
Moving forward with Composr

ocPortal has been relaunched as Composr CMS, which is now in beta. ocPortal 9 will be superseded by Composr 10.

Head over to compo.sr for our new site, and to our migration roadmap. Existing ocPortal member accounts have been mirrored.


Member profile tabs not working for me

#100757 (In Topic #19777)

Fan in training

Trying ocPortal for the second time gives me the same issues as the first time. This time I decided to try and fix the issues.

The issue is that (apart from the 'profile' tab) none of the tabs on the member profile page are working. All are giving me a server error (500) with the error message 'The request was rejected by the HTTP filter. Contact the server administrator.' After some testing the problem seems to be the minus sign in the title that is posted in the URL. I guess my hosting provider has URLScan active or something.

I tried to find the code that is adding the site name to the page name (dividing it with ' - '), but so far no luck.

Can anybody point me in the right direction?

#100758

Community saint

500 errors are indicative of a mod_security problem.

Tell your host to whitelist ALL mod_security rule numbers listed here: Configuring mod_security - ocPortal.com.

Do you have a Samsung Galaxy S / Galaxy S II ? If so, why not check out my ScreenFree FM Radio .

#100759

Thanks temp1024. I was going to reply to this but I got totally side-tracked. I think he is referring to the URLs in AJAX background requests, e.g.:

Code

http://localhost/git/data/snippet.php?snippet=profile_tab&tab=posts&member_id=2&page=members&type=view&id=admin&url=http%3A%2F%2Flocalhost%2Fgit%2Fsite%2Findex.php%3Fpage%3Dmembers%26type%3Dview%26id%3Dadmin%26keep_devtest%3D1&title=admin's%20profile%20%E2%80%93%20(unnamed)&keep_session=1841574357&utheme=default

That's not going to be user edit-able, it is auto-constructed from various data and trying to sanitise it isn't going to work in general. Really the webhost needs to stop thinking that URLs follow some predetermined pattern, no complex system will do that.


Become a fan of ocPortal on Facebook or add me as a friend. Add me on Twitter.
Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about ocPortal whenever you see the opportunity.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying ocPortal on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.

#100761

Fan in training

Thanks Chris. It is correct I was referring to the URLs in AJAX background requests.

I agree about your webhost remark and I will try to convince my webhost to make the required settings to make this work, but I doubt they will.

In the meantime I will continue to look for the code that constructs this URL, so I can really start to use ocPortal. I understand that this will take unrecommended changes to the code somewhere, but being a professional software developer myself, I guess I will be able to handle ;)

#100762

load_snippet function in JAVASCRIPT.tpl appends document title in case the called snippet needs it.

HTML_HEAD.tpl defines the document title.


#100763

Community saint

nethyperon said

I will try to convince my webhost to make the required settings to make this work, but I doubt they will.
They might resist initially but they should do it with minimal pushing. All those rules have been confirmed to have an impact on ocPortal.

nethyperon said

In the meantime I will continue to look for the code that constructs this URL, so I can really start to use ocPortal.
If you have received one 500 error, and if it was indeed caused by mod_security, then there is a good chance there will be others, and you will not be able to use ocPortal reliably.

You can try and trigger one of the known scenarios like:

1) Using the Tools PHP Info feature.

2) Saving changes on Admin Zone Configuration Site options page.

3) Using the Translate/re-phrase the software feature.

4) Using the inbuilt template editor to save changes to the JAVASCRIPT.tpl template.

If you get 500 or 403 errors doing any of the above then that confirms that you have a mod_security problem.

#100764

Fan in training

Thanks for the feedback.

I see I forgot to mention that my site is running on an IIS based webserver and not on Apache webserver.

I tried most of the mentioned scenarios, but they all work fine. I guess it's safe to say I can rule out any mod_security problems.

After some more digging in the mentioned URL it seems that the problem actually lies in the urlencoded version of the minus sign: %E2%80%93
Actually the minus sign and these encoded strings do not seem to be the same. My webhost has the issue with the encoded string, but not with the actual minus sign.

#100765

Community saint

nethyperon said

I see I forgot to mention that my site is running on an IIS based webserver and not on Apache webserver.
Hmmm, that certainly blows my mod_security theory out the water :lol: .

#100767

Fan in training

I found the solution to my problem!

The HTML_HEAD.tpl template separates the document title from the site title with an en dash (–). URL encoding in JavaScript produces the %E2%80%93 for this en dash, but IIS (or URLScan) doesn't like the en dash.

I changed the template to use a normal dash and now the tabs work correctly.

Thanks for the time to point me in the right direction.
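
An added example, not part of the original thread and not ocPortal's code: it rebuilds the title parameter from the URL quoted earlier, lists the percent-encoded bytes that encodeURIComponent emits for the en dash, and applies the ASCII-dash workaround described in the post above. filterAccepts is a hypothetical stand-in for a strict URL filter that rejects high-bit bytes; the thread does not show the host's actual rule.

```javascript
// Added example (not ocPortal code). The filter rule below is an assumption:
// reject any percent-encoded byte >= 0x80 and any raw non-ASCII character.

// Constructed sample values modelled on the URL quoted in the thread.
const SAMPLE_TITLE = "admin's profile \u2013 (unnamed)";
const BASE = "http://localhost/git/data/snippet.php?snippet=profile_tab&tab=posts";

// Return every percent-encoded byte in the URL whose value is above 0x7F.
function highBitEscapes(url) {
  const hits = [];
  const re = /%([0-9A-Fa-f]{2})/g;
  let m;
  while ((m = re.exec(url)) !== null) {
    if (parseInt(m[1], 16) >= 0x80) hits.push(m[0].toUpperCase());
  }
  return hits;
}

// Hypothetical stand-in for a strict URL filter on the host.
function filterAccepts(url) {
  return highBitEscapes(url).length === 0 && !/[^\x00-\x7F]/.test(url);
}

// Map common typographic punctuation to ASCII before encoding.
// Meant for machine-generated values such as the page title, not user data.
const ASCII_MAP = {
  "\u2013": "-", "\u2014": "-", "\u2018": "'", "\u2019": "'",
  "\u201C": '"', "\u201D": '"', "\u2026": "..."
};

function asciiTitle(title) {
  return title.replace(/[\u2013\u2014\u2018\u2019\u201C\u201D\u2026]/g,
                       (ch) => ASCII_MAP[ch]);
}

// Build the background-request URL with or without the ASCII workaround.
function snippetUrl(title, sanitise) {
  const t = sanitise ? asciiTitle(title) : title;
  return BASE + "&title=" + encodeURIComponent(t);
}

const rawUrl = snippetUrl(SAMPLE_TITLE, false);
const safeUrl = snippetUrl(SAMPLE_TITLE, true);
console.log(rawUrl, highBitEscapes(rawUrl), filterAccepts(rawUrl));
console.log(safeUrl, highBitEscapes(safeUrl), filterAccepts(safeUrl));
```

Running highBitEscapes over a site's generated request URLs (from access logs or a crawl) shows which parameters would trip such a filter before users hit the 500 error.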

#100768

Good job. I was thinking the same, and I will do a little research on this "URLScan" (it's new to us).


#100769

Ok, so JavaScript would have URL encoded the utf-8 character for the HTML ndash entity. If not interpreted as utf-8, the last byte is equivalent to "]". There are examples for URLScan that block "<" and ">" because those are HTML characters used for possible XSS attacks. It may be the server admin also blocked "[" and "]", but I don't know of anything those characters would be used to attack.

(Wow, I think I should get an award for all the Jargon in that explanation)

I will add something to the community docs about URLScan, just so we have something written warning of it. I don't think there's anything we should do at a product level.


#100772

Changed my mind ;).

Having utf-8 characters sneaking into URLs is very rare. Usually anything that gets in there has already been cut down to simple ASCII via some other constraint/process in the system.

I just checked the code, and the recommend module, the logo-wizard, the bookmarks module, and the Add-new-page wizard, all have potential utf-8 come through URLs too. However, that is better because it is explicit user data, unlike this where the ndash is not entered by the user.

So, for this particular case, I'll add a workaround.

