Smilies Not Working In Forum Post

This is the place to report bugs and get support. When posting in this forum, please always provide as much detail as possible.

Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum, do not report it as a bug.

4/29/2008 12:36:34 PM
Total Posts 48

Smilies Not Working In Forum Post

Hi,

I usually add a smiley to my posts but they never seem to show... checked it in both IE7 and my main browser Firefox and both show nothing. Just thought I'd let you know.

Cheers,

Reiss [ ]

P.S. I added one of each smiley above in the brackets and none are showing.

4/30/2008 12:58:16 PM
Total Posts 18439

Re: Smilies Not Working In Forum Post

Hi,

This seems to be caused by the use of NeatHtml to prevent cross site scripting.

At first I thought it was because the smileys are being served from beneath the ClientScript folder and I thought maybe the word script as part of the path was triggering some blocking, but I tried moving the smileys to a different location and still get the same result.

Hopefully Dean Brettle (the author of NeatHtml) will see this post and offer a solution or suggestion.

Dean, are images not allowed in untrusted content?

Thanks,

Joe

5/12/2008 3:22:59 PM
Total Posts 148

Re: Smilies Not Working In Forum Post

Sorry for the delayed response.  I've been on vacation and offline for the last couple weeks.

By default, NeatHtml does not allow images in untrusted content because they can be used to launch automated Cross Site Request Forgery (CSRF) attacks. It is possible to add some JavaScript to the page to allow images in untrusted content for users that have scripting enabled. However, I'm currently working on adding more direct support for images (including for users with scripting disabled) by adding a TrustedImageURLPattern property to the UntrustedContent control. I hope to have that completed sometime this week.

 

5/13/2008 7:11:57 AM
Total Posts 18439

Re: Smilies Not Working In Forum Post

Thanks Dean.

I don't see this as an urgent issue so just let me know when you've completed those enhancements and I'll upgrade to your new version of NeatHtml.

Best,

Joe

5/20/2008 12:54:47 PM
Total Posts 148

Re: Smilies Not Working In Forum Post

FYI, this is now fixed in the latest NeatHtml release (NeatHtml-trunk.213.zip).  You'll need to specify the TrustedImageUrlPattern property of the UntrustedContent control to get it to work.  See the Displaying images section of the manual for details.  You might want to use a theme to specify the TrustedImageUrlPattern in only one place.

--Dean

 

5/21/2008 7:53:40 AM
Total Posts 18439

Re: Smilies Not Working In Forum Post

Hey Dean,

I posted a bug in your forum for the new version. It seems the TrustedImageUrlPattern must be set or an error occurs in mojoPortal. It's not a serious bug because I can set it everywhere it's used, but seems it should not error without making a specific setting. Also if there is any mistake in the regex pattern it throws an error. Maybe this is what it should do but maybe it should just fall back to not allowing images or display a message like it does if it can't find the .js file.

Also, I'm not the best at regex expressions and was wondering if you could illustrate a pattern for allowing any images from any site and a pattern that allows images only from within the site?

For example, in the Community Blogs page (RSS Aggregator), I'd like to allow all images because I'm only aggregating relatively trusted feeds.

In the Forums, I'd like to allow images from anywhere within the site, but not external.

Thanks,

Joe
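As an added illustration (not part of the original thread, and not NeatHtml or mojoPortal code) of the two policies asked about above, images from any site versus only from within the site, together with the suggested fallback of allowing no images when the pattern is missing or malformed. The site origin, pattern strings, sample URLs and function names are all assumptions.

```javascript
// Added illustration: not NeatHtml or mojoPortal code. Every name here is hypothetical.
const SITE = "https://forum.example/"; // constructed site origin

// Operator-supplied patterns (constructed). The "/" right after the host matters.
const SAME_SITE = "https://forum\\.example/.*";
const ANY_SITE = "https?://.*";
const WEAK_SAME_SITE = "https://forum\\.example.*"; // also matches forum.example.other.example

// Returns null for a missing or malformed pattern so callers fail closed
// (no images) rather than throwing while the page renders.
function compileTrustedPattern(source) {
  if (typeof source !== "string" || source.trim() === "") return null;
  try {
    new RegExp(source); // validate alone first, so "a)|(b" cannot rebalance the wrapper
    return new RegExp("^(?:" + source + ")$"); // whole-URL match only
  } catch (err) {
    return null;
  }
}

// Decide on the URL the browser would actually fetch, not on the raw attribute text.
function isImageAllowed(src, pattern) {
  if (pattern === null || typeof src !== "string") return false;
  let url;
  try {
    url = new URL(src.trim(), SITE); // resolves relative and "//host/..." forms
  } catch (err) {
    return false;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  return pattern.test(url.href);
}

function allowedImages(patternSource, srcs) {
  const pattern = compileTrustedPattern(patternSource);
  return srcs.filter((src) => isImageAllowed(src, pattern));
}

// Constructed sample src values, as an HTML parser would hand them over.
const SAMPLE_SRCS = [
  "/smileys/smile.gif",
  "smileys/wink.gif",
  "//other.example/pixel.gif",
  "https://other.example/a.gif?https://forum.example/",
  "https://forum.example.other.example/a.gif",
  "data:image/gif;base64,AAAA",
];
console.log(allowedImages(SAME_SITE, SAMPLE_SRCS));
```

Matching the resolved URL rather than the raw attribute is what keeps a protocol-relative `//other.example/...` value from passing as a "relative" same-site image.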

5/21/2008 9:57:02 AM
Total Posts 18439

Re: Smilies Not Working In Forum Post

Never mind, I managed to come up with the regex patterns I wanted.

Thanks,

Joe

5/21/2008 12:17:06 PM
Total Posts 18439

Re: Smilies Not Working In Forum Post

Smilies are working again. Thanks Dean!

5/21/2008 8:59:54 PM
Total Posts 148

Re: Smilies Not Working In Forum Post

Thanks for the bug report Joe. It's fixed now. Also, I've added some example regular expressions to the documentation to address the cases you mentioned.  Out of curiosity, did you set the TrustedImageUrlPattern property for all of the UntrustedContent elements or did you use a theme to set them?

 

5/22/2008 1:19:05 PM
Total Posts 18439

Re: Smilies Not Working In Forum Post

Hi Dean,

No, I went through and found each use and set it either declaratively or in code. For the RSS Aggregator I added a module setting whether to allow external images. For the forum and blog comments I only allow relative image urls.

To me, while it is possible to set non visual properties on server controls using theme.skin, I think it's not a great idea particularly for security settings. theme.skin files are conceptually for visual styling. It would be a maintenance problem to go through all the skins in mojoPortal and add this setting and also people who already have custom skins would not benefit from the security because their theme.skin file would not have this setting. So it seems a problem to lose security if the skin is changed and therefore doesn't seem like a great practice to use it for the UntrustedContent control.

When 2.0 .NET came out, I went to great efforts to be able to relocate the theme.skin file into the site specific skin folders instead of the App_Themes folder and finally got it working. But since then I have realized that theme.skin is really not a good way to set visual properties either because it creates inline style in the markup and bulks up the size of the page. So really at most it's useful for setting css classes.

The only other good use I found for theme.skin is for the CornerRounderTop and CornerRounderBottom controls, which just render extra divs that can be used in conjunction with css to style rounded corners. I use a theme.skin property to tell the control whether to render or not so if the skin doesn't use corner rounding the extra markup can be left out.

The other issue I've been contemplating about untrusted content is how to allow untrusted users to post rich content like YouTube videos, Flash, etc. Currently in mojoPortal users who have access to the Html module are considered trusted whereas forums and blog comments are not. So in the Html module it's possible to add YouTube videos etc. It seems some would like to use mojoPortal to build social sites where users can create all kinds of content and may not be particularly trusted. So the challenge seems to be in figuring out a right balance that doesn't allow the site to become a malware playground like MySpace yet still enables rich social interaction and content.

Best,

Joe

5/22/2008 2:36:02 PM
Total Posts 148

Re: Smilies Not Working In Forum Post

Your rationale for not using themes for this seems reasonable to me.  Thanks for the explanation.

As for allowing untrusted Flash, I don't think that can be done securely for arbitrary Flash. Flash can make HTTP requests so it can be used for XSS attacks just like JavaScript. If you wanted to trust particular Flash animations (e.g. a particular movie player), there could be a TrustedObjectUrlPattern property. Actually, if you are going to trust particular Flash animations, you might as well trust particular JavaScript files and iframes with particular HTML files. So perhaps, what is needed is a general TrustedUrlPattern property that, if set, allows untrusted content to contain object/embed/iframe/script tags with URLs that match the pattern. That would be in addition to the TrustedImageUrlPattern, since presumably most sites that are willing to sacrifice some CSRF-security to allow images don't want to sacrifice XSS-security too.

 

5/22/2008 5:52:17 PM
Total Posts 148

Re: Smilies Not Working In Forum Post

On a related note, if you want to allow scripts, you might want to look into Caja.  The main downside from your perspective is that the current Javascript->Caja translator is written in Java (though there is an online translator).  However, if mojoPortal sites want to allow existing Caja scripts on their pages, you could support that without needing to use Java.

Also, since you mentioned social sites, you might want to look at OpenSocial.

 

5/23/2008 7:21:32 AM
Total Posts 18439

Re: Smilies Not Working In Forum Post

Open Social is definitely on my radar, though to some extent I think the social web stuff is mostly time wasting applications like silly vampire games. I do think getting all contacts synchronized across different sites is useful and some of the activity stream stuff is ok, but mostly what people do on Facebook, MySpace, etc. is waste time and I think the next bubble will be because we wasted a lot of time developing time wasting apps. LinkedIn and Plaxo are more moderate and don't have as many time wasting things but apparently people love to waste time and therefore Facebook and MySpace are more popular and now all these venture cap folks are putting a lot of effort into helping people waste their time more effectively. Sooner or later that bubble will pop.

But people do want to build social sites with mojoPortal and it poses some challenges. Currently if a user has permission to create pages and put features on them, that user has generally been given a good deal of trust and is considered a trusted user. But in social sites it's like they want anyone who registered to be able to create pages and add content under their own little node of the site. So in this case there is no particular reason to trust these users and yet we still want to grant them the power to create pages and put features on them as if we trusted them. And they want all the bells and whistles like Flash and Video. So to support this kind of site I think we do need more ways to limit the possible damage. Caja looks like a possible solution, thanks for that as I had not seen it before. I suppose we can also implement specific widgets for things like YouTube or use Open Social, but it seems like no matter what we do there is still a good deal of remaining risk from pulling in rich content from external sources. I think that a lot of organized cyber criminals are making MySpace their playground because it affords so many opportunities for deploying malware and gathering information that can be used in identity theft.

Anyway, I'm ranting, I'll stop now.
