
Multisite Security When Enabling HTML and Related Tags … (5 posts)

  • Trace Richardson said 2 years, 7 months ago:

    Hiya,

    We run a commercial multisite install and have been using the deprecated Additional Tags plugin to enable users to have more control over their tags / content. This brings up some questions about security … anyone have any feedback on allowing the following? The FORM and INPUT sections are not live; they’re the ones that I’m most concerned about … In a perfect world we would like users to be able to embed a registration form from a 3rd party provider newsletter list or similar … Any feedback on security issues that enabling these tags for users might present is greatly appreciated!

    update: sorry, tried to add backticks to embed as code but it’s not working … formatting left-aligns when posting, making it a bear to read …

```php
// Tag/attribute allow-list as posted (smart quotes replaced with straight quotes
// and indented; content unchanged). Note that PHP keeps the last value for a
// duplicated array key, so the repeated 'style', 'input' and 'type' entries
// below are redundant but harmless.
$add_tags = array(
    'iframe' => array(
        'width'       => array(),
        'height'      => array(),
        'frameborder' => array(),
        'src'         => array(),
        'scrolling'   => array(),
        'style'       => array(),
        'align'       => array(),
        'name'        => array(),
        'class'       => array(),
        'id'          => array(),
        'style'       => array()
    ),
    'object' => array(
        'width'  => array(),
        'height' => array()
    ),
    'param' => array(
        'name'  => array(),
        'value' => array()
    ),
    'embed' => array(
        'src'               => array(),
        'type'              => array(),
        'wmode'             => array(),
        'width'             => array(),
        'height'            => array(),
        'name'              => array(),
        'bgcolor'           => array(),
        'flashVars'         => array(),
        'allowFullScreen'   => array(),
        'allowScriptAccess' => array(),
        'seamlesstabbing'   => array(),
        'swLiveConnect'     => array(),
        'pluginspage'       => array()
    ),
    'script' => array(
        'type'    => array(),
        'src'     => array(),
        'charset' => array()
    ),
    'div' => array(
        'class' => array(),
        'id'    => array(),
        'style' => array()
    ),
    'style' => array(
        'type' => array()
    ),
    'ul' => array(
        'class' => array(),
        'id'    => array(),
        'style' => array()
    ),
    'li' => array(
        'class' => array(),
        'id'    => array(),
        'style' => array()
    ),
    'ol' => array(
        'class' => array(),
        'id'    => array(),
        'style' => array()
    ),
    'form' => array(
        'class'  => array(),
        'id'     => array(),
        'style'  => array(),
        'value'  => array(),
        'size'   => array(),
        'action' => array(),
        'input'  => array(),
        'method' => array(),
        'type'   => array(),
        'name'   => array()
    ),
    'font' => array(
        'color'  => array(),
        'size'   => array(),
        'weight' => array()
    ),
    'input' => array(
        'class' => array(),
        'id'    => array(),
        'style' => array(),
        'type'  => array(),
        'size'  => array(),
        'value' => array(),
        'input' => array(),
        'type'  => array(),
        'name'  => array()
    ),
    'p' => array(
        'class' => array(),
        'id'    => array(),
        'style' => array()
    )
);
```

  • andrea said 2 years, 7 months ago:

    I’d be more concerned about the iframe and script tags myself. :-/ They can do a load of damage.

    I would pick the common forms used and build users a shortcode for their use.

  • Trace Richardson said 2 years, 7 months ago:

    Gotcha. Know anyone we can hire to consult regarding implementing tags in a secure way so that we enable these in a safe manner?

  • andrea said 2 years, 7 months ago:

    (argh – slow browser)

    It’s not a question of enabling these HTML tags within posts. There’s no way to do it “safely”. If you enable the script tag for your users, it is *unsafe by nature*.

    Creating a plugin that has a shortcode is the safe way to let them embed things. They will not use the provider’s embed code. They would use the shortcode you make for them.

    For example, if it were AWeber, you’d have them do something like [aweber member=3918649817264] where the number is their AWeber id. This particular functionality may also exist in the form of a plugin.
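The shortcode approach andrea describes, written out as an added example (this is not code from the thread, from the Additional Tags plugin, or from any real provider). It uses the real WordPress functions `add_shortcode`, `shortcode_atts` and `esc_url`; the provider origin `https://forms.example-provider.test/<id>` and the shortcode name `newsletter` are hypothetical placeholders. The point is that the user supplies only a numeric id, never markup, so the site owner controls every tag and attribute that reaches the page:

```php
<?php
/*
Plugin Name: Newsletter Embed Shortcode (added example)
Description: Lets site users embed a provider signup form via [newsletter member=123]
             without granting them raw iframe/script/form tags.
*/

// Assumption (hypothetical): the provider serves a hosted signup form at
// https://forms.example-provider.test/<numeric member id>. Substitute the real
// provider's documented embed URL.
const EXAMPLE_NEWSLETTER_BASE = 'https://forms.example-provider.test/';

add_action( 'init', function () {
    add_shortcode( 'newsletter', 'example_newsletter_shortcode' );
} );

/**
 * Render [newsletter member=NNN].
 *
 * Only the member id is taken from the user, and it must be digits only.
 * Anything else (quotes, tag fragments, another host) renders nothing, so
 * a post like [newsletter member='1" onload="x'] produces an empty string.
 */
function example_newsletter_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'member' => '' ), $atts, 'newsletter' );

    if ( ! preg_match( '/^[0-9]{1,20}$/', $atts['member'] ) ) {
        return '';
    }

    // The src is assembled server-side from a fixed origin; the user cannot
    // redirect it or add attributes. esc_url() also rejects unsafe schemes.
    $src = esc_url( EXAMPLE_NEWSLETTER_BASE . $atts['member'] );

    // The sandbox keeps the third-party frame from navigating the top window
    // or reading the parent document while still allowing its form to submit.
    return sprintf(
        '<iframe src="%s" width="100%%" height="320" loading="lazy" '
        . 'sandbox="allow-forms allow-scripts"></iframe>',
        $src
    );
}
```

Because the output is generated by the plugin rather than stored in post content, it is unaffected by the kses filtering that would strip raw tags when a non-privileged user edits the page, and the allow-list of tags users may type can stay at the WordPress default.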

  • Trace Richardson said 2 years, 7 months ago:

    Gotcha, so unsafe = iframe, object, param, input, form, script and embed tags? Are any of those ok, or should we avoid all? Our goal is to enable anything that is innocuous, but disable anything that is not 100% safe … I hear you on the shortcode, we will have to go that route or I can embed as super admin if necessary … the obvious issue is that that embed will be cleaned if the user updates the page … which is ok. It looks like we will likely end up nixing this plugin altogether … thanks again!