Link to external pictures

This is the place to report bugs and get support. When posting in this forum, please always provide as much detail as possible.

Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum, do not report it as a bug.

When posting in this forum, please try to provide as many relevant details as possible. Particularly the following:

  • What operating system were you running when the bug appeared?
  • What database platform is your site using?
  • What version of mojoPortal are you running?
  • What version of .NET do you use?
  • What steps are necessary to reproduce the issue? Compare expected results vs actual results.
This thread is closed to new posts. You must sign in to post in the forums.
4/6/2011 12:46:53 PM
Total Posts 30

Link to external pictures

Hey Joe (never gets old)

I thought I read somewhere that you disallowed linking to external pictures in forum posts on purpose for "Authenticated Users".

I like!

As demonstrated here it's possible to link to external images. Way to do it:

  1. Insert a smiley
  2. Right click the smiley
  3. Click "Image Properties"
  4. Change the URL to anything you want

To avoid loopholes like this you should do server-side filtering.

Cheers,
Simon

4/6/2011 1:05:47 PM
Total Posts 18439

Re: Link to external pictures

You are right that somewhere along the way the regex pattern for trusted images got changed from relative urls to any url. I will fix this for the next release but anyone who is concerned about it can fix it now by looking for this in /Forums/Thread.aspx:

<NeatHtml:UntrustedContent ID="UntrustedContent1" runat="server" TrustedImageUrlPattern='<%# allowedImageUrlRegexPattern %>'
ClientScriptUrl="~/ClientScript/NeatHtml.js">
<%# Eval("Post").ToString()%>
</NeatHtml:UntrustedContent>

and change it to this:

<NeatHtml:UntrustedContent ID="UntrustedContent1" runat="server" TrustedImageUrlPattern='^/.*[_a-zA-Z0-9]+\.(png|jpg|jpeg|gif|PNG|JPG|JPEG|GIF)$'
ClientScriptUrl="~/ClientScript/NeatHtml.js">
<%# Eval("Post").ToString()%>
</NeatHtml:UntrustedContent>

Note that we filter content on the way out, not on the way in. We assume that users can find ways of putting in whatever they want. We don't get protection from the WYSIWYG editor; anyone can disable JavaScript and get a plain text area and enter whatever they want. We filter it before rendering.

Best,

Joe
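
An added example (not part of the thread, and not mojoPortal or NeatHtml code): a check of the posted TrustedImageUrlPattern against constructed image URLs, assuming the pattern is matched against the whole src value. TIGHTENED, mismatches and the sample URLs are hypothetical; the check shows that a pattern anchored only on a leading slash also accepts scheme-relative forms, which browsers resolve to another host.

```javascript
// Pattern exactly as posted in the reply above.
const POSTED = /^\/.*[_a-zA-Z0-9]+\.(png|jpg|jpeg|gif|PNG|JPG|JPEG|GIF)$/;

// Hypothetical tightened variant (an assumption, not from the thread):
// the character after the leading "/" may not be "/" or "\", and the
// path may not contain whitespace or backslashes.
const TIGHTENED = /^\/(?![\/\\])[^\s\\]*[_a-zA-Z0-9]\.(?:png|jpe?g|gif)$/i;

// Constructed sample URLs. "allow" is the intended policy:
// only site-relative image paths are trusted.
const SAMPLES = [
  { url: "/Data/Sites/1/media/smile.gif",       allow: true  }, // site-relative
  { url: "/Data/SiteImages/emoticons/wink.PNG", allow: true  }, // upper-case extension
  { url: "http://images.example.net/pic.jpg",   allow: false }, // absolute URL
  { url: "//images.example.net/pic.jpg",        allow: false }, // scheme-relative
  { url: "/\\images.example.net/pic.jpg",       allow: false }, // "\" is read as "/" by browsers
  { url: "/Data/notes.txt",                     allow: false }, // not an image extension
  { url: "Data/pic.jpg",                        allow: false }, // no leading slash
];

// Return the URLs where the pattern's verdict differs from the policy.
function mismatches(pattern, samples) {
  return samples
    .filter((s) => pattern.test(s.url) !== s.allow)
    .map((s) => s.url);
}

console.log("posted pattern disagrees with policy on:", mismatches(POSTED, SAMPLES));
console.log("tightened pattern disagrees with policy on:", mismatches(TIGHTENED, SAMPLES));
```

Because the filter runs at render time, a corrected pattern also covers posts that were stored before the change.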
