DJ Maze


Joined: Apr 19, 2004 Posts: 5668 Location: http://tinyurl.com/5z8dmv
|
Post subject: How to integrate wysiwyg in your module Posted: Wed Sep 28, 2005 12:50 am |
|
We've noticed a lot of people don't know how to integrate wysiwyg into their modules.
One of the reasons we don't provide much detail is that it could harm your website more than actually make it cooler.
WARNING: The wysiwyg editors DON'T check the input (posted data) for any malicious code, so it would be easy to generate an XSS exploit.
However, if you still want to use it, here's an example module index.php:
PHP:
<?php
/**
 * CPG Dragonfly CMS
 * Copyright (c) 2004-2005 by CPG-Nuke Dev Team, www.dragonflycms.com
 * Released under the GNU GPL version 2 or any later version
 * $Id: index.php,v 1.2 2005/02/13 23:53:06 trevor Exp $
 */

# protect against direct access
if (!defined('CPG_NUKE')) { exit; }

# load the wysiwyg system
require(CORE_PATH.'wysiwyg/wysiwyg.inc');

# initiate an wysiwyg instance for a <textarea>
$wysiwyg = new Wysiwyg('form_name', 'area1', '100%', '400px', '<h1>Area 1</h1>');

# initiate another wysiwyg instance for a <textarea>
$wysiwyg2 = new Wysiwyg('form_name', 'area2', '100%', '400px', 'some text in <b>area 2</b>');

# set the wysiwyg headers that are needed for header.php
# You only have to call it once, so no need for $wysiwyg2
$wysiwyg->setHeader();

# initiate the page title
$pagetitle .= 'WYSIWYG Example';

# Now you include the header to start the page
require_once('header.php');

# start a new table in which we will show some text
OpenTable();

# Open a <form>
echo open_form(getlink(), 'form_name', 'The Wysiwyg Example');

# Output the Wysiwyg selector
echo $wysiwyg->getSelect().'<br /><br />';

# Output the Wysiwyg <textarea>
echo $wysiwyg->getHTML().'<br /><br />';

# Output the other Wysiwyg <textarea>
echo $wysiwyg2->getHTML().'<br /><br />';

# close the form
echo '<input type="submit" name="preview" value="Preview">'.close_form();

# close the table that we have created
CloseTable();
DJ Maze's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Fedora 12 / 2.2.15 / 5.1.47 / 5.3.3 / CVS |
DJ Maze


Joined: Apr 19, 2004 Posts: 5668 Location: http://tinyurl.com/5z8dmv
|
Post subject: Re: How to integrate wysiwyg in your module Posted: Wed Sep 28, 2005 12:44 pm |
|
You need to get one or more wysiwyg editors first
dragonflycms.org/cvs/wysiwyg/
And upload the folder to /includes/wysiwyg/
DJ Maze's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Fedora 12 / 2.2.15 / 5.1.47 / 5.3.3 / CVS |
Kendle


Joined: Dec 16, 2004 Posts: 529
|
Post subject: Re: How to integrate wysiwyg in your module Posted: Thu Sep 29, 2005 11:49 am |
|
The wysiwyg Class has changed (includes/wysiwyg/wysiwyg.inc). Once upon a time you would pass the name of the editor you wished to use to the Class constructor, now the user's preferred choice is stored in the session variable and the constructor no longer accepts the editor name.
This has broken WYSIWYG functionality in my mKnow module.
I need to know at which version of DragonFly it changed so I can allow for it in my code.
edit: I've answered my own question, it was 9.0.4.0, damned annoying though as it means a fair bit of re-coding required now. I'll have to update the session variable because I can't use the new method of adding a selector to the input form (changing editor means submitting the form)
mc__


Joined: Jul 12, 2005 Posts: 451 Location: QLD, Australia
|
Post subject: Re: How to integrate wysiwyg in your module Posted: Thu Sep 29, 2005 12:53 pm |
|
Thank you DJmaze for this post and the advice. It's appreciated.
_________________

mc__'s server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Linux (Kernel: 2.4.21-27.0.2.ELsmp)/1.3.33 (Unix)/4.0.24-standard/4.3.11/9.0.5.0 |
RedGerry


Joined: Jun 29, 2004 Posts: 448 Location: Alloa, Scotland
|
Post subject: Re: How to integrate wysiwyg in your module Posted: Thu Sep 29, 2005 2:35 pm |
|
Yes cheers.. I have the functionality built in to my RG_Sports module but it stopped working. On my todo list to fix. This info will make the job a lot easier.
After the data is posted I'm passing it through Fix_Quotes prior to inserting into DB. Would you recommend anything else to protect against vulnerabilities?
My members can post match reports after games are complete and they do this regularly, it adds good content to my site. I MUST give them WYSIWYG as these reports end up as huge lumps of text otherwise.
example: www.scottishwomensfoot...=2820.html
_________________ gerry @ redgerry.com
redgerry.com - Home of RG_Sports
scottishwomensfootball.co.uk
scottishjuniorfootball.co.uk
RedGerry's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Suse9.3/Apache2.6.8-24.14/MySQL4.0.21Max/PHP4.3.8/CVS on Athlon64 |
DJ Maze


Joined: Apr 19, 2004 Posts: 5668 Location: http://tinyurl.com/5z8dmv
|
Post subject: Re: How to integrate wysiwyg in your module Posted: Thu Sep 29, 2005 3:23 pm |
|
Fix_Quotes() will not prevent anyone from using <script> and "on<task>", which are javascript commands.
I'm building such XSS prevention functions to strip all javascript functionality.
I will post my test functions here so you all can try.
NOTE: this code is highly untested so please report issues or extensions in here.
Code:
# Strip <script> blocks, javascript: links and (optionally) on<event> attributes.
function strip_javascript($text, $events=true)
{
    $patterns = array(
        # the "s" modifier lets .*? span line breaks inside a <script> block
        '/<\s*script[^>]*?>.*?<\/\s*script\s*>/is',
        '/href\s*=\s*\'\s*javascript.*\'/i',
        '/href\s*=\s*"\s*javascript.*"/i'
    );
    $replace = array('','','');
    if ($events) {
        # drop everything from the first on<event>= attribute to the end of the tag
        $patterns[] = '/(<.*?)on[\w]+\s*=[^<>]*?>/i';
        $replace[] = '\\1>';
    }
    return preg_replace($patterns,$replace,$text);
}

# Posted as strip_tags(); PHP cannot redeclare its built-in strip_tags(), so the
# function is renamed here. The new name is a placeholder, not a Dragonfly function.
# Each flag set to true strips that group of tags; false keeps the group allowed.
function strip_tags_by_group($text, $tables=false, $lists=false, $fonts=false,
                             $phrase=false, $blocks=false, $group=false, $misc=false,
                             $image=false, $media=true, $forms=true)
{
    $allowed_tags = '<a><br><center><hr><p>';
    if (!$tables) { $allowed_tags .= '<caption><multicol><table><tbody><col><colgroup><td><tfoot><thead><th><tr>'; }
    if (!$lists) { $allowed_tags .= '<dl><dt><dd><dir><menu><li><ol><ul>'; }
    if (!$fonts) { $allowed_tags .= '<font><sub><sup><big><b><i><small><s><strike><tt><u>'; }
    if (!$phrase) { $allowed_tags .= '<cite><code><dfn><em><kbd><samp><strong><var><abbr><acronym>'; }
    if (!$blocks) { $allowed_tags .= '<blockquote><h><plaintext><pre>'; }
    if (!$group) { $allowed_tags .= '<div><span><fieldset><legend>'; }
    if (!$misc) { $allowed_tags .= '<nobr><spacer><wbr>'; }
    if (!$image) { $allowed_tags .= '<img><map><area>'; }
    if (!$media) { $allowed_tags .= '<applet><object><param><embed><marquee>'; }
    if (!$forms) { $allowed_tags .= '<form><input><select><option><optgroup><textarea><button>'; }
    # the original passed the undefined $allowable_tags, which allowed no tags at all
    return strip_tags($text, $allowed_tags);
}
DJ Maze's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Fedora 12 / 2.2.15 / 5.1.47 / 5.3.3 / CVS |
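The filter posted above removes markup it recognises as bad; the opposite design parses the posted HTML and keeps only tags, attributes and URL schemes that are on an allow-list, so unquoted or entity-encoded variants have nothing to slip past. This is an added example, not code from this thread or from Dragonfly CMS: `sanitize_wysiwyg()`, `clean_node()`, `is_safe_url()` and both lists are assumptions, and it needs PHP 5.3.6 or later with the dom extension.

```php
<?php
// Added example, not Dragonfly code: allow-list sanitizer for posted WYSIWYG HTML.
// All function names and both lists are assumptions; needs PHP 5.3.6+ with ext/dom.
function is_safe_url($url) {
    // Browsers ignore whitespace and control characters in a scheme; strip them first.
    $url = preg_replace('/[\x00-\x20]+/', '', $url);
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) { return true; } // relative
    return in_array(strtolower($m[1]), array('http', 'https', 'mailto'), true);
}

function clean_node(DOMNode $node, array $allowed, array $drop) {
    foreach (iterator_to_array($node->childNodes) as $child) {
        $tag = strtolower($child->nodeName);
        if ($child->nodeType === XML_TEXT_NODE) { continue; } // escaped again by saveHTML()
        if ($child->nodeType !== XML_ELEMENT_NODE || in_array($tag, $drop, true)) {
            $node->removeChild($child); // comments, <script>, <style>: removed with content
            continue;
        }
        clean_node($child, $allowed, $drop);
        if (!isset($allowed[$tag])) { // unknown tag: keep cleaned children, drop the tag
            while ($child->firstChild) { $node->insertBefore($child->firstChild, $child); }
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->nodeName);
            $bad_url = in_array($name, array('href', 'src'), true) && !is_safe_url($attr->nodeValue);
            if ($bad_url || !in_array($name, $allowed[$tag], true)) { $child->removeAttribute($attr->nodeName); }
        }
    }
}

function sanitize_wysiwyg($html) {
    $allowed = array_fill_keys(array('p', 'br', 'b', 'i', 'u', 'strong', 'em', 'ul', 'ol', 'li'), array());
    $allowed += array('a' => array('href', 'title'), 'img' => array('src', 'alt'));
    $drop = array('script', 'style', 'iframe', 'object', 'embed', 'applet');
    libxml_use_internal_errors(true); // tolerate tag soup without emitting warnings
    $doc = new DOMDocument();
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>');
    $body = $doc->getElementsByTagName('body')->item(0);
    clean_node($body, $allowed, $drop);
    $out = '';
    foreach ($body->childNodes as $child) { $out .= $doc->saveHTML($child); }
    return $out;
}

// Constructed sample input: harmless markup mixed with markup the filter must neutralise.
$posted = '<p onclick="alert(1)">Match <b>report</b></p><script>alert(2)</script>'
        . '<a href=" jav&#x09;ascript:alert(3)">link</a><a href="/news.html">ok</a>';
echo sanitize_wysiwyg($posted), "\n";
```

On the sample, the paragraph and both links survive, while the `onclick` attribute, the `<script>` element and the entity-obfuscated `javascript:` href are removed.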
mc__


Joined: Jul 12, 2005 Posts: 451 Location: QLD, Australia
|
DJ Maze


Joined: Apr 19, 2004 Posts: 5668 Location: http://tinyurl.com/5z8dmv
|
Post subject: Re: How to integrate wysiwyg in your module Posted: Mon Oct 03, 2005 3:28 am |
|
Thanks mc__, I will look into that code.
DJ Maze's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Fedora 12 / 2.2.15 / 5.1.47 / 5.3.3 / CVS |
rosbif


Joined: Jan 13, 2005 Posts: 571 Location: Paris, France
|
Post subject: Re: How to integrate wysiwyg in your module Posted: Fri Feb 03, 2006 8:30 am |
|
DJMaze,
Did anything come of this?
rosbif's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Linux/2.2.11/5.0.77/5.2.8/9.2.1 |
HEairsoft


Joined: Jul 26, 2005 Posts: 58
|
Post subject: Re: How to integrate wysiwyg in your module Posted: Sun Jun 11, 2006 6:03 pm |
|
Is there any way to display the wysiwyg editor by default without using this select box?
Kendle wrote:
I'll have to update the session variable because I can't use the new method of adding a selector to the input form (changing editor means submitting the form)
Were you able to fix this? I am having the same problem and I will have to rely on the select box if there is no way to default the editor to wysiwyg.
HEairsoft's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Linux/1.3.33/4.0.27/4.4.4/9.1.1 |
Kendle


Joined: Dec 16, 2004 Posts: 529
|
Post subject: Re: How to integrate wysiwyg in your module Posted: Fri Jun 16, 2006 8:34 pm |
|
If you want to enforce a particular WYSIWYG editor you'll have to manipulate the user's session variable, like so:-
PHP:
if (CPG_NUKE > '9.0.3.0') {
    global $CPG_SESS;
    $CPG_SESS['wysiwyg'] = 'EditorName';
}
Note: the check for version number is because it was at 9.0.3.0 that the WYSIWYG class changed. If that's not relevant to your application then remove it, obviously.
If you are writing something that users of versions prior to 9.0.3.0 might want you'll also need to adjust the call to the WYSIWYG class as the parameters changed:-
<= 9.0.3.0
PHP:
$wysiwyg = new Wysiwyg('EditorName', 'FieldName', 'width', 'height', $fieldvariable);
> 9.0.3.0
PHP:
$wysiwyg = new Wysiwyg('FormName', 'FieldName', 'width', 'height', $fieldvariable);
_________________ Gaming League / Cup - www.leaguecms.co.uk :: Other DragonFly modules - www.cmsdreams.co.uk
HEairsoft


Joined: Jul 26, 2005 Posts: 58
|
Post subject: Re: How to integrate wysiwyg in your module Posted: Fri Jun 16, 2006 8:51 pm |
|
Alright cool, thanks Kendle
HEairsoft's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Linux/1.3.33/4.0.27/4.4.4/9.1.1 |
DJ Maze


Joined: Apr 19, 2004 Posts: 5668 Location: http://tinyurl.com/5z8dmv
|
Post subject: Re: How to integrate wysiwyg in your module Posted: Fri Jun 23, 2006 10:30 pm |
|
Not possible, can't mix GPL and BSD in one package.
It works nicely though.
DJ Maze's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Fedora 12 / 2.2.15 / 5.1.47 / 5.3.3 / CVS |
harbrum


Joined: May 19, 2004 Posts: 155 Location: Drachten, Nederland
|
Post subject: Re: How to integrate wysiwyg in your module Posted: Sat Jul 29, 2006 4:34 am |
|
I cannot browse or download images with a wysiwyg browser.
Could it be caused by a .htaccess file?
_________________ Wonder is the beginning of all wisdom.
harbrum's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Windows xp/Apache 2.0/mysql 5.0.51a (client: 5.0.51a) php 5.2.5/ CPGNuke 9.2.1 |