Support ⇒ Explain Please :: Archives ⇒ How to integrate wysiwyg in your module :: Archived ⇒ Community Forums ⇒ CPG Dragonfly™ CMS

Archived ⇒ How to integrate wysiwyg in your module


We've noticed a lot of people don't know how to integrate wysiwyg into their modules.
One of the reasons we don't provide much detail is that it could harm your website more than actually make it cooler.

WARNING: The wysiwyg editors DON'T check the input (posted data) for any malicious code, so it would be easy to generate an XSS exploit.

However if you still want to use it here's an example module index.php
<?php
/**
 * CPG Dragonfly CMS
 * Copyright (c) 2004-2005 by CPG-Nuke Dev Team, www.dragonflycms.com
 * Released under the GNU GPL version 2 or any later version
 * $Id: index.php,v 1.2 2005/02/13 23:53:06 trevor Exp $
 */
# protect against direct access
if (!defined('CPG_NUKE')) { exit; }
# load the wysiwyg system
require(CORE_PATH.'wysiwyg/wysiwyg.inc');
# initiate an wysiwyg instance for a <textarea>
$wysiwyg = new Wysiwyg('form_name', 'area1', '100%', '400px', '<h1>Area 1</h1>');
# initiate another wysiwyg instance for a <textarea>
$wysiwyg2 = new Wysiwyg('form_name', 'area2', '100%', '400px', 'some text in <b>area 2</b>');
# set the wysiwyg headers that are needed for header.php
# You only have to call it once, so no need for $wysiwyg2
$wysiwyg->setHeader();
# initiate the page title
$pagetitle .= 'WYSIWYG Example';
# Now you include the header to start the page
require_once('header.php');
# start a new table in which we will show some text
OpenTable();
# Open a <form>
echo open_form(getlink(), 'form_name', 'The Wysiwyg Example');
# Output the Wysiwyg selector
echo $wysiwyg->getSelect().'<br /><br />';
# Output the Wysiwyg <textarea>
echo $wysiwyg->getHTML().'<br /><br />';
# Output the other Wysiwyg <textarea>
echo $wysiwyg2->getHTML().'<br /><br />';
# close the form
echo '<input type="submit" name="preview" value="Preview">'.close_form();
# close the table that we have created
CloseTable();

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial


You need to get one or more wysiwyg editors first
dragonflycms.org/cvs/wysiwyg/

And upload the folder to /includes/wysiwyg/

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial


The wysiwyg Class has changed (includes/wysiwyg/wysiwyg.inc). Once upon a time you would pass the name of the editor you wished to use to the Class constructor, now the user's preferred choice is stored in the session variable and the constructor no longer accepts the editor name.

This has broken WYSIWYG functionality in my mKnow module.

I need to know at which version of DragonFly it changed so I can allow for it in my code.

edit: I've answered my own question, it was 9.0.4.0, damned annoying though as it means a fair bit of re-coding required now. I'll have to update the session variable because I can't use the new method of adding a selector to the input form (changing editor means submitting the form)



Thank you DJmaze for this post and the advice. It's appreciated.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux (Kernel: 2.4.21-27.0.2.ELsmp)/1.3.33 (Unix)/4.0.24-standard/4.3.11/9.0.5.0


Yes cheers.. I have the functionality built in to my RG_Sports module but it stopped working. On my todo list to fix. This info will make the job a lot easier.

After the data is posted I'm passing it through Fix_Quotes prior to inserting into DB. Would you recommend anything else to protect against vulnerabilities?

My members can post match reports after games are complete and they do this regularly, it adds good content to my site. I MUST give them WYSIWYG as these reports end up as huge lumps of text otherwise.

example: www.scottishwomensfoot...=2820.html

gerry @ redgerry.com
redgerry.com
clacks.co
123v.com
copseygroup.com

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Suse11.4 - LAMP on zypper - ISPConfig 3


Fix_Quotes() will not prevent anyone from using <script> and "on<task>", which are javascript commands.
I'm building such XSS prevention functions to strip all javascript functionality.
I will post my test functions here so you all can try.

NOTE: this code is highly untested so please report issues or extension in here.

function strip_javascript($text, $events=true)
{
    $patterns = array(
        # "s" modifier added so a <script> block spanning several lines is matched too
        '/<\s*script[^>]*?>.*?<\/\s*script\s*>/is',
        '/href\s*=\s*\'\s*javascript.*\'/i',
        '/href\s*=\s*"\s*javascript.*"/i'
    );
    $replace = array('','','');
    if ($events) {
        # strip on<event> handler attributes
        $patterns[] = '/(<.*?)on[\w]+\s*=[^<>]*?>/i';
        $replace[] = '\\1>';
    }
    return preg_replace($patterns,$replace,$text);
}

# renamed from strip_tags(): PHP cannot redeclare its built-in strip_tags()
# each flag set to true strips that group of tags
function strip_html_tags($text, $tables=false, $lists=false, $fonts=false, $phrase=false, $blocks=false, $group=false, $misc=false, $image=false, $media=true, $forms=true)
{
    $allowed_tags = '<a><br><center><hr><p>';
    if (!$tables) { $allowed_tags .= '<caption><multicol><table><tbody><col><colgroup><td><tfoot><thead><th><tr>'; }
    if (!$lists) { $allowed_tags .= '<dl><dt><dd><dir><menu><li><ol><ul>'; }
    if (!$fonts) { $allowed_tags .= '<font><sub><sup><big><b><i><small><s><strike><tt><u>'; }
    if (!$phrase) { $allowed_tags .= '<cite><code><dfn><em><kbd><samp><strong><var><abbr><acronym>'; }
    # <h> replaced by <h1>..<h6>: strip_tags() matches exact tag names
    if (!$blocks) { $allowed_tags .= '<blockquote><h1><h2><h3><h4><h5><h6><plaintext><pre>'; }
    if (!$group) { $allowed_tags .= '<div><span><fieldset><legend>'; }
    if (!$misc) { $allowed_tags .= '<nobr><spacer><wbr>'; }
    if (!$image) { $allowed_tags .= '<img><map><area>'; }
    if (!$media) { $allowed_tags .= '<applet><object><param><embed><marquee>'; }
    if (!$forms) { $allowed_tags .= '<form><input><select><option><optgroup><textarea><button>'; }
    # was $allowable_tags, an undefined variable
    return strip_tags($text, $allowed_tags);
}

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial
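
A parser-based allow-list is one way to handle the posted WYSIWYG data discussed above: it keeps only known tags and attributes instead of pattern-matching for the bad ones. This is an added example, not code from the thread or from Dragonfly; the function name sanitize_wysiwyg_html(), the tag list and the sample input are assumptions, and it needs PHP 5.3.6 or later with the DOM extension.

```php
<?php
// Added example, not Dragonfly code: function name and allow-list are assumptions.
function sanitize_wysiwyg_html($html)
{
    // Allowed tags and the attributes each may keep; everything else goes.
    $allowed = array_fill_keys(array('p', 'br', 'b', 'i', 'u', 'em', 'strong',
        'ul', 'ol', 'li', 'h1', 'h2', 'h3', 'blockquote'), array());
    $allowed['a'] = array('href', 'title');
    // Tags removed together with their content instead of being unwrapped.
    $drop = array('script', 'style', 'iframe', 'object', 'embed', 'applet', 'form');
    $doc = new DOMDocument();
    // @ silences libxml warnings on imperfect markup; the XML declaration selects UTF-8.
    @$doc->loadHTML('<?xml encoding="UTF-8">' . $html);
    $body = $doc->getElementsByTagName('body')->item(0);
    if (!$body) { return ''; }
    $xpath = new DOMXPath($doc);
    // Snapshot the node list first because the tree changes while we walk it.
    foreach (iterator_to_array($xpath->query('.//*|.//comment()', $body), false) as $node) {
        $tag = strtolower($node->nodeName);
        if ($node->nodeType !== XML_ELEMENT_NODE || in_array($tag, $drop)) {
            $node->parentNode->removeChild($node);
        } elseif (!isset($allowed[$tag])) {
            // Unknown tag: keep its children (they are visited later), drop the tag.
            while ($node->firstChild) {
                $node->parentNode->insertBefore($node->firstChild, $node);
            }
            $node->parentNode->removeChild($node);
        } else {
            foreach (iterator_to_array($node->attributes, false) as $attr) {
                if (!in_array(strtolower($attr->nodeName), $allowed[$tag])) {
                    $node->removeAttribute($attr->nodeName);
                }
            }
            // Links: accept only listed schemes or a site-relative path.
            if ($node->hasAttribute('href') && !preg_match('#^(https?://|mailto:|/)#i', trim($node->getAttribute('href')))) {
                $node->removeAttribute('href');
            }
        }
    }
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}
// Constructed sample input, shaped like a posted WYSIWYG field.
$posted = '<h1 onclick="alert(1)">Match report</h1><script>alert(2)</script>'
        . '<p>Final score <b>2-1</b>, <a href="javascript:alert(3)">details</a></p>';
echo sanitize_wysiwyg_html($posted), "\n";
```

Call it on the posted field before the value is quoted for the database.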


Why don't you all take a look at this: pixel-apes.com/downloa...ripped.zip

which comes from pixel-apes.com/safehtml#h248-2

EDIT: I propose that this be integrated into dragonfly's core. It is a very helpful function and doesn't add much to the overall distro size (about 80kb uncompressed in total), and additionally it is released under the BSD license.

Seems like a helpful little function to have, very good for a CMS that's all about security. This way module developers don't even need to come up with their own parsers, which could contain fatal flaws etc. Good idea?

The usage example is like so: $parser = new SafeHTML(); $result = $parser->parse($doc);
pretty simple.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux (Kernel: 2.4.21-27.0.2.ELsmp)/1.3.33 (Unix)/4.0.24-standard/4.3.11/9.0.5.0


Thanks mc__, I will look into that code.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial


DJMaze,

Did anything come of this?



$wysiwyg->getSelect();
Is there any way to display the wysiwyg editor by default without using this select box?

Kendle wrote
I'll have to update the session variable because I can't use the new method of adding a selector to the input form (changing editor means submitting the form)

Were you able to fix this? I am having the same problem and I will have to rely on the select box if there is no way to default the editor to wysiwyg.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux/1.3.33/4.0.27/4.4.4/9.1.1


If you want to enforce a particular WYSIWYG editor you'll have to manipulate the user's session variable, like so:-

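# version_compare() instead of a plain string comparison of the version numbers
if (version_compare(CPG_NUKE, '9.0.3.0', '>')) {
    global $CPG_SESS;
    $CPG_SESS['wysiwyg'] = 'EditorName';
}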

Note: the check for version number is because it was at 9.0.3.0 that the WYSIWYG class changed. If that's not relevant to your application then remove it, obviously.

If you are writing something that users of versions prior to 9.0.3.0 might want you'll also need to adjust the call to the WYSIWYG class as the parameters changed:-

<= 9.0.3.0

$wysiwyg = new Wysiwyg('EditorName', 'FieldName', 'width', 'height', $fieldvariable);

> 9.0.3.0

$wysiwyg = new Wysiwyg('FormName', 'FieldName', 'width', 'height', $fieldvariable);

Gaming League / Cup - www.leaguecms.co.uk :: Other DragonFly modules - www.cmsdreams.co.uk



Alright cool, thanks Kendle

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux/1.3.33/4.0.27/4.4.4/9.1.1


mc__ wrote
Why don't you all take a look at this: pixel-apes.com/downloa...ripped.zip

which comes from pixel-apes.com/safehtml#h248-2

EDIT: I propose that this be integrated into dragonfly's core. It is a very helpful function and doesn't add much to the overall distro size (about 80kb uncompressed in total), and additionally it is released under the BSD license.


Not possible, can't mix GPL and BSD in one package.
It works nicely though.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial


I cannot browse or download images with a wysiwyg browser.
Could it be caused by a .htaccess file?

Wonder is the beginning of all wisdom.
Verwondering is het begin van alle wijsheid.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Windows xp/Apache 2.0/mysql 5.0.51a (client: 5.0.51a) php 5.2.5/ CPGNuke 9.2.1
