QFCKeditor and Swf Files
Hi.
Has anybody been able to use QFCKeditor's "insert a SWF" capability with Qcodo? I get the following:
Cross Scripting Violation -- SCRIPT EMBED OBJECT LINK APPLET STYLE IFRAME BODY and JavaScript not allowed in c10
Exception Type: QCallerException
Source File: /home/adminhcfc/domains/hondurascloudforestcoffee.com/public_html/cms/includes/qcodo/_core/qform/QFormBase.class.php Line: 227
Line 222: // If they were rendered last time and are visible (and if ServerAction, enabled), then Parse its post data
Line 223: if (($objControl->Visible) &&
Line 224: (($objClass->strCallType == QCallType::Ajax) || ($objControl->Enabled)) &&
Line 225: ($objControl->RenderMethod)) {
Line 226: // Call each control's ParsePostData()
Line 227: $objControl->ParsePostData();
Line 228: }
Line 229:
Line 230: // Reset the modified/rendered flags and the validation
Line 231: // in ALL controls
Line 232: $objControl->ResetFlags();
Is it fixable?
David

I haven't used that control, but I do know that by default QCubed will be suspicious of tags such as script, object, and embed, among others. This is a good thing as it prevents malicious injection attacks.
You could turn this functionality off by doing something like this:
$this->txtMyFCKeditor->CrossScripting = QCrossScripting::Allow;
However, this could potentially leave you vulnerable to attack, depending upon how you are using this control (i.e. is it being used internally, or is it being used by the general public).
The optimal solution would be to override the ParsePostData() function and code in an exception for the tag you're trying to insert (which is probably the object tag in this case).
CDhamm
The system in question is used internally not public. I'll try the quick fix for now, but I like your exception trapping better so I will work on that when I get a break.
Thanks
My current fix is to simply go into QFCKEditor.php and set the needed filetypes to True,
i.e.
switch ($this->strCrossScripting) {
case QCrossScripting::Allow:
// Do Nothing, allow everything
break;
default:
// Deny the Use of CrossScripts
// Check for cross scripting patterns
// TODO: Change this to RegExp
$strText = strtolower($this->strText);
if ((strpos($strText, '
dclark - your current fix is susceptible to cross-site scripting. There has to be a better way. Consider improving the QCubed function that does cross-site scripting checks to pass in an allowed list of tags (if that's not allowed already). When you're done, please share your code!
Hello everyone,
Was this problem resolved?
I have the same problem.
How should I solve this problem with RegExp?
Thank you
Hi, ourri. It is not resolved. You can however go into QFCKEditor.class.php and change (or rem out) the listed cross scripting items individually as needed.
Please be careful because if you allow public access to this, you will eventually have someone mess with it.
I have been meaning to look at this for several years. It just got easier to rem out the items I wanted to allow then protect it with URL controls to prevent hijacking.
It works but it is not foolproof.
I'll see if I can get back at looking at this soon.
Dave
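
The allowed-tag-list suggestion and the RegExp question raised in the thread, sketched as an added example (not code from any poster, Qcodo or QCubed). The function name `find_cross_scripting`, its parameters and the sample markup are hypothetical; the denied tag names come from the exception message quoted in the first post, and matching `javascript:` for the "JavaScript" item is an assumption.

```php
<?php
// Added example: hypothetical helper, not part of Qcodo/QCubed.
// Returns the denied items found in $strText; an empty array means it passes.
function find_cross_scripting($strText, array $allowedTags = array())
{
    // Tag names taken from the exception message quoted in the thread.
    $denied = array('script', 'embed', 'object', 'link',
                    'applet', 'style', 'iframe', 'body');

    // Only names from $denied end up in the pattern, so caller input
    // can relax the check but can never inject regex syntax.
    $blocked = array_diff($denied, array_map('strtolower', $allowedTags));

    $found = array();
    if ($blocked) {
        // "<", optional "/", then a blocked name that is not the prefix
        // of a longer name (so <objective> or <linker> do not match).
        $pattern = '~<\s*/?\s*(' . implode('|', $blocked) . ')(?![a-z0-9])~i';
        if (preg_match_all($pattern, $strText, $matches)) {
            $found = array_map('strtolower', $matches[1]);
        }
    }

    // Assumption: the "JavaScript" item is treated as the javascript: URL
    // scheme, and it stays denied whatever the allowlist says.
    if (preg_match('~javascript\s*:~i', $strText)) {
        $found[] = 'javascript:';
    }
    return array_values(array_unique($found));
}

// Constructed sample input resembling an inserted SWF.
$strSwf = '<p>Intro</p><object width="400" height="300">'
        . '<embed src="/media/intro.swf" type="application/x-shockwave-flash">'
        . '</embed></object>';

// Default check, nothing allowlisted.
print_r(find_cross_scripting($strSwf));
// Same input with the two SWF tags allowlisted.
print_r(find_cross_scripting($strSwf, array('object', 'embed')));
// Allowlist in place, but the post also carries other denied items.
print_r(find_cross_scripting($strSwf . '<IFRAME src="/x"></iframe>'
    . '<a href="javascript:void(0)">x</a>', array('object', 'embed')));
```

Allowlisting `object` or `embed` accepts the whole tag, attributes included, so this only narrows the check; it suits the internal-only use described in the thread rather than a publicly reachable editor.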