this permission to the Organizer usergroup mentioned in the first post, but after having them test by editing the post containing the PayPal code, it still breaks it.

Any other ideas?
#109981

Also make sure they have the "Subject to a more liberal HTML filter" privilege and the "Convert XHTML to Comcode" option is off.

#109991

Chris Graham said

Also make sure they have the "Subject to a more liberal HTML filter" privilege and the "Convert XHTML to Comcode" option is off.

Thanks for your help.

"Subject to a more liberal HTML filter" was already checked for the Organizer usergroup.

"Convert XHTML to Comcode" was not off as you suggested. However, this seems to be a global privilege, so it's not something that would have been different between the Organizer & Superuser usergroups. That said, I've turned it off, had an Organizer test again, but it hasn't resolved the issue.

Any other ideas?
#109997

On analysing the code I can see that:

  1. "Avoid broad input filtering security layer" privilege needs to be granted.
  2. Check you didn't remove the original user from the superuser usergroup you expected them in. If ocPortal sees a user is editing something by a user without "Use unrestricted markup that could be abused for XSS attacks" then it edits with the credentials of that lesser privileged user. That's to stop sneaky social engineering attacks when content is later edited (i.e. unwittingly causing code execution via admin credentials).

#109999

Currently improved documentation is being written for Composr/v10, and the functionality is the same as v9. As I can see much clearer documentation is needed, I just polished this bit off. Here we go…


Comcode Security

A great deal of emphasis is placed on making sure Comcode is secure, as Comcode is available to all members of a Composr website.

There's essentially a 5-tier distinction you should keep in mind:
  1. Totally untrusted random users
  2. Somewhat trusted users who you still don't really know well
  3. Trusted users who you are happy to trust to not explicitly go out of their way to find sneaky ways to subvert access controls
  4. Staff trusted with almost all access who you are happy to trust to not explicitly go out of their way to find sneaky ways to subvert the highest level of access controls (typically super-moderators)
  5. Staff trusted with full access (super-administrators) [on this level you can't limit privileges, all privileges are automatically granted]

The following privileges impact Comcode permissions (referencing the tiers above)…
  • Use potentially-troublesome Comcode (codename: comcode_nuisance; tier 2): This privilege currently doesn't do anything, but we reserve it for the future.
  • Subject to a more liberal HTML filter (codename: allow_html; tier 2): Instead of only whitelisting HTML, it applies a blacklist †.
  • Avoid broad input filtering security layer (codename: unfiltered_input; tier 3): This bypasses the rough supplementary filtering that applies to all Composr requests.
  • Use unrestricted markup that could be abused for XSS attacks (codename: use_very_dangerous_comcode; tier 3): This allows dangerous HTML code to be posted within Comcode ††.
  • Use dangerous Comcode (codename: comcode_dangerous; tier 4): Allow use of things such as [block] tags, allowing arbitrary Admin Zone access (e.g. by embedding an Admin module on the front-end of the website).


† There are two alternative security filters available in Composr:
  1. The whitelist filter. This is the most secure filter, and is used by default. It only allows certain HTML fragments to be used (fragments likely to be produced via usage of the WYSIWYG editor).
  2. The blacklist filter. This is designed for high security, filtering out anything it sees as dangerous. At this level you are trusting the user won't and can't find a security hole in the sophisticated blacklist filter.

†† Very dangerous code includes:
  • JavaScript code (reason: code can be malicious, for example steal cookies)
  • CSS code rules block (style element) (reason: style changes can be used to deceive a visitor)
  • Code to embed external files, such as JavaScript, CSS, applets, or browser plugins (reason: external code can either be malicious or adjust existing code to be malicious)
  • Meta tags (reason: could inject the authorisation needed for taking over the Google Webmaster Tools, for example)
  • Code to change the overall page document structure (reason: can significantly change how the browser processes the page)
There are sophisticated mechanisms in Comcode to maintain this security, such as ones to stop JavaScript-powered URLs, and ones to stop people trying to use HTML entities to bypass JavaScript filtering.

Edited content

Comcode is interpreted with particular access credentials. When added, obviously this is the level of the submitter. When editing then the situation is more complex:
  • We set the access credentials to that of the editing user (not the content owner) if the editing user does not have all of "Subject to a more liberal HTML filter" and "Use unrestricted markup that could be abused for XSS attacks" and "Use dangerous Comcode".
  • Otherwise, we set the access credentials to that of the content owner.

These rules uphold the following 3 principles:
  1. A non-admin who has permission to edit something an admin posted (e.g. a moderator) should not be able to edit under the credentials of the admin.
  2. An admin should not be tricked into raising the access level of some Comcode when they think they are just correcting typos. A hacker could have left some dangerous (but subtle) "bombs" in their Comcode.
  3. In general we want to maintain editing under the same credentials as the original user to keep things consistent.

In other words: we pick the lowest access credentials with a bias to the editing user if the status is mixed and a bias to the content owner otherwise.

Note that "Avoid broad input filtering security layer" happens on the input layer, not the Comcode layer, so always runs based on the credentials of the editing user. Don't worry about this though because it's an additional layer of security, not the primary layer.

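As an added illustration of the edited-content rule described above (example code, not Composr's own), here is a small Python model of the credential selection. The privilege codenames come from the table in the post; the sample members and the form_survives_edit reading of the thread's advice (unrestricted markup under the effective credentials plus the broad-filter bypass for the editor) are assumptions.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, Optional

# Privilege codenames from the table above. An editor must hold ALL of these
# for the edit to keep running under the content owner's credentials.
GATE_PRIVILEGES = frozenset({"allow_html", "use_very_dangerous_comcode", "comcode_dangerous"})


@dataclass(frozen=True)
class Member:
    name: str
    privileges: FrozenSet[str] = field(default_factory=frozenset)
    super_admin: bool = False  # tier 5: every privilege is granted automatically

    def has(self, privilege: str) -> bool:
        return self.super_admin or privilege in self.privileges


def comcode_credentials(owner: Member, editor: Optional[Member]) -> Member:
    """Member whose privileges the Comcode parser uses for this save.

    Fresh submission: the submitter. Edit: the editor, unless the editor holds
    every gate privilege, in which case the content owner's credentials stay.
    """
    if editor is None:
        return owner
    if all(editor.has(p) for p in GATE_PRIVILEGES):
        return owner
    return editor


def form_survives_edit(owner: Member, editor: Member) -> bool:
    """Assumed reading of the thread's advice (not Composr's own check):
    an HTML form is kept only if the effective credentials may use unrestricted
    markup AND the editing user bypasses the broad input filter, which sits on
    the input layer and therefore always looks at the editor, never the owner.
    """
    effective = comcode_credentials(owner, editor)
    return (effective.has("use_very_dangerous_comcode")
            and editor.has("unfiltered_input"))


# Constructed sample members mirroring the thread's usergroups.
SUPERUSER = Member("superuser", super_admin=True)
ORGANIZER_BASIC = Member("organizer", frozenset({"allow_html"}))
ORGANIZER_TRUSTED = Member("organizer", GATE_PRIVILEGES | {"unfiltered_input"})
UNTRUSTED = Member("random member")  # tier 1, no privileges at all

if __name__ == "__main__":
    # Principle 1: an Organizer-level edit does not inherit the superuser's credentials.
    print(comcode_credentials(SUPERUSER, ORGANIZER_BASIC).name)  # organizer
    # Principle 2: an admin correcting typos does not upgrade an untrusted member's markup.
    print(comcode_credentials(UNTRUSTED, SUPERUSER).name)  # random member
    print(form_survives_edit(SUPERUSER, ORGANIZER_BASIC))  # False
    print(form_survives_edit(SUPERUSER, ORGANIZER_TRUSTED))  # True
```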
#110408

Hi Chris and thanks for your help, I take over regarding this problem. To be honest with you, I don't get what you posted on September 16th.

I saw an option about adding a catalogue field on the usergroup section. What does that mean? Could it help for the problem we have with our paypal button?
#110410

If you don't understand all the privileges, or don't want to assign the more dangerous ones to users editing this content, another approach would be to make a custom Comcode tag that contains the PayPal button, and then place that tag on the page.

That way the button code is encapsulated within the tag, rather than the page itself, so there's no security issue with needing to be able to post HTML forms.

#110412

How can I create a custom comcode? Do you have a tutorial or link information about it?
#110414

Here's one

https://github.com/ocproducts/composr/blob/master/docs/pages/comcode_custom/EN/tut_adv_comcode.txt

Read from line 99.

It's not ideal to read the raw Comcode from a Composr v10 tutorial, but we've been improving our docs a lot for the next version and I think that's the best official explanation at the moment.

#110415

Ok I'll test it out! Is it possible to change the font of the comcode?
#110443

The custom comcode works perfectly!

Can I change the default font from the comcode box?
#110445

Great. Could you post that question in a separate topic please, and just make clear what you mean. You may be referring to what is used if no font is chosen (which would be a pure CSS change), or you may be talking about the font selection within CKEditor WYSIWYG, or you may be talking about the font selection within the Comcode editor (when WYSIWYG is off).
