
Module: HTML in Messages

Posted by Maurice Makaay 
All files from this thread

File Name | File Size | Posted by | Date
html-2.0.0.tar.gz | 197.6 KB | Maurice Makaay | 08/17/2009
html-2.0.0.zip | 253.7 KB | Maurice Makaay | 08/17/2009
html.proposed.3.0.zip | 250.9 KB | Phil Connolly | 09/10/2010
Module: HTML in Messages
August 17, 2009 12:14AM
This module allows message authors to use HTML markup code in their messages.

It uses HTML Purifier for filtering the code. The filtering is done for both creating clean HTML output (so invalid HTML code entered by the author won't break your page layout) and protecting against XSS attacks.

This package is a replacement for the HTML module that was shipped with Phorum until version 5.2.12. From 5.2.13 on, the HTML module is no longer part of the core distribution, because the very basic anti-XSS algorithms that it had implemented were not good enough for protecting against every kind of XSS attack out there.

The Phorum developers would like to stress that, even though HTML Purifier does a fantastic job at filtering the HTML code, it is in general a bad idea to allow HTML input by end users on your system. If you are running a Phorum installation for which you already have an HTML module enabled, then you do not really have a choice. However, if you are considering installing this module on a fresh Phorum installation, we ask you to reconsider.

Changelog:
----------

2009-08-16 v2.0.0

   - Implemented HTML Purifier (http://htmlpurifier.org) as the HTML
     filter for the Phorum HTML module.


Maurice Makaay
Phorum Development Team



Edited 1 time(s). Last edit at 08/17/2009 01:26AM by Maurice Makaay.
Attachments:
html-2.0.0.tar.gz (197.6 KB)
html-2.0.0.zip (253.7 KB)
Re: Module: HTML in Messages
August 26, 2009 09:17PM
Ooh, does this mean I get to stop maintaining the other HTML Purifier Phorum module? ;-)

HTML Purifier, standards-compliant HTML filtering
Re: Module: HTML in Messages
August 26, 2009 10:11PM
If you like what this module is doing, then you can stop maintaining that one. There are differences though. This module simply replaced the old HTML mod functionality of allowing user provided HTML code in the message.

This HTML mod does allow the use of BBcode next to HTML. Since it is up front in the formatting chain, this module and BBcode won't bite. BBcode modules can produce any kind of HTML code that they require (including scripting and such).

This module does not do any kind of formatted message caching. The main reason for this is that there can be differences in how messages should be formatted for different users. When caching, this kind of functionality might break (unless a cache entry is generated per message per user, but that kind of defeats the purpose).

So there are differences. Whether or not to keep updating your HTML Purifier module is totally up to you and how you want the purifier to be exposed to the Phorum public.


Maurice Makaay
Phorum Development Team
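
The ordering described in the post above (HTML filtering up front in the formatting chain, BBcode afterwards), as an added example that is not part of the thread or of the module's code. It assumes the HTML Purifier standalone distribution is on the include path; `purify_author_html()` and `render_bbcode()` are hypothetical names, and the BBcode renderer is a minimal stand-in for a real BBcode module. Because the BBcode stage runs after the purifier, its output is not filtered again, so it validates and escapes what it emits.

```php
<?php
// Added example, not Phorum's or the module's own code.
// Assumption: the HTML Purifier standalone file is on the include path.
require_once 'HTMLPurifier.standalone.php';

// Stage 1: filter the author-supplied HTML before anything else touches it.
function purify_author_html(string $body): string
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Doctype', 'XHTML 1.0 Transitional');
    $config->set('Cache.DefinitionImpl', null); // no on-disk definition cache for this demo
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($body);
}

// Stage 2: hypothetical, minimal BBcode renderer ([url=...] only).
// Its output never passes through the purifier, so it checks the URL
// scheme and escapes the attribute value itself.
function render_bbcode(string $body): string
{
    return preg_replace_callback(
        '~\[url=([^\]\s]+)\](.*?)\[/url\]~s',
        function (array $m): string {
            // Stage 1 already entity-encoded the text; decode before validating.
            $url = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
            if (!preg_match('~^https?://~i', $url)) {
                return $m[0]; // unrecognised scheme: leave the tag as plain text
            }
            $href = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
            return '<a href="' . $href . '">' . $m[2] . '</a>';
        },
        $body
    );
}

// Constructed sample message mixing HTML and BBcode.
$message = '<b onclick="x()">bold</b><script>x()</script> '
         . '[url=https://example.org/?a=1&b=2]link[/url]';

// Chain order matters: purify first, then let BBcode add its own markup.
echo render_bbcode(purify_author_html($message)), "\n";
```
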
Re: Module: HTML in Messages
August 26, 2009 10:16PM
Fair enough. I'll probably continue maintaining the HTML Purifier module. Not having caching is going to be slow >.>

HTML Purifier, standards-compliant HTML filtering
Re: Module: HTML in Messages
August 30, 2009 10:56AM
Dear, I try to use this HTML message module with HTML Purifier 4.0.
And it does not work.
I have put the new html messages in mods (deleted old before).
Then go to admin page and click on settings, define html code to xhtml 1.0 and then on.
When I run the forum nothing appears except an error:

Parse error: syntax error, unexpected T_STRING, expecting T_OLD_FUNCTION or T_FUNCTION or T_VAR or '}' in /homepages/15/d184730789/htdocs/LOL/forum/mods/html/htmlpurifier-4.0.0-standalone/HTMLPurifier.standalone.php on line 78

Please can you help me to make your module run ????

Thank you in advance !
Re: Module: HTML in Messages
August 30, 2009 11:00AM
Are you running your Phorum under PHP5?
It sounds like you're still on PHP4.


Maurice Makaay
Phorum Development Team
Re: Module: HTML in Messages
August 31, 2009 09:15AM
Yes, you are right!
I have found the problem.
It is a problem with PHP revision.
I have checked my database and it is on mysql PHP 4.0
So I have to ask for an update at my provider!

Thank you for your reply !

I think this message will help someone else !
Bye !
Re: Module: HTML in Messages
August 31, 2009 09:31AM
You are mixing up some things. MySQL and PHP are two separate packages. But both need to be at version 5. For this particular issue, it is PHP that needs an upgrade to version 5.

Good luck!


Maurice Makaay
Phorum Development Team
Once enabled, does it affect all forums or can you limit it?
September 03, 2009 09:16PM
I am setting up an announcement board, where users don't post and that may be handy BUT I do not want to turn on html for everyone... did that once :)
Re: Once enabled, does it affect all forums or can you limit it?
September 03, 2009 10:00PM
The HTML module currently does not have such an option. An extra module that would remove the HTML module from the internal structures, to effectively disable it in the other forums, would work. Nothing ready-to-go though.

I think it would be a nice addition for the module management, to be able to configure the forums for which a module must be active (with "all" as the default, so only specific config is needed for overrides). I'll think about that. Not useful for now, I know ;-)


Maurice Makaay
Phorum Development Team