Twitter Embed method for Posts?

#98613

Community saint

Florida_Owl said:

Ok, so it just simply is not working for me.

I created a new topic, selected the source editor and used the BBCode, and got the same result. I used the WYSIWYG editor, same result. I used the non-WYSIWYG editor and got the same result.

Not sure what to do here…

Not using the WYSIWYG editor, only the basic editor.


http://digiflash.nl Photo community  (dutch)
#98614

Honoured member

Chris Graham said:

When I next update your site, it will include my fix to disable the browser feature.

I don't know if SMF disables the feature too already, or if somehow it posts things via redirects which avoids it being triggered.

But definitely that error is what I got, and I was able to make it work via my fix and/or reloading after posting.

Harry's site works though…that is what has me puzzled. Shouldn't need to address anything? Is there a security setting I am overlooking perhaps in the control panel?

#98615

Community saint

This is the code I used to get this working, but remove all the unnecessary HTML from the embed code first.

Code

<blockquote class="twitter-tweet" data-partner="tweetdeck"><a href="https://twitter.com/cameralandnl/statuses/355370920577216512">July 11, 2013</a></blockquote><script async src="//platform.twitter.com/widgets.js" charset="utf-8"></script>

Original code:

Code

<blockquote class="twitter-tweet" data-partner="tweetdeck"><p>Portretfotografie, iets voor jou ??&#10;&#10;Foto Gonzalo Ramos  &#10;Info- Camera- E-300 Focal Length -150mm &#10;Shutter... <a href="http://t.co/gNLS0mNaFA">http://t.co/gNLS0mNaFA</a></p>&mdash; CameraLand NL (@cameralandnl) <a href="https://twitter.com/cameralandnl/statuses/355370920577216512">July 11, 2013</a></blockquote>
<script async src="//platform.twitter.com/widgets.js" charset="utf-8"></script>

Harry


#98616

Florida_Owl said:

Chris Graham said:

When I next update your site, it will include my fix to disable the browser feature.

I don't know if SMF disables the feature too already, or if somehow it posts things via redirects which avoids it being triggered.

But definitely that error is what I got, and I was able to make it work via my fix and/or reloading after posting.

Harry's site works though…that is what has me puzzled. Shouldn't need to address anything? Is there a security setting I am overlooking perhaps in the control panel?

The browser security only kicks in when the request contains the code the page is running, i.e. when you initially submit the post to save or preview. The browser doesn't know that you chose to input the code; it thinks it might be what is called an "XSS vulnerability", where code from the request is somehow unintentionally leaking into the output, leading to a vulnerability.

The fix is to work with the browser, telling it that the JavaScript code really was intended for display.


Become a fan of Composr on Facebook or add me as a friend. Add me on on Twitter. Support me on Patreon
Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about Composr whenever you see the opportunity or support me on Patreon.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying Composr on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.
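Added example, not code from the thread and not ocPortal's own patch (which the thread never shows): a Python model of the browser feature Chris describes. The filter fires when a <script> in the response also appears in the request, so the submit/preview round trip trips it, while a reload (a GET with no body) or a POST-redirect-GET flow does not. The opt-out header X-XSS-Protection: 0, the sample embed, and every function name here are assumptions.

```python
"""
Model of the browser-side reflected-XSS filter and two ways a site can stop
it firing on a member's own deliberate paste. Constructed example in Python;
not ocPortal code. Assumption: the "fix to disable the browser feature" is
the X-XSS-Protection: 0 response header that filters of that era honoured.
"""
import re
from typing import Dict, Tuple

# Sample embed as a member would paste it (constructed from the thread's example).
TWEET_EMBED = (
    '<blockquote class="twitter-tweet">'
    '<a href="https://twitter.com/cameralandnl/statuses/355370920577216512">'
    'July 11, 2013</a></blockquote>'
    '<script async src="//platform.twitter.com/widgets.js" charset="utf-8"></script>'
)

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def _normalise(s: str) -> str:
    return re.sub(r"\s+", " ", s).strip().lower()


def filter_would_trigger(request_params: Dict[str, str], response_html: str) -> bool:
    """Core heuristic of the old auditors: a <script> in the response that also
    appears verbatim in the request is treated as reflected attacker input.
    The browser has no way to tell a member's paste from an injection."""
    request_blob = _normalise(" ".join(request_params.values()))
    return any(_normalise(s) in request_blob for s in SCRIPT_RE.findall(response_html))


def browser_blocks(request_params: Dict[str, str],
                   response_headers: Dict[str, str], response_html: str) -> bool:
    """The filter acts only if the response has not opted out of it."""
    if response_headers.get("X-XSS-Protection", "").strip().startswith("0"):
        return False
    return filter_would_trigger(request_params, response_html)


def render_post(post_html: str, *, opt_out_of_filter: bool) -> Tuple[Dict[str, str], str]:
    """Server side: the page showing the post. The opt-out header is sent only
    on the response to the member's own submit/preview, where server-side
    Comcode permissions (not the browser) decide whether raw HTML is allowed."""
    headers = {"Content-Type": "text/html; charset=utf-8"}
    if opt_out_of_filter:
        headers["X-XSS-Protection"] = "0"   # assumed fix; scoped to this response only
    return headers, f'<html><body><div class="post">{post_html}</div></body></html>'


def submit_and_preview(post_html: str, opt_out: bool) -> bool:
    """Flow 1: POST the post and render it straight back in the same response.
    Returns True if the browser would block the page."""
    params = {"post": post_html}
    headers, body = render_post(post_html, opt_out_of_filter=opt_out)
    return browser_blocks(params, headers, body)


def submit_then_redirect(post_html: str) -> bool:
    """Flow 2 (Chris's "posts things via redirects" guess, and "reloading after
    posting"): POST, answer 303, the browser GETs the topic with no body, so the
    request no longer contains the script and the filter stays quiet."""
    headers, body = render_post(post_html, opt_out_of_filter=False)
    get_params: Dict[str, str] = {}   # the follow-up GET carries no post body
    return browser_blocks(get_params, headers, body)


if __name__ == "__main__":
    print("preview without opt-out blocked:", submit_and_preview(TWEET_EMBED, opt_out=False))
    print("preview with opt-out blocked:   ", submit_and_preview(TWEET_EMBED, opt_out=True))
    print("redirect-then-GET blocked:      ", submit_then_redirect(TWEET_EMBED))
```

Two caveats a practitioner would want: the header only switches off a heuristic, so it belongs on the single response to an authorised submission and never site-wide, where it would also disable the defence on pages whose output you do not control; and current browsers have removed this filter entirely, so the real protection today is server-side escaping plus a Content-Security-Policy, not this header.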
 
#98617

Community saint

OK, thanks Chris.

BTW, I have removed the test :)


Last edit: by Harry-S


#98618

Honoured member

Chris Graham said:

The browser security only kicks in when the request contains the code the page is running, i.e. when you initially submit the post to save or preview. The browser doesn't know that you chose to input the code; it thinks it might be what is called an "XSS vulnerability", where code from the request is somehow unintentionally leaking into the output, leading to a vulnerability.

The fix is to work with the browser, telling it that the JavaScript code really was intended for display.

Ok, thanks Chris. That makes sense.

#99241

Honoured member

I noticed that an ADMIN cannot edit a non-ADMIN user's post to add the code and have it display properly; is this a bug?

Either way, can it be achieved so that the correct display will appear?

#99245

Community saint

Florida_Owl said:

I noticed that an ADMIN cannot edit a non-ADMIN user's post to add the code and have it display properly; is this a bug?

I doubt it. Seems like a normal security precaution.

The way around that is for the admin to create a custom Comcode tag containing the restricted code, give everyone permission to use that tag, and then anyone can use that tag in non-admin posts.

Do you have a Samsung Galaxy S / Galaxy S II ? If so, why not check out my ScreenFree FM Radio .
#99259

I just had a look at the code, and I believe the situation is actually more complex than temp1024 thinks ;). His solution is a great one though. Another one is our non-bundled "Comcode whitelist" addon; I'll give this a little test soon.

Usually ocPortal does actually grant the evaluation permissions of Comcode according to who has just submitted it, not the content owner. This is intended for the situation you're considering.

However, in fields supporting attachments, it explicitly makes sure it evaluates according to the content owner, as it needs any embedded attachments to be assigned to the content owner.

I will see if we can tweak this. It is an interesting thing though, it might be best as an option as I could see this being exploited by users - chances are most admins would not be smart/careful enough to know how to scan posts they're editing for malicious code, and by editing they would be escalating the permissions the submitted code runs with.


#99263

Community saint

I had an idea I'll jump in here with: as an admin you can masquerade as any user, so could you not masquerade as the user whose post you wish to edit and make the change you wanted then? Or does that not work either?
#99264

Duck said:

I had an idea I'll jump in here with: as an admin you can masquerade as any user, so could you not masquerade as the user whose post you wish to edit and make the change you wanted then? Or does that not work either?

The issue is that the user wants to post the Twitter embed code, but it has JavaScript in it. Therefore the user's credentials aren't sufficient.

I am working on it (in fact I have resolved it), but I am just refining my reply right now ;).


#99270

Ok, Florida_Owl, I have made a change for you. It will now use the privileges of whoever is editing the content if the WYSIWYG editor is turned off. If you don't have the WYSIWYG editor off, the software won't have faith that you're checking over the member's post correctly.

Additionally I have updated our ocwhitelist addon so it can allow HTML whitelisting. I have put in the Twitter embed code as an example, so it should work out of the box. This is attached:
Attachment: oc_whitelist-9.x.tar (40 KB)

(the addon in the addon directory will be updated when we do our next patch release)


#99274

Actually, I think this is really unsafe. I think in the real world, people will be admins and not know how to spot XSS, even if the WYSIWYG is off - or just be too busy to check.

Therefore the next patch release will allow this but only if this command is put into OcCLE at some point prior:

Code

:set_value('edit_with_my_comcode_perms','1');


#99275

Community saint

Chris Graham said:

Actually, I think this is really unsafe. I think in the real world, people will be admins and not know how to spot XSS, even if the WYSIWYG is off - or just be too busy to check.

I don't think it is safe either :( .

Chris Graham said:

Therefore the next patch release will allow this but only if this command is put into OcCLE at some point prior:

Code

:set_value('edit_with_my_comcode_perms','1');

I know you want to be helpful Chris, but I don't think this should even be available as an OcCLE workaround.

In my opinion it would be just a ticking time-bomb waiting to go off.

#99276

temp1024 said:

I know you want to be helpful Chris, but I don't think this should even be available as an OcCLE workaround.

In my opinion it would be just a ticking time-bomb waiting to go off.

It depends. There is a warning against using it in the codebook, alongside its description. I can imagine situations where it would be very useful, e.g. if you want to have a news post owned by a certain non-admin user but override to let some special code into just that blog post.


#99279

It will now also show a message on top of editing screens giving a severe warning if this hidden option is enabled. That'll teach people to only use it temporarily, or they can disable the message if they're a programmer :lol:.


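Added example, in Python rather than ocPortal's PHP and not the project's own code, modelling the two positions in this part of the thread: Chris's point that evaluating an edited post with the editor's privileges (the hidden edit_with_my_comcode_perms option) lets a payload the original author planted run as the admin, and temp1024's custom-tag alternative (post #99245), which lets non-admins embed a tweet without ever holding the raw-HTML privilege. The privilege name comcode_dangerous, the [tweet]ID[/tweet] syntax, the set_value/get_value option store and the warning text are assumptions.

```python
"""
Model of whose Comcode privileges an edited post is evaluated with, why using
the editor's privileges is an escalation, and a custom tag that needs no
raw-HTML privilege. Constructed example; names are assumptions, not ocPortal's.
"""
import html
import re
from dataclasses import dataclass, field
from typing import Set

# Hidden option from the thread; off unless an admin runs :set_value(...) in OcCLE.
_OPTIONS = {"edit_with_my_comcode_perms": "0"}


def set_value(name: str, value: str) -> None:
    _OPTIONS[name] = value


def get_value(name: str) -> str:
    return _OPTIONS.get(name, "0")


@dataclass
class Member:
    name: str
    privileges: Set[str] = field(default_factory=set)   # e.g. {"comcode_dangerous"}


@dataclass
class Post:
    owner: Member   # attachments, and normally Comcode evaluation, belong to the owner
    source: str


TWEET_TAG_RE = re.compile(r"\[tweet\](\d{1,20})\[/tweet\]")   # assumed tag syntax


def _expand_tweet(m: "re.Match") -> str:
    """Custom tag body: only a numeric status ID crosses from user input into the
    HTML, so granting the tag to everyone grants no script-injection capability."""
    status_id = m.group(1)
    return (
        '<blockquote class="twitter-tweet">'
        f'<a href="https://twitter.com/i/status/{status_id}">Tweet {status_id}</a>'
        '</blockquote>'
        '<script async src="//platform.twitter.com/widgets.js" charset="utf-8"></script>'
    )


def evaluating_member(post: Post, actor: Member) -> Member:
    """Normal rule for attachment-bearing fields: evaluate as the content owner.
    With the hidden option on, the editor's privileges are used instead."""
    return actor if get_value("edit_with_my_comcode_perms") == "1" else post.owner


def evaluate(post: Post, actor: Member) -> str:
    """Comcode -> HTML. Raw HTML survives only if the evaluating member holds the
    privilege; otherwise it is escaped. The [tweet] tag is expanded for everyone."""
    who = evaluating_member(post, actor)
    if "comcode_dangerous" in who.privileges:
        body = post.source
    else:
        body = html.escape(post.source, quote=False)
    return TWEET_TAG_RE.sub(_expand_tweet, body)


def edit_post(post: Post, editor: Member, new_source: str) -> str:
    """An edit re-evaluates the whole post, not just the editor's change. That is
    why a payload the owner planted earlier goes live if the option is on."""
    post.source = new_source
    return evaluate(post, editor)


def edit_screen_warning() -> str:
    """Banner shown on editing screens while the hidden option is enabled."""
    if get_value("edit_with_my_comcode_perms") == "1":
        return ("WARNING: edits are evaluated with YOUR Comcode privileges. Any HTML or "
                "script the original author left in this post will now run as you.")
    return ""


if __name__ == "__main__":
    mallory, admin = Member("mallory"), Member("admin", {"comcode_dangerous"})
    p = Post(mallory, "<script>steal(document.cookie)</script> [tweet]355370920577216512[/tweet]")
    print(evaluate(p, mallory))                    # script escaped, tweet tag expanded
    set_value("edit_with_my_comcode_perms", "1")
    print(edit_screen_warning())
    print(edit_post(p, admin, p.source))           # script now live: the escalation
```

The design point is in evaluating_member: the safe default ties privileges to the principal who owns the content, so an edit by a more privileged member cannot widen what the stored text is allowed to do. The custom tag sidesteps the whole question by turning "paste raw HTML" into "supply one validated integer", which is the capability non-admins actually need.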
 
#99284

Honoured member

Thanks Chris, we will install the updated file.
#99294
Honoured member

Update:

Installed, and it works fine - however…

The quick reply box does not appear after a member posts the Twitter code. In fact there are no reply options:

#99296
It might be due to that member not having the 'Can double post' privilege.


#99299

Honoured member

I don't have it either - as an ADMIN.

Question:

Would a member's "double posting" privilege (which I was not aware was even a setting and will correct) cause everyone else not to be able to post?

If so, we will need to identify people who have this limitation and manually correct them all. That was not available on our former platform as an option; so not sure how it was assigned on import.

Is it a group setting I can adjust for all groups?