Link authors to CB Profile - Not working since upgrade

This forum is for general questions about extensions for Joomla! version 1.5.x.

Krycek
Joomla! Apprentice
Posts: 35
Joined: Wed Sep 10, 2008 2:43 pm
Location: Ankiniz, France
Contact:

Link authors to CB Profile - Not working since upgrade

Post by Krycek » Fri Aug 07, 2009 9:01 am

Hello,

To avoid anyone telling me that Community Builder questions should be asked on Joomlapolis, my question is more related to J! 1.5.14 than to CB functions.

Current Platform : Joomla! 1.5.14 / CB 1.2.1 and coming up Kunena 1.5.

Aim : Link articles authors to their CB profile pages.

Possible solution : Use Zak Author 2 CB Plugin or CB Authorbot ver. 1.0.2

Problem: The above-mentioned plugins do not work anymore since I upgraded J! from 1.5.9 to 1.5.14. Actually it is known that from 1.5.10 it doesn't work. Symptom? Instead of displaying a link to the author, the HTML link code is fully displayed and, thus, not effective.
Plugin doesn't work? The solution should be to contact the author, but he's not responding and no alternative plugin exists.

Now that I have some knowledge of PHP/xHTML, I'd like to correct this myself but need some help regarding J!. I'm focusing on Zak's plugin, whose code is easy.

Why doesn't it work? It seems that the HTML encapsulation used in J! 1.5.14 is replacing a simple HTML link with its full-text code.

Finding the bug :
FYI : plugin code and info at the end of this post.

In order to summarize, on line 60 of the code:

Code:

$zak_link_txt ='<a href="index.php?option=com_comprofiler&task=userProfile&user='.$article->created_by.'"><span class="'.$this->_cssclass.'">'.$zak_created_by.'</span></a>';

Gives us in the HTML source:

Code:

<span class="small">
Written by <a href="index.php?option=com_comprofiler&task=userProfile&user=70"><span class="small">Monthy3</span></a>
</span>

This is displayed as:

Code:

Written by <a href="index.php?option=com_comprofiler&task=userProfile&user=70"><span class="small">Smith</span></a>

Instead of:
Written by Smith
(Smith being a clickable link)

As one can see, PHP created a string with special characters which are translated by J! into generic web code, making the link not effective.

The question is rather simple (easy after that long introduction :D ):
How can I bypass this problem? How would the plugin's author trick J! into eventually displaying the link?
(Not being a fan of hardcoding or core hack solutions...)

I had some ideas, like replacing " ' " (apostrophes) with " " " (brackets) in the original code, though I'm not sure this would be sufficient.

Any help will be greatly appreciated. If any fix comes up, I'll publish it on the relevant Joomlapolis forums to help other J! members.
Thanks!


---------

Plugin structure :
  • en-GB.plg_content_zakauthor.ini
  • zakauthor.php
  • zakauthor.xml
Nothing more :)

Here is the plugin code from zakauthor.php :

Code:

<?php
/**
 * @version		$Id: example.php 9764 2007-12-30 07:48:11Z ircmaxell $
 * @package		Joomla
 * @subpackage	Content
 * @copyright	Copyright (C) 2005 - 2008 Open Source Matters. All rights reserved.
 * @license		GNU/GPL, see LICENSE.php
 * Joomla! is free software. This version may have been modified pursuant
 * to the GNU General Public License, and as distributed it includes or
 * is derivative of works licensed under the GNU General Public License or
 * other free or open source software licenses.
 * See COPYRIGHT.php for copyright notices and details.
 */

/**
 * The edit icon for editors and above in
 * components/com_content/helpers/icon.php unnecessarily references
 * $article->created_by_alias in a tooltip, which causes formatting problems.
 * To solve this, comment out line 122 in icon.php which is:
 * 		$overlib .= $author;
 */

// Check to ensure this file is included in Joomla!
defined( '_JEXEC' ) or die();

jimport( 'joomla.plugin.plugin' );

class plgContentzakAuthor extends JPlugin
{
	function plgContentzakAuthor( &$subject, $params )
	{
		parent::__construct( $subject, $params );

		// Plugin parameters as configured in the plugin manager.
		$this->_plugin = JPluginHelper::getPlugin( 'content', 'zakauthor' );
		$this->_params = new JParameter( $this->_plugin->params );
		$this->_secid = $this->_params->def( 'secid', 0 );
		$this->_excludecategories = $this->_params->def( 'excludecategories', '' );
		$this->_excludechar = $this->_params->def( 'excludechar', ',' );
		$this->_separatechar = $this->_params->def( 'separatechar', ',' );
		$this->_cssclass = $this->_params->def( 'cssclass', 'small' );
	}

	function onPrepareContent( &$article, &$params, $limitstart )
	{
		global $mainframe;
		$zak_link_txt = '';

		if (!JPluginHelper::isEnabled('content', 'zakauthor')) { return; }

		// Cast the author id before it is concatenated into SQL or a URL.
		$userId = (int) $article->created_by;

		$db =& JFactory::getDBO();
		if ( $article->created_by_alias == '' ) {
			// No alias set by the editor: look up the user's real name.
			$db->setQuery("SELECT name FROM #__users WHERE id = " . $userId );
			$zak_created_by = $db->loadResult();
		} else {
			$zak_created_by = $article->created_by_alias;
		}

		// The point of the plugin: replace the alias with an HTML link to the CB profile.
		// Since Joomla! 1.5.10 the core layout passes created_by_alias through
		// $this->escape(), so this markup is rendered as literal text (the symptom above).
		$zak_link_txt = '<a href="index.php?option=com_comprofiler&task=userProfile&user=' . $userId . '"><span class="' . $this->_cssclass . '">' . $zak_created_by . '</span></a>';

		$article->created_by_alias = $zak_link_txt;

		return true;
	}
}

Last edited by Krycek on Wed Aug 12, 2009 7:18 am, edited 1 time in total.
A bullet may have your name on it, but shrapnel is addressed "to whom it may concern".

lemur1
Joomla! Intern
Posts: 55
Joined: Fri May 09, 2008 8:22 pm

Re: Link authors to CB Profile - Not working since upgrade

Post by lemur1 » Mon Aug 10, 2009 12:47 pm

Have you solved the problem?
I'm interested in it too, since 1.5.10.

At the Joomlapolis forum I have found:
A new method is being rethought. Due to Joomla 1.5.11 security changes adding a link as author name is no longer as easy as previously. Essentially all bots that do this are broken.
Can it help you?
Thanks.

yvolk
Joomla! Guru
Posts: 979
Joined: Thu Jun 01, 2006 1:52 pm
Location: Moscow, Russia
Contact:

Re: Link authors to CB Profile - Not working since upgrade

Post by yvolk » Mon Aug 10, 2009 5:42 pm

I've looked into the Joomla! code:
Yes, now Joomla! "escapes" all special characters. See the code from the default Joomla! template (file 'components/com_content/views/article/tmpl/default.php'):

Code:

<?php JText::printf( 'Written by', ($this->escape($this->article->created_by_alias) ? $this->escape($this->article->created_by_alias) : $this->escape($this->article->author)) ); ?>

To make your plugin(s) work again you need to remove the call to the '$this->escape' function:

Code:

<?php JText::printf( 'Written by', ($this->escape($this->article->created_by_alias) ? $this->article->created_by_alias : $this->escape($this->article->author)) ); ?>

lemur1 wrote: Have you solved the problem?
I'm interested in it too, since 1.5.10.

At the Joomlapolis forum I have found:
A new method is being rethought. Due to Joomla 1.5.11 security changes adding a link as author name is no longer as easy as previously. Essentially all bots that do this are broken.
Can it help you?
Thanks.
Edited: Typo in the code was corrected, thank you.
Last edited by yvolk on Thu Aug 13, 2009 5:20 am, edited 1 time in total.
Text of all my messages is available under the terms of the GNU Free Documentation License: http://www.gnu.org/copyleft/fdl.html

Krycek
Joomla! Apprentice
Posts: 35
Joined: Wed Sep 10, 2008 2:43 pm
Location: Ankiniz, France
Contact:

Re: Link authors to CB Profile - Not working since upgrade

Post by Krycek » Wed Aug 12, 2009 7:16 am

Thank you Yvolk.

I guess then that for the moment there is no other choice than core hacking...

Edit: This solution does not work either... for each of the above-mentioned plugins, even after removing all escape functions...

Isn't there any way to modify the plugin so that it returns the right string to the escape function and the link eventually works?
A bullet may have your name on it, but shrapnel is addressed "to whom it may concern".

yvolk
Joomla! Guru
Posts: 979
Joined: Thu Jun 01, 2006 1:52 pm
Location: Moscow, Russia
Contact:

Re: Link authors to CB Profile - Not working since upgrade

Post by yvolk » Wed Aug 12, 2009 10:25 am

Krycek wrote: Thank you Yvolk.

I guess then that for the moment there is no other choice than core hacking...

Edit: This solution does not work either... for each of the above-mentioned plugins, even after removing all escape functions...

Isn't there any way to modify the plugin so that it returns the right string to the escape function and the link eventually works?
Hi Krycek,
In fact my proposal is NOT "core hacking", because it suggests changing the page TEMPLATE.
Page templates are, by Joomla! design, customizable. So:
1. Instead of changing a file from the core, you'd better create a custom copy of it and use Joomla!'s "Template override" feature to substitute your page for the core template page...
2. In case you're already using a non-default Joomla! template, Joomla! already doesn't use that "components/com_content/views/article/tmpl/default.php" file at all, so you won't see any difference after the proposed "hack" :)
E.g. if you selected the "JA_Purity" template, you have to change (a custom copy of) the file: "templates/ja_purity/html/com_content/article/default.php".
Text of all my messages is available under the terms of the GNU Free Documentation License: http://www.gnu.org/copyleft/fdl.html

Beat
Joomla! Guru
Posts: 840
Joined: Thu Aug 18, 2005 8:53 am
Location: Switzerland
Contact:

Re: Link authors to CB Profile - Not working since upgrade

Post by Beat » Wed Aug 12, 2009 11:04 am

There is a related discussion with some valid points going on here:

http://www.joomlapolis.com/component/op ... itstart,0/
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team

lemur1
Joomla! Intern
Posts: 55
Joined: Fri May 09, 2008 8:22 pm

Re: Link authors to CB Profile - Not working since upgrade

Post by lemur1 » Wed Aug 12, 2009 12:19 pm

yvolk wrote: I've looked into the Joomla! code:
Yes, now Joomla! "escapes" all special characters. See the code from the default Joomla! template (file 'components/com_content/views/article/tmpl/default.php'):

Code:

<?php JText::printf( 'Written by', ($this->escape($this->article->created_by_alias) ? $this->escape($this->article->created_by_alias) : $this->escape($this->article->author)) ); ?>

To make your plugin(s) work again you need to remove the call to the '$this->escape' function:

Code:

<?php JText::printf( 'Written by', ($this->escape($this->article->created_by_alias) ? article->created_by_alias : $this->escape($this->article->author)) ); ?>

Krycek wrote: This solution does not work either...
The code above has a little mistake. It must be, probably:

Code:

<?php JText::printf( 'Written by', ($this->escape($this->article->created_by_alias) ? $this->article->created_by_alias : $this->escape($this->article->author)) ); ?>

This solution works well!

Krycek
Joomla! Apprentice
Posts: 35
Joined: Wed Sep 10, 2008 2:43 pm
Location: Ankiniz, France
Contact:

Re: Link authors to CB Profile - Not working since upgrade

Post by Krycek » Wed Aug 12, 2009 12:36 pm

I knew there was a mistake in the code and corrected it. I also knew about template overrides, but mine is custom (I made it from scratch) and am not using any override at all.

Anyhow, I don't understand why the plugin cannot be modified to return appropriate string to the escape function... Template override for that simple feature is quite out of all proportion, innit ?

Edit: Actually, I just found out that it is working for articles but not for the home page.
So same trick, override or core hack the page in 'components/com_content/views/frontpage/tmpl/default_item.php' with:

Code:

<?php JText::printf( 'Written by', ($this->escape($this->item->created_by_alias) ? $this->item->created_by_alias : $this->escape($this->item->author)) ); ?>

instead of:

Code:

<?php JText::printf( 'Written by', ($this->escape($this->item->created_by_alias) ? $this->escape($this->item->created_by_alias) : $this->escape($this->item->author)) ); ?>

A bullet may have your name on it, but shrapnel is addressed "to whom it may concern".

Beat
Joomla! Guru
Posts: 840
Joined: Thu Aug 18, 2005 8:53 am
Location: Switzerland
Contact:

Re: Link authors to CB Profile - Not working since upgrade

Post by Beat » Wed Aug 12, 2009 4:19 pm

The real issue here is that plugins should have a possibility to change the author text with html without needing to change any core or 3pd joomla template.

That was fine until Joomla 1.5.13, and a security "fix" disabled that possibility.

Question to Joomla dev team:

Would it be possible to do the database-content cleanup BEFORE calling the plugins triggers instead of after calling the plugin triggers, to avoid htmlspecialcharing the html code coming from joomla plugins ?
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team

geminorum
Joomla! Apprentice
Posts: 16
Joined: Mon Oct 16, 2006 6:21 pm
Contact:

Re: Link authors to CB Profile - Not working since upgrade

Post by geminorum » Thu Aug 13, 2009 3:55 pm

Beat wrote: Question to Joomla dev team:

Would it be possible to do the database-content cleanup BEFORE calling the plugins triggers instead of after calling the plugin triggers, to avoid htmlspecialcharing the html code coming from joomla plugins ?
Does anyone plan to do something about it?
Or do I just have to kill my plugin gAuthor, which uses the trick!
Also CBAuthorBot, BK Author Link and Agora AuthorBot. :pop

Beat
Joomla! Guru
Posts: 840
Joined: Thu Aug 18, 2005 8:53 am
Location: Switzerland
Contact:

Re: Link authors to CB Profile - Not working since upgrade

Post by Beat » Thu Aug 13, 2009 5:06 pm

I made a post to joomla's public devs-list/group here to bring this to their attention:

http://groups.google.com/group/joomla-d ... a?hl=en-GB
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team

Hazzaa
Joomla! Explorer
Posts: 342
Joined: Fri Nov 24, 2006 6:13 pm

Re: Link authors to CB Profile - Not working since upgrade

Post by Hazzaa » Thu Aug 13, 2009 6:15 pm

Agora Authorbot seems to be working fine with Joomla 1.5.14. Sorry, not sure about the rest.

geminorum
Joomla! Apprentice
Posts: 16
Joined: Mon Oct 16, 2006 6:21 pm
Contact:

Re: Link authors to CB Profile - Not working since upgrade

Post by geminorum » Thu Aug 13, 2009 7:05 pm

Hazzaa wrote: Agora Authorbot seems to be working fine with Joomla 1.5.14. Sorry, not sure about the rest.
Sorry, but though the JED page description says: "Now all authors names "Written By: XXXXX" on your site will be linked back to their Agora Profile.", the plugin does something else and adds a piece of HTML to the top of the content text. It seems the new version does not use the trick!

AmyStephen
Joomla! Champion
Posts: 7056
Joined: Wed Nov 22, 2006 3:35 pm
Location: Nebraska
Contact:

Re: Link authors to CB Profile - Not working since upgrade

Post by AmyStephen » Thu Aug 13, 2009 7:28 pm

Hazzaa - thanks for saying that, I've been working with Agora Authorbot and couldn't see any problems. I'll look at another one, now.

AmyStephen
Joomla! Champion
Posts: 7056
Joined: Wed Nov 22, 2006 3:35 pm
Location: Nebraska
Contact:

Re: Link authors to CB Profile - Not working since upgrade

Post by AmyStephen » Thu Aug 13, 2009 7:54 pm

Author Link for Joomla! is changing the array element created_by_alias to contain both the Name and a link. Nothing is escaping the text values in the Plugin.

Here's one example from that plugin:

Code:

$link = JRoute::_('index.php?option=com_contact&view=contact&id='. $result->slug .'&catid='.$result->catslug );
$link = '<a href="'.$link.'"><span class="small">'.$created_by.'</span></a>, ';
$row->created_by_alias .= $img_out.$link;

I assume when the core escapes the created by or created by alias field prior to presentation (as should be done), the link is corrupted by the escaping? Is that the issue?

To me, this is a good example of why the core must be the one to escape the output. Shiflett says if PHP devs focus on 2 things: filter input and escape output, the top 5 PHP security problems are gone.

In Joomla!, the core escapes output when that output is presented in the layouts. There's no place safer to do so. One might argue that doing so within the View *after* the Plugins fire might provide better protection when non-core template overrides are used (if the developer doesn't do their job right), but never before, IMO.

Beat - you made the point in the Dev CMS thread that core should escape the output before the Plugins fire to prevent double-escaping. But, that's sort of impossible since we don't know what all the other Plugins might do. It's not a feasible solution, IMO.

My take is that core is doing it right. I might recommend core moving it to inside the view after the Plugins fire. Now, some of our practices as third party developers need to also find best practices. We shouldn't change an array element to include a link in a name field since core will escape that output prior to presentation. Instead, we should insert our modifications to the document by working with the article->text field to append in or replace what is needed.

Just my opinion - good questions.
Amy
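An added example of the approach Amy describes, not code from the thread, from Zak's plugin or from any other plugin named here: a hypothetical Joomla! 1.5 content plugin, plgContentAuthorbyline, that leaves created_by_alias alone (so the core layout's $this->escape() keeps working) and instead prepends a byline to $article->text whose name and URL the plugin escapes itself, reusing the Community Builder profile URL from Krycek's plugin. The plugin name, the CSS class and the byline placement are assumptions; as Beat points out further down, a byline built this way does not inherit the template's own author formatting, so the article's Author Name display parameter would need to be switched off to avoid a second, unlinked "Written by" line.

```php
<?php
// Added example for this thread; not code from Zak's plugin or any other
// plugin named here. Hypothetical Joomla! 1.5 content plugin "authorbyline"
// (plugin name, CSS class and byline placement are assumptions).
defined('_JEXEC') or die();

jimport('joomla.plugin.plugin');

class plgContentAuthorbyline extends JPlugin
{
	function plgContentAuthorbyline(&$subject, $config)
	{
		parent::__construct($subject, $config);
	}

	function onPrepareContent(&$article, &$params, $limitstart)
	{
		// Nothing to link without an author id (e.g. module content).
		if (empty($article->created_by)) {
			return true;
		}

		// Cast before the id reaches SQL or a URL. It comes from the database,
		// but the cast costs nothing and removes any doubt.
		$userId = (int) $article->created_by;

		// Display name: the alias if the editor set one, otherwise the user's
		// real name. created_by_alias is only read here, never overwritten
		// with markup, so the layout's $this->escape() keeps printing it as text.
		$name = isset($article->created_by_alias) ? trim($article->created_by_alias) : '';
		if ($name == '') {
			$db =& JFactory::getDBO();
			$db->setQuery('SELECT name FROM #__users WHERE id = ' . $userId);
			$name = $db->loadResult();
		}
		if ($name == '') {
			return true;
		}

		// Same Community Builder profile URL as Krycek's plugin, passed through the router.
		$href = JRoute::_('index.php?option=com_comprofiler&task=userProfile&user=' . $userId);

		// The plugin owns this markup, so the plugin escapes every value it puts
		// into it. The core cannot do that for us later without also turning the
		// <a> into literal text, which is exactly the symptom reported above.
		$link = '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
		      . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</a>';

		// 'Written by' is the same language key the core layout uses ("Written by %s").
		$byline = '<p class="author-byline">' . JText::sprintf('Written by', $link) . '</p>';

		// Prepend to the article body instead of overwriting created_by_alias.
		$article->text = $byline . $article->text;

		return true;
	}
}
```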

geminorum
Joomla! Apprentice
Posts: 16
Joined: Mon Oct 16, 2006 6:21 pm
Contact:

Re: Link authors to CB Profile - Not working since upgrade

Post by geminorum » Thu Aug 13, 2009 10:19 pm

AmyStephen wrote: In Joomla!, the core escapes output when that output is presented in the layouts. There's no place safer to do so. One might argue that doing so within the View *after* the Plugins fire might provide better protection when non-core template overrides are used (if the developer doesn't do their job right), but never before, IMO.

Beat - you made the point in the Dev CMS thread that core should escape the output before the Plugins fire to prevent double-escaping. But, that's sort of impossible since we don't know what all the other Plugins might do. It's not a feasible solution, IMO.

My take is that core is doing it right. I might recommend core moving it to inside the view after the Plugins fire. Now, some of our practices as third party developers need to also find best practices. We shouldn't change an array element to include a link in a name field since core will escape that output prior to presentation. Instead, we should insert our modifications to the document by working with the article->text field to append in or replace what is needed.
The question is, why doesn't core treat $article->created_by_alias like $article->text? This feature adds flexibility to Joomla! articles, and usually it is not just a field for a name. I suggest core use some less harsh mechanism for escaping this kind of data.
Nobody has any problem with security and stuff, but escaping everything sometimes causes a loss of abilities, and there is no way around it for third parties to practice this kind of ability!

Beat
Joomla! Guru
Posts: 840
Joined: Thu Aug 18, 2005 8:53 am
Location: Switzerland
Contact:

Re: Link authors to CB Profile - Not working since upgrade

Post by Beat » Thu Aug 13, 2009 10:38 pm

AmyStephen wrote: Author Link for Joomla! is changing the array element created_by_alias to contain both the Name and a link. Nothing is escaping the text values in the Plugin.

Here's one example from that plugin:

Code:

$link = JRoute::_('index.php?option=com_contact&view=contact&id='. $result->slug .'&catid='.$result->catslug );
$link = '<a href="'.$link.'"><span class="small">'.$created_by.'</span></a>, ';
$row->created_by_alias .= $img_out.$link;

I assume when the core escapes the created by or created by alias field prior to presentation (as should be done), the link is corrupted by the escaping? Is that the issue?

To me, this is a good example of why the core must be the one to escape the output. Shiflett says if PHP devs focus on 2 things: filter input and escape output, the top 5 PHP security problems are gone.

In Joomla!, the core escapes output when that output is presented in the layouts. There's no place safer to do so. One might argue that doing so within the View *after* the Plugins fire might provide better protection when non-core template overrides are used (if the developer doesn't do their job right), but never before, IMO.

Beat - you made the point in the Dev CMS thread that core should escape the output before the Plugins fire to prevent double-escaping. But, that's sort of impossible since we don't know what all the other Plugins might do. It's not a feasible solution, IMO.

My take is that core is doing it right. I might recommend core moving it to inside the view after the Plugins fire. Now, some of our practices as third party developers need to also find best practices. We shouldn't change an array element to include a link in a name field since core will escape that output prior to presentation. Instead, we should insert our modifications to the document by working with the article->text field to append in or replace what is needed.

Just my opinion - good questions.
Amy
Hi Amy,

Thank you for dropping in with a proposed solution and interesting arguments.

Just to clarify, I don't wish to reinvent the wheel or start any great debate about security in web-applications (and how to avoid all these emergency security-releases), if that would be the case, I would be starting a new topic, and my post would be loooong.

Please accept my comments to yours:

- it's not because a single third-party plugin doesn't do its own security job (escaping) that it's joomla's task (additionally, previously names were already escaped in the database, therefore, the database content was already trusted, so it's even not an error of that plugin !). Following that route, joomla could escape the whole component output to do the job of poor 3p devs ? :eek:

- altering content isn't an option for adding properly a link to the author's name, or to add some fancy markup to allow cool effects. Why ? because you will miss the automatic and very varied format that templates do apply to that output, and not follow the templates best joomla practices.

- you wrote: "you made the point in the Dev CMS thread that core should escape the output before the Plugins fire to prevent double-escaping" : please read my post again, I didn't make that point. Nor did I want to make any "point". I just did a heads-up about a regression in the Joomla API affecting most author information enhancing content plugins.

I agree with you that the best place to properly html-sanitize output is ... at output, but taking into account the nature of the information to display:
1) You're assuming unclean text, and all previous joomla 1.0.x and 1.5.x releases assumed clean html. Thus it broke backwards-compatibility. It's as simple as that. Ian's suggestion on the dev list to assume (instead of the 2 previous, unclean text or clean html) unclean html is fine for me too.

2) Plus that joomla-internal "fix" for the poor input escaping of previous releases on name won't fix any 3pd templates that override that output based on joomla's previous example, creating a false feeling of safety. The correct and only safe security fix would be to sanitize the database during the joomla upgrade (I also proposed that).

That's my only message, together with a simple proposal for a solution to fix that. Not a "point", just facts.

I am happy with other solutions allowing as previously to:

a) add a link to author name, and maybe a photo, buttons or any cool enhancements
b) add nice markup, e.g. title information, or photo on hover

exactly there where the name is displayed by standard joomla templates, according to standard parameters of joomla content.

But apart from database sanitization at upgrade, or exceptionally moving a little up the chain the "late" *database input* escaping done at *output* as a bug-fix, I don't see another backwards compatible solution to this. But I'm open to a better solution, and will stand corrected if I missed one allowing a) and b) above :)

Ian's proposal on the dev list could work too (without params, just default white/black list).

Just looking for a practical solution to this regression here. Nothing more.
geminorum wrote: The question is, why doesn't core treat $article->created_by_alias like $article->text? This feature adds flexibility to Joomla! articles, and usually it is not just a field for a name. I suggest core use some less harsh mechanism for escaping this kind of data.
Nobody has any problem with security and stuff, but escaping everything sometimes causes a loss of abilities, and there is no way around it for third parties to practice this kind of ability!
Indeed, good point. It's really "unclean text" vs "clean or unclean html". Ian's proposal on the devs list (link in my post above) to treat it as "unclean html" goes in that direction too.

Respectfully, Best regards,
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team

AmyStephen
Joomla! Champion
Posts: 7056
Joined: Wed Nov 22, 2006 3:35 pm
Location: Nebraska
Contact:

Re: Link authors to CB Profile - Not working since upgrade

Post by AmyStephen » Thu Aug 13, 2009 11:04 pm

geminorum wrote: The question is, why doesn't core treat $article->created_by_alias like $article->text? This feature adds flexibility to Joomla! articles, and usually it is not just a field for a name. I suggest core use some less harsh mechanism for escaping this kind of data.
Nobody has any problem with security and stuff, but escaping everything sometimes causes a loss of abilities, and there is no way around it for third parties to practice this kind of ability!
Title and Name fields are not expected to contain HTML. By adding HTML to the Name field, you are wanting Joomla! to now treat it like the article text. Inside of com_content, there is different input filtering based on the data type and configuration option. There needs to be a consistent treatment of these data elements from input to output.

It's not an air tight security measure. You could create a Module to replace the Article Title area and not escape the output. You could create a Template Override for this purpose. (That's probably the better location but I understand it's not a good way to share code with others to use.) You could do a text search on the Article and replace it there. That's probably the best option, right?

But, I have a hard time joining in and saying the core shouldn't escape the output. I think we should follow those industry security practices and figure out how to provide flexibility to developers.

I hear you and I see your point. I just have to think that following Shiflett's advice is important.

I'll think on this a bit, too, and I don't mean to discourage you.

Thanks.
Amy

AmyStephen
Joomla! Champion
Posts: 7056
Joined: Wed Nov 22, 2006 3:35 pm
Location: Nebraska
Contact:

Re: Link authors to CB Profile - Not working since upgrade

Post by AmyStephen » Thu Aug 13, 2009 11:26 pm

Beat wrote: Just to clarify, I don't wish to reinvent the wheel or start any great debate about security in web-applications (and how to avoid all these emergency security-releases), if that would be the case, I would be starting a new topic, and my post would be loooong.
lol! We'd need a beer for that. It's gotten much better, though, since the security burn from a few years ago, hasn't it?
Beat wrote: it's not because a single third-party plugin doesn't do its own security job (escaping) that it's joomla's task (additionally, previously names were already escaped in the database, therefore, the database content was already trusted, so it's even not an error of that plugin !). Following that route, joomla could escape the whole component output to do the job of poor 3p devs ? :eek:
I think a goal might be that Joomla! core continues to improve its ability to ensure a secure deployment, even in regard to third party extensions as much as possible, without (and this is what I understand your point to be) diminishing what we can do as third party extension developers.
Beat wrote: - altering content isn't an option for adding properly a link to the author's name, or to add some fancy markup to allow cool effects. Why ? because you will miss the automatic and very varied format that templates do apply to that output, and not follow the templates best joomla practices.
I do a lot of this type of work in Template Overrides - or right inside of the Component output now. Things like Gravatars or Post Date Icons. I realize that is difficult though to share as an installable extension. And, I realize right now, since the escaping is done in the layout, it merely works around core security. I agree with your point about layout overrides and think there is good reason to consider moving the escaping into the View, after the Plugins run.

Why after the plugins and not before? Because that gives the core the best chance to ensure a safe environment. I do not accept that we can't figure out clever ways to get things done, but, yes, we have to be more clever. A cost worthwhile to avoid a security burn like we saw a few years back in my opinion. (Maybe overprotective, yes.)
Beat wrote:- you wrote: "you made the point in the Dev CMS thread that core should escape the output before the Plugins fire to prevent double-escaping" : please read my post again, I didn't make that point. Nor did I want to make any "point". I just did a heads-up about a regression in the Joomla API affecting most author information enhancing content plugins.
I did not mean "point" in a negative way, but rather something worth considering. I apologize if I misunderstood you, though.
Beat wrote: I agree with you that the best place to properly html-sanitize output is ... at output, but taking into account the nature of the information to display:
1) You're assuming unclean text, and all previous joomla 1.0.x and 1.5.x releases assumed clean html. Thus it broke backwards-compatibility. It's as simple as that. Ian's suggestion on the dev list to assume (instead of the 2 previous, unclean text or clean html) unclean html is fine for me too.

That would be true *if* we forced people to always use the white list option, or required that they never allow any HTML in their text. The truth is many people do not want input sanitized to that point. So, it is very important to also escape the output. Maybe we should allow people to turn escaping off, just like we allow them to vary the input filtering. I'm in favor of offering people choice and am not a big believer in protecting people from themselves. But, if we don't offer a choice and only do it one way, then it should be the most secure way possible, in my thinking.
Beat wrote: 2) Plus that joomla-internal "fix" for the poor input escaping of previous releases on name won't fix any 3pd templates that override that output based on joomla's previous example, creating a false feeling of safety. The correct and only safe security fix would be to sanitize the database during the joomla upgrade (I also proposed that).
I agree with you on this which is why I think it could make sense in 1.6 to move this inside of the view, after the plugin events fire, and before the layout processes.

Regarding the Upgrade Process, since you've raised that point a few times. I suppose that's a good idea to run data through a filter on upgrade, much like the filtering now available on input. But, the same point holds true, unless we force everyone to use a specific white list or restrict any HTML on input, the possibility of "unclean data" exists in the database, always. That is the basis for Shiflett saying "Filter input. Escape Output." That's the four words he suggests are most important for PHP security. Not just "Filter input."
Beat wrote: That's my only message, together with a simple proposal for a solution to fix that. Not a "point", just facts.
I am happy to read your points and learn from you, always.

Unless there are questions, I've made my points, for what it's worth, I understand the frustration. I would be against restricting choice to only a specified white list, although I think that's the very best default to offer. I would also be against removing escaping of output. I am in favor of clever solutions for us to increase Joomla!'s security and continue to produce cool extensions. I think we always do that, even when it's challenging to figure out how, at first.

With respect.
Amy

Beat
Joomla! Guru
Posts: 840
Joined: Thu Aug 18, 2005 8:53 am
Location: Switzerland

Re: Link authors to CB Profile - Not working since upgrade

Post by Beat » Thu Aug 13, 2009 11:37 pm

AmyStephen wrote: Title and Name fields are not expected to contain HTML. By adding HTML to the Name field, you are wanting Joomla! to now treat it like the article text. Inside of com_content, there is different input filtering based on the data type and configuration option. There needs to be a consistent treatment of these data elements from input to output.
...
Amy,

While the database source of title and author isn't expected to be html, the output after events triggering was expected to be html.

That's how it worked in joomla 1.5.12 and all joomla and mambos before.

Changing that output assumption broke cool extensions (not speaking of ours here, others' are cooler than ours)

Fully agreeing to sanitize output, but as html not as text. That's what Ian proposed on the dev list. I'm fine with that.

You can also sanitize the output from database to be clean non-html text too, if you can't trust your database (seems to be the case here). That was one of my 2 proposals (apart from sanitizing the database at upgrade).

OR, alternatively, propose another method for content plugins to output html where they could in the earlier API. Fine with that too. But putting that structural information into the content isn't a good solution as it bypasses templates and standard joomla settings for authors display.

Respectfully,

EDIT: added relevant quote above to clarify context of my answer, as phpBB didn't catch us posting at the same time...
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team
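To make the ordering the two of you are arguing about concrete, here is an added example (not Joomla or Community Builder code, and not from anyone in this thread) that simulates a content plugin wrapping the author name and then renders it three ways: escaped after the plugins fire (the 1.5.14 behaviour this thread describes), escaped before they fire, and passed through an HTML tag allow-list as a crude stand-in for Ian's "unclean html" proposal. The article object, the user id 62, the author name and the `zak` CSS class are constructed for the demonstration.

```php
<?php
// Added example, not Joomla code: where the layout escapes the author name decides
// whether a content plugin's profile link survives as markup or shows up as text.

// Constructed sample article row, shaped like what a plugin sees in onPrepareContent.
function sampleArticle(): stdClass {
    $a = new stdClass();
    $a->created_by = 62;                       // constructed user id
    $a->created_by_alias = '';
    $a->author = 'Jane <rant>My rant</rant>';  // name carrying stray markup, as in the thread
    return $a;
}

// Rough stand-in for the Zak Author plugin: wraps the displayed name in a CB profile link.
function zakAuthorPlugin(stdClass $article): void {
    $name = $article->created_by_alias !== '' ? $article->created_by_alias : $article->author;
    $article->author = '<a href="index.php?option=com_comprofiler&amp;task=userProfile&amp;user='
        . (int) $article->created_by . '"><span class="zak">' . $name . '</span></a>';
}

// 1.5.14 behaviour described in the thread: plugins fire, then the layout escapes the
// whole string, so the plugin's <a> and <span> are printed as literal text.
function renderEscapeAfterPlugins(stdClass $article): string {
    zakAuthorPlugin($article);
    return htmlspecialchars($article->author, ENT_QUOTES, 'UTF-8');
}

// Escape the raw database fields first, then let plugins add their markup: the stray
// <rant> in the name is neutralised, the plugin's link is kept.
function renderEscapeBeforePlugins(stdClass $article): string {
    $article->author = htmlspecialchars($article->author, ENT_QUOTES, 'UTF-8');
    $article->created_by_alias = htmlspecialchars($article->created_by_alias, ENT_QUOTES, 'UTF-8');
    zakAuthorPlugin($article);
    return $article->author;
}

// Treat the post-plugin string as untrusted HTML and keep only an allow-list of tags.
// strip_tags is only a stand-in here: it keeps attributes, so a real filter
// (Joomla's JFilterInput, for instance) would also have to vet those.
function renderSanitizeAsHtml(stdClass $article): string {
    zakAuthorPlugin($article);
    return strip_tags($article->author, '<a><span>');
}

foreach (['renderEscapeAfterPlugins', 'renderEscapeBeforePlugins', 'renderSanitizeAsHtml'] as $fn) {
    echo $fn, ":\n  ", $fn(sampleArticle()), "\n";
}
```

Only the first rendering reproduces the symptom from the opening post; the other two keep the link while the `<rant>` markup in the name is either escaped or stripped.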

yvolk
Joomla! Guru
Posts: 979
Joined: Thu Jun 01, 2006 1:52 pm
Location: Moscow, Russia

Re: Link authors to CB Profile - Not working since upgrade

Post by yvolk » Fri Aug 14, 2009 3:34 am

Just a reminder: There IS a way to live in peace with Joomla! Core and have HTML markup in any place of the page, including parts, where Joomla! never allowed HTML.
The way is using BBCodes instead of HTML markup in the content ;)

Please see the topic about yvBBCode extension.
Text of all my messages is available under the terms of the GNU Free Documentation License: http://www.gnu.org/copyleft/fdl.html

geminorum
Joomla! Apprentice
Posts: 16
Joined: Mon Oct 16, 2006 6:21 pm

Re: Link authors to CB Profile - Not working since upgrade

Post by geminorum » Fri Aug 14, 2009 9:35 am

AmyStephen wrote:Title and Name fields are not expected to contain HTML. By adding HTML to the Name field, you are wanting Joomla! to now treat it like the article text. Inside of com_content, there is different input filtering based on the data type and configuration option. There needs to be a consistent treatment of these data elements from input to output.

It's not an airtight security measure. You could create a Module to replace the Article Title area and not escape the output. You could create a Template Override for this purpose. (That's probably the better location but I understand it's not a good way to share code with others to use.) You could do a text search on the Article and replace it there. That's probably the best option, right?

But, I have a hard time joining in and saying the core shouldn't escape the output. I think we should follow those industry security practices and figure out how to provide flexibility to developers.
By "like", I didn't mean "exact", and also there is a difference between input and output. I think the misunderstanding is about how these plugins work (well, worked!): the input and the processing of the output is the core's job and it has to be as clean as you want, but when the core is done with the data and wants to pour it into the template, the plugin simply converts the name admin into a clean html phrase <a href="link location">Administrator</a>, and it isn't supposed to be saved to the database or come back into the core cycle. Just like templates.

As I see it, there is no way to replace this trick. This is not within the content text, so you can't simply search and replace it, and template overriding does not have this kind of functionality. Also, creating modules doesn't solve the problem; it is just another trouble for template adjusting.

And nobody said anything about not escaping the output, but in a proper way to save data.
AmyStephen wrote:I do a lot of this type of work in Template Overrides - or right inside of the Component output now. Things like Gravatars or Post Date Icons. I realize that is difficult though to share as an installable extensions. And, I realize right now, since the escaping is done in the layout, it merely works around core security. I agree with your point about layout overrides and think there is good reason to consider moving the escaping into the View, after the Plugins run.

Why after the plugins and not before? Because that gives the core the best chance to ensure a safe environment. I do not accept that we can't figure out clever ways to get things done, but, yes, we have to be more clever. That is a cost worth paying to avoid a security burn like we saw a few years back, in my opinion. (Maybe overprotective, yes.)
By clever way you mean simply not trusting any plugin! So we just shut down and move to templates, because it's too close to core security.
It's not a matter of security to just check all data before and after processing in third-party code and undo the work; it's being, as you said, overprotective!
We are not talking about manipulating one copy of Joomla!; we are talking about supporting third parties to create a public solution for every copy!
yvolk wrote:Just a reminder: There IS a way to live in peace with Joomla! Core and have HTML markup in any place of the page, including parts, where Joomla! never allowed HTML.
The way is using BBCodes instead of HTML markup in the content ;)
It's not "in the content".

AmyStephen
Joomla! Champion
Posts: 7056
Joined: Wed Nov 22, 2006 3:35 pm
Location: Nebraska

Re: Link authors to CB Profile - Not working since upgrade

Post by AmyStephen » Fri Aug 14, 2009 12:46 pm

I did some more reading to try to understand why Shiflett says escaping output is a security issue. In his book, he talks about examining echo and print statements and using htmlentities on database output prior to display. On his Web site, he lists "Filter Input. Escape Output." as his top two security prevention measures.

When inputted data is used, again, in another query, then escaping that data is a good security precaution against possible SQL injection. This would have been a better link for me to have shared. http://shiflett.org/articles/sql-injection And, that is not the case here. We are not talking about using data for a query - just printing it on the page.

Shiflett also shared a resource from the NYPHP Group. The section that is specific to escaping output starts with the title "Retrieving Data For Display in a Browser." The reason data is escaped when displayed is to handle any special characters in the content that could break the output. For example, "<rant>My rant goes here.</rant>".

Nearly everything in the layouts has been escaped, including the class parameter entered into the Administrator. The author name really shouldn't have any of those characters in it because of the input filtering on title and name fields. But, it's escaped. However, there's no escaping of the text field in the layouts, which is most likely to have that type of content.

So, I'm going to recant my previous statements and say, I am confused and don't know. I don't think this is increasing security from what I can see, so, I was definitely wrong on that.

I'll try to play around with it a bit, too. Thanks.
Amy

AmyStephen
Joomla! Champion
Posts: 7056
Joined: Wed Nov 22, 2006 3:35 pm
Location: Nebraska

Re: Link authors to CB Profile - Not working since upgrade

Post by AmyStephen » Fri Aug 14, 2009 11:50 pm

OK - please see this PHP Security Briefing - in particular the section on Cross Site Scripting (39, 40, 41).

The way the output is escaped in the layouts right now is consistent with good security measures. It could be done in different ways. In order to make changes, though, someone should audit the individual data elements as those are captured on the frontend, filtered, used in queries, and output to the page, or another delivery method.

The datatype does matter in that one can increase security on those data elements not expected to have HTML. Such is the case with the Author Name or the Author Alias.

I see a good point raised here. Security could be handled in a different way so as to open up the application a bit more for Plugins to use those fields. Whether we like it or not, someone has to do that work and we are 100% volunteer based.

It appears to me that the Joomla! core provides a very secure (admittedly on the side of overly cautious) approach to managing the Author and Author Alias field. Those additional precautions were, indeed, added since 1.5 in an attempt to harden the application. That is good stuff - unless you happened to rely on the area that was hardened.

I'd suggest getting more involved. Either in helping to plan out 1.6's approach to input and output data handling, or in inventorying how it happens now (front to back) and proposing a patch, or getting involved with the Bug Squad - the group who volunteers lots of time to helping improve Joomla! in many ways.

Good points raised here. Thanks - it was educational.
Amy

Hazzaa
Joomla! Explorer
Posts: 342
Joined: Fri Nov 24, 2006 6:13 pm

Re: Link authors to CB Profile - Not working since upgrade

Post by Hazzaa » Tue Aug 18, 2009 1:00 am

yvolk wrote:Just a reminder: There IS a way to live in peace with Joomla! Core and have HTML markup in any place of the page, including parts, where Joomla! never allowed HTML.
The way is using BBCodes instead of HTML markup in the content ;)

Please see the topic about yvBBCode extension.
The BBCode scripts are actually causing issues with Forum parser BBCode scripts. Both yvBBCode and RokCandy totally destroy our component as it forces the BBCode elements to html. Putting HTML editors into forums is opening a security hole in itself.
These two plugins break Agora, Kunena, ccBoard. I am not sure about the others but I think these should be avoided for the time being if at all possible.

yvolk
Joomla! Guru
Posts: 979
Joined: Thu Jun 01, 2006 1:52 pm
Location: Moscow, Russia

Re: Link authors to CB Profile - Not working since upgrade

Post by yvolk » Tue Aug 18, 2009 3:19 am

Hazzaa wrote:...The BBCode scripts are actually causing issues with Forum parser BBCode scripts. ...I am not sure about the others but I think these should be avoided for the time being if at all possible.
This statement should be more general:
----
Any new extension that you install in Joomla! may cause compatibility issues with extensions that were installed earlier. It is quite a challenge to figure out what is the real cause of the problem: the "new" extension or some "old" ;) .
So stay with what you already have as long as possible. :)

Beat
Joomla! Guru
Posts: 840
Joined: Thu Aug 18, 2005 8:53 am
Location: Switzerland

Re: Link authors to CB Profile - Not working since upgrade

Post by Beat » Tue Aug 18, 2009 10:54 am

+ most bbcode parsers had or have vulnerabilities in converting maliciously crafted BBcode to HTML. See latest few security releases of Kunena.

Implementing a secure bbcode parser is very far from trivial.

Before applying general all-pages bbcode-to-html conversions, I would do a very serious review of their code.

Especially if those things break your page, there is a serious chance of them being vulnerable.

It is not a clean solution to this trivial Joomla 1.5.14 API bug with a trivial and secure fix as suggested by Ian on the dev list, with which I'm fine.
Beat 8)

yvolk
Joomla! Guru
Posts: 979
Joined: Thu Jun 01, 2006 1:52 pm
Location: Moscow, Russia

Re: Link authors to CB Profile - Not working since upgrade

Post by yvolk » Tue Aug 18, 2009 11:49 am

Beat wrote:+ most bbcode parsers had or have vulnerabilities in converting maliciously crafted BBcode to HTML. See latest few security releases of Kunena.
Do you mean Kunena has a BBCode parser?
If yes, this is very good...
BTW, as I remember, information about Kunena (and the Kunena code...) is somewhat closed to the public.
Beat wrote: Implementing a secure bbcode parser is very far from trivial.

Before applying general all-pages bbcode-to-html conversions, I would do a very serious review of their code.
Agree, thanks for the tip. I will check for the security holes found by community in HTML_BBCodeParser and for their fixes...
Beat wrote: It is not a clean solution to this trivial Joomla 1.5.14 API bug with a trivial and secure fix as suggested by Ian on the dev list, with which I'm fine.
Of course, BBCodes won't replace "normal" HTML formatting.

BTW, if Joomla! implements that: "Fully agreeing to sanitize output, but as html not as text"
it may sanitize BBCode output also...

Wow, this is an idea how to "sanitize" BBCode extension in general:
Just "sanitize" its output with built-in Joomla! filter, but as html not as text. 8)

geminorum
Joomla! Apprentice
Posts: 16
Joined: Mon Oct 16, 2006 6:21 pm

Re: Link authors to CB Profile - Not working since upgrade

Post by geminorum » Tue Aug 18, 2009 9:37 pm

I don't understand why we talk about BB code here! This has nothing to do with user entry. It's just about allowing the plug-ins to convert a simple text to a clean html link and print it on the screen!

yvolk
Joomla! Guru
Posts: 979
Joined: Thu Jun 01, 2006 1:52 pm
Location: Moscow, Russia

Re: Link authors to CB Profile - Not working since upgrade

Post by yvolk » Wed Aug 19, 2009 5:52 am

geminorum wrote:I don't understand why we talk about BB code here! This have nothing to do with user entry. It's just about allowing the plug-ins to convert a simple text to a clean html link and print it on the screen!
Let me explain to you:
The author of the first message has a problem: "Upper mentionned plugins do not work anymore since I upgraded J! from 1.5.9 to 1.5.14"

As always, there are several solutions to the problem, and I proposed two of them:
1. The fix in the template file (and there is a source code above in the topic for the fix)
2. Using BBCodes (without the example code).
To make it clear how the second proposal may be implemented in THIS case, let me show you the source code for it here, using the 'zakauthor.php' plugin, mentioned above, as an example.

The solution to the problem is this:
2.1. Change the code of the 'zakauthor.php' file,
Change this line:

Code:

$zak_link_txt ='<a href="index.php?option=com_comprofiler&task=userProfile&user='.$article->created_by.'"><span class="'.$this->_cssclass.'">'.$zak_created_by.'</span></a>';
to look something like this:

Code:

$zak_link_txt ='[a url=' .
  '"index.php?option=com_comprofiler&task=userProfile&user='
  . $article->created_by . '"]'
  . $zak_created_by . '[/a]';
2.2. Install yvBBCode plugin and enable BBCodes replacement for the whole page. You _will_ have "clean html link" :)
- This is not 100% replacement (no CSS for the <a>, target="_blank"), but it creates a link.

Note: I agree with other folks here that changing the template (in Joomla! core, escaping not to text, but to HTML only...) is a better solution.
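As an added example (not yvBBCode's parser and not code from anyone in this thread), here is a minimal converter for the [a url="..."]...[/a] tag that the modified zakauthor.php line above emits, written to run only after the core layout has already HTML-escaped the string, so the link text stays escaped and only an allow-listed URL ever becomes an href. That ordering is the "sanitize its output with the built-in filter" idea from the post before, and the URL check is the kind of review Beat asks for; the sample input is constructed.

```php
<?php
// Added example, not yvBBCode or Joomla code: turn [a url="..."]text[/a] into a link
// after htmlspecialchars() has already run over the whole author string.

// Only site-internal index.php links and plain http(s) URLs may become an href.
// Anything else (a javascript: or data: scheme, for instance) stays inert text.
function isAllowedUrl(string $url): bool {
    return (bool) preg_match(
        '~^(index\.php\?[A-Za-z0-9_=&./%-]*|https?://[^\s"<>]+)$~',
        $url
    );
}

// $escapedHtml is the escaped string, so the tag's quotes arrive as &quot; and the
// query-string ampersands as &amp;.
function bbcodeLinksToHtml(string $escapedHtml): string {
    $pattern = '~\[a url=&quot;((?:[^&\]]|&amp;)*)&quot;\](.*?)\[/a\]~s';
    return preg_replace_callback($pattern, function (array $m): string {
        $url = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
        if (!isAllowedUrl($url)) {
            return $m[0];   // unknown target: leave the escaped BBCode visible, not clickable
        }
        $href = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
        return '<a href="' . $href . '">' . $m[2] . '</a>';   // $m[2] is still escaped text
    }, $escapedHtml);
}

// Constructed sample: what the modified plugin line produces for user id 62, including
// stray markup in the display name, then escaped the way the 1.5.14 layout does it.
$raw = '[a url="index.php?option=com_comprofiler&task=userProfile&user=62"]Jane <rant>[/a]';
$escaped = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
echo bbcodeLinksToHtml($escaped), "\n";
// <a href="index.php?option=com_comprofiler&amp;task=userProfile&amp;user=62">Jane &lt;rant&gt;</a>
```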

