Cycling/Run Route BBCodes

Started by dimspace, May 02, 2013, 02:06:10 PM


Arantor

Quote: Does png vs gif make a difference? It occurred to me afterwards that not everyone's SMF has png bb icons, or is it smart enough to find them?

It is not smart enough to find them. They have to be gifs unless you've modified the template. And there is a decent chance it won't install to other theme folders even if you tell it to.

Quote: so I don't quite get what you mean.

The code in Subs-Editor.php is for the things users click on to be inserted into the post content. Except iframes shouldn't work if you do that (regardless of whether you're in WYSIWYG mode or not), because they should be processed at save time to forcibly break the HTML tags for security reasons.

If regular users can just post iframes that are accepted as-is for posting, there is a truly huge security hole in your site (because it can't be done on regular SMF). Consider someone putting in an iframe to load a cookie stealing script when loaded. That's why iframes shouldn't be accepted normally.

The code in Subs-Editor.php is not supposed to be raw HTML under any circumstances because it shouldn't work. If it does work, there is a security hole and one that *needs* patching.
Holder of controversial views, all of which my own.


dimspace

Now I see what Arantor meant.. (well no I don't, I see something different)

I'm a spanner.. I've got the editor code going in Subs.php in error :bangsheadondesk:


But I had totally messed up the edits for Subs-Editor.php.. should have been:

<?xml version="1.0"?>
<!DOCTYPE modification SYSTEM "http://www.simplemachines.org/xml/modification">
<modification xmlns="http://www.simplemachines.org/xml/modification" xmlns:smf="http://www.simplemachines.org/">
<id>nikan:EUCookie</id>
<version>1.0</version>

<file name="$sourcedir/Subs.php">
<operation>
<search position="before"><![CDATA[
array(
'tag' => 'i',
'before' => '<em>',
'after' => '</em>',
),
]]></search>
<add><![CDATA[
array(
'tag' => 'garmin',
'before' => '<iframe width="465" height="548" frameborder="0" src="http://connect.garmin.com:80/activity/embed/',
'after' => '"></iframe>',
),
array(
'tag' => 'mapmyride',
'before' => '<iframe id="mapmyfitness_route" src="http://snippets.mapmycdn.com/routes/view/embedded/',
'after' => '?width=560&height=400&elevation=true&info=true&line_color=E6a67031&rgbhex=3170a6&distance_markers=0&unit_type=imperial&map_mode=TERRAIN&last_updated=2007-09-09T21:27:27+01:00" height="590px" width="100%" frameborder="0"></iframe>',
),
array(
'tag' => 'endomondo',
'before' => '<iframe src="http://www.endomondo.com/embed/workouts?w=',
'after' => '&width=580&height=600" width="580" height="600" frameborder="0" scrolling="no"></iframe>',
),
array(
'tag' => 'ridewithgps',
'before' => '<iframe src="http://ridewithgps.com/routes/',
'after' => '/embed" height="500px" width="100%" frameborder="0"></iframe>',
),
array(
'tag' => 'tracks4bikers',
'before' => '<iframe width="600" height="740" src="http://tracks4bikers.com/tracks/show_iframe/',
'after' => '"></iframe>',
),
array(
'tag' => 'bikemap',
'before' => '<div style="background-color:#fff;"><iframe src="http://bikemap.net/en/route/',
'after' => '/widget/?width=425&amp;extended=1&amp;height=350&amp;unit=metric" width="425" height="663" border="0" frameborder="0" marginheight="0" marginwidth="0" scrolling="no"> </iframe></div>',
),
]]></add>
</operation>
</file>

<file name="$sourcedir/Subs-Editor.php">
<operation>
<search position="before"><![CDATA[
array(
'image' => 'quote',
'code' => 'quote',
'before' => '[quote]',
'after' => '[/quote]',
'description' => $txt['bbc_quote']
),
]]></search>
<add><![CDATA[
array(
'image' => 'garmin',
'code' => 'garmin',
'before' => '[garmin]',
'after' => '[/garmin]',
'description' => $txt['bbc_garmin']
),
array(
'image' => 'mapmyride',
'code' => 'mapmyride',
'before' => '[mapmyride]',
'after' => '[/mapmyride]',
'description' => $txt['bbc_mapmyride']
),
array(
'image' => 'endomondo',
'code' => 'endomondo',
'before' => '[endomondo]',
'after' => '[/endomondo]',
'description' => $txt['bbc_endomondo']
),
array(
'image' => 'bikemap',
'code' => 'bikemap',
'before' => '[bikemap]',
'after' => '[/bikemap]',
'description' => $txt['bbc_bikemap']
),
array(
'image' => 'ridewithgps',
'code' => 'ridewithgps',
'before' => '[ridewithgps]',
'after' => '[/ridewithgps]',
'description' => $txt['bbc_ridewithgps']
),
array(
'image' => 'tracks4bikers',
'code' => 'tracks4bikers',
'before' => '[tracks4bikers]',
'after' => '[/tracks4bikers]',
'description' => $txt['bbc_tracks4bikers']
),
]]></add>
</operation>
</file>

<file name="$languagedir/Modifications.english.php">
<operation>
<search position="end" />
<add><![CDATA[
$txt['bbc_ridewithgps'] = 'Insert a Ride with GPS route ID';
$txt['bbc_tracks4bikers'] = 'Insert a Tracks 4 Bikers route ID';
$txt['bbc_garmin'] = 'Insert a Garmin activity ID';
$txt['bbc_bikemap'] = 'Insert a Bikemap route in the format 1493880-putevima-cvijeca';
$txt['bbc_mapmyride'] = 'Insert a Map my Ride activity ID';
$txt['bbc_endomondo'] = 'Insert an Endomondo rider and activity id for example 184353320/9925838';
]]></add>
</operation>
</file>

<file name="$languagedir/Modifications.english-utf8.php" error="skip">
<operation>
<search position="end" />
<add><![CDATA[
$txt['bbc_ridewithgps'] = 'Insert a Ride with GPS route ID';
$txt['bbc_tracks4bikers'] = 'Insert a Tracks 4 Bikers route ID';
$txt['bbc_garmin'] = 'Insert a Garmin activity ID';
$txt['bbc_bikemap'] = 'Insert a Bikemap route in the format 1493880-putevima-cvijeca';
$txt['bbc_mapmyride'] = 'Insert a Map my Ride activity ID';
$txt['bbc_endomondo'] = 'Insert an Endomondo rider and activity id for example 184353320/9925838';
]]></add>
</operation>
</file>
<require-dir name="bbc" destination="$sourcedir/images/" />

</modification>


Subs.php defines the iframes, Subs-Editor.php defines the arrays for the bbc and images *facepalm*

Which means http://velorooms.com/files/runridebbc.zip does actually now work..

Basically, like a dummy, I had put the code that was for Subs.php in both Subs.php and Subs-Editor.php.

dimspace

Quote from: Arantor on May 21, 2013, 06:41:37 PM
Quote: Does png vs gif make a difference? It occurred to me afterwards that not everyone's SMF has png bb icons, or is it smart enough to find them?

It is not smart enough to find them. They have to be gifs unless you've modified the template. And there is a decent chance it won't install to other theme folders even if you tell it to.

Quote: so I don't quite get what you mean.

The code in Subs-Editor.php is for the things users click on to be inserted into the post content. Except iframes shouldn't work if you do that (regardless of whether you're in WYSIWYG mode or not), because they should be processed at save time to forcibly break the HTML tags for security reasons.

If regular users can just post iframes that are accepted as-is for posting, there is a truly huge security hole in your site (because it can't be done on regular SMF). Consider someone putting in an iframe to load a cookie stealing script when loaded. That's why iframes shouldn't be accepted normally.

The code in Subs-Editor.php is not supposed to be raw HTML under any circumstances because it shouldn't work. If it does work, there is a security hole and one that *needs* patching.

Yeh, get you now. That was a mess-up on my part. Had the Subs code in the editor in error.. which is why that didn't work. Told you I'm new to this.

On the general security aspect: this is using iframes to display the items, but I'm assuming, because the bulk of the iframe is specified with the user only required to enter a numeric code, that the risks are fairly minimal?

Thanks for your patience by the way.. purely packaging this as a learning process; as a mod it has fairly limited appeal.

Arantor

The risk is about what the user is allowed to enter. If they're not allowed to enter very much and what is allowed to be entered is sanitised, there's no risk.

In your case, that is still a valid risk because there isn't any kind of checking on what is entered, and incidentally the tag doesn't do anything to prevent other tags inside it.

Start with declaring 'type' => 'unparsed_content' for all the tags. As far as validation goes, I really can't remember exactly how to roll out a validate function in the bbcode (because I changed how I did it in Wedge years ago and the mechanics there are slightly different in consequence).

Might be worth having a look around some of the bbcode mods to see what they do. IIRC using unparsed_content will require a validate function with which you can validate its content as safe (like the img tag does).
Holder of controversial views, all of which my own.

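Putting Arantor's two suggestions together (unparsed_content plus a validate callback, as the img tag does), here is an added example of what the Subs.php entries from the package above could look like. This is not code from the thread or from runridebbc.zip. It assumes SMF 2.0-style parse_bbc() tag arrays, where an unparsed_content tag renders its 'content' string with $1 replaced by the inner text and the validate callback receives (&$tag, &$data, $disabled); SMF 2.0 wrapped that callback in create_function(), while a closure is used here so the body is readable. renderTag() is a stand-in for the relevant part of parse_bbc(), not the real function, and the accepted ID shapes are taken from the $txt descriptions in the package (numeric IDs, id/id for Endomondo, id-slug for Bikemap).

```php
<?php
// Added example, not part of the thread or the runridebbc package: hardened
// Subs.php bbc entries using 'type' => 'unparsed_content' plus a validate
// callback, the pattern the core img tag uses. Assumes SMF 2.0-style tag
// arrays: 'content' is rendered with $1 replaced by the validated inner text.

// Build a validate callback that only accepts inner text matching $pattern.
// On rejection the tag renders as plain text instead of an iframe, so no
// user-controlled bytes ever reach the src attribute.
function makeIdValidator($pattern)
{
    return function (&$tag, &$data, $disabled) use ($pattern) {
        // The editor can inject <br /> into raw content; strip it first,
        // as the core img validator does.
        $data = trim(strtr($data, array('<br />' => '')));
        if (!preg_match($pattern, $data)) {
            $tag['content'] = '<span class="bbc_invalid">[invalid route ID]</span>';
            $data = '';
        }
    };
}

// Hardened tag definitions. $1 is the validated ID; everything else in the
// iframe markup is fixed by the mod, never by the poster.
$routeBbc = array(
    array(
        'tag' => 'garmin',
        'type' => 'unparsed_content',
        'content' => '<iframe width="465" height="548" frameborder="0" src="http://connect.garmin.com:80/activity/embed/$1"></iframe>',
        'validate' => makeIdValidator('/^[0-9]{1,20}$/'),
    ),
    array(
        'tag' => 'endomondo',
        'type' => 'unparsed_content',
        'content' => '<iframe src="http://www.endomondo.com/embed/workouts?w=$1&amp;width=580&amp;height=600" width="580" height="600" frameborder="0" scrolling="no"></iframe>',
        'validate' => makeIdValidator('#^[0-9]{1,20}/[0-9]{1,20}$#'),
    ),
    array(
        'tag' => 'bikemap',
        'type' => 'unparsed_content',
        'content' => '<div style="background-color:#fff;"><iframe src="http://bikemap.net/en/route/$1/widget/?width=425&amp;extended=1&amp;height=350&amp;unit=metric" width="425" height="663" frameborder="0" scrolling="no"></iframe></div>',
        'validate' => makeIdValidator('/^[0-9]{1,20}(-[a-z0-9]+)*$/'),
    ),
);

// Minimal stand-in (hypothetical, not SMF's own function) for the part of
// parse_bbc() that handles an unparsed_content tag: run validate, then
// substitute $1 into 'content'.
function renderTag(array $tag, $inner)
{
    $t = $tag;
    $data = $inner;
    $validate = $t['validate'];
    $validate($t, $data, array());
    return strtr($t['content'], array('$1' => $data));
}

// Constructed inputs: one well-formed ID per tag and one that does not fit the
// expected shape (including one that would close the src attribute early).
$samples = array(
    array('garmin', '123456789'),
    array('garmin', '123" title="x'),
    array('endomondo', '184353320/9925838'),
    array('endomondo', '184353320'),
    array('bikemap', '1493880-putevima-cvijeca'),
    array('bikemap', '1493880/../other'),
);
foreach ($samples as $s) {
    foreach ($routeBbc as $tag) {
        if ($tag['tag'] === $s[0]) {
            echo '[', $s[0], '] ', $s[1], ' => ', renderTag($tag, $s[1]), "\n";
        }
    }
}
```

The point is that the poster's text is confined to the one place in the iframe markup where an ID is expected, and the accepted shape is the narrowest one each service's ID actually has; anything else renders as harmless text rather than being interpolated into the src attribute. The remaining tags in the package (mapmyride, ridewithgps, tracks4bikers) take the same numeric pattern as garmin, so the same factory covers them.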

dimspace

