Yes, I don't think iframe is allowed in the HTML parsing of the text even though it is added as a tag. I will check with @valMETNG as I know he has looked at something like this on his site before.
No, the order hasn't changed. I just wanted to get the users plugin as high as possible when troubleshooting, since the 2 plugins in play here were users and messaging; I wanted to make sure messaging was below users.
Nothing in my build was quick or easy.

Actually, I use getRaw:

Code:
$content = sanitize($h->cage->post->getRaw('post_content'), 'tags', $allowable_tags);

And then run all editor content through a "cleaner" (which still might have some risks that I haven't solved yet):

Code:
// removes stuff that messes up ckeditor
function cleanEditorContent($content)
{
    if (!$content) {
        return '';
    }

    // Unsolved potential XSS risks:
    // <DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
    // <IMG SRC="  javascript:alert('XSS');">

    // decodes numeric HTML entities that can be used to do XSS (e.g., <IMG SRC=javascript:alert('XSS')>)
    // - from https://gist.github.com/mbijon/1098477
    $content = str_replace(array('&'), array('&amp;'), $content);
    $content = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $content);
    $content = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $content);

    // convert to proper character set (e.g., ? to é)
    // - from https://stackoverflow.com/questions/7663738/htmlentities-and-e-e-acute
    $in_iso8859encoded = iconv("UTF-8", "ISO-8859-1//TRANSLIT", $content);
    $out_iso8859 = htmlentities($in_iso8859encoded, ENT_COMPAT, "ISO-8859-1");
    $content = iconv("ISO-8859-1", "UTF-8", $out_iso8859);
    $content = html_entity_decode($content, ENT_COMPAT, 'UTF-8');

    // many from https://gist.github.com/mbijon/1098477
    // each pattern is applied through filter_autop() so that <pre> contents are left alone
    $remove_patterns = array(
        '/<img[^>]*src=[\'\"]?data:image\/[^>]*>/is', // remove base64 images
        '/<iframe[^>]*src=[\'\"]?mhtml/is', // remove mhtml
        // '#(?:on[a-z]+|xmlns|sandbox)\s*=\s*[\'"\x00-\x20]?[^\'>"]*[\'"\x00-\x20]?\s?#iu', // Remove any attribute starting with "on" or xmlns or sandbox (via http://dev.kohanaframework.org/issues/1787 and http://pkgs.fedoraproject.org/repo/pkgs/php-Kohana/kohana-2.4rc2.zip/32e4729c4f2fc12d206c8a8220f9e463/kohana-2.4rc2.zip)
        // '#(?:on[a-z]+|xmlns|sandbox)\s*=\s*[\'"\x00-\x20]?[^\'>"]*[\'"\x00-\x20]?\s?#iu'
        '#(<[^>]+?[\x00-\x20"\'])(?:onclick|ondblclick|onmousedown|onmousemove|onmouseover|onmouseout|onmouseup|onkeydown|onkeypress|onkeyup|onabort|onerror|onload|onresize|onscroll|onunload|onblur|onchange|onfocus|onreset|onselect|onsubmit|xmlns|sandbox)[^>]*+>#iu', // Remove any attribute starting with "on" or xmlns or sandbox
        '#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', // Remove javascript: and vbscript: protocols
        '#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu',
        '#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u',
        '#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', // Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
        '#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i',
        '#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu',
        '#</*\w+:\w[^>]*+>#i', // Remove namespaced elements (we do not need them)
        '#</*(?:applet|b(?:ase|gsound|link)(?:set)?|i(?:layer)|l(?:ayer|ink)|meta|s(?:cript)|title|xml)[^>]*+>#i', // Remove really unwanted tags
        // from: http://snipplr.com/view/45940/ to trim ending <p></p>
        // (the /e modifier of the original snippet is removed: it evals the replacement and is unsupported from PHP 7)
        '!(^(\s*<p>(\s| )*</p>\s*)*|(\s*<p>(\s| )*</p>)*\s*\Z)!m',
        '#<(\w+)\s[^>]*(class)\s*=\s*[\'"](' . 'loading-bar|activity_items|content' . ')[\'"][^>]*>.*</\\1>#isU', // if they paste the scrolling/load more content id list_content, we won't allow that
        '#<(\w+)\s[^>]*(id)\s*=\s*[\'"](' . 'list_content' . ')[\'"][^>]*>.*</\\1>#isU', // if they paste the scrolling/load more content id list_content, we won't allow that; from http://www.webdeveloper.com/forum/showthread.php?165278-RESOLVED-PHP-remove-Selected-tags-by-id-or-class
    );
    foreach ($remove_patterns as $pattern) {
        $content = $this->filter_autop($content, $pattern);
    }
    $content = trim($content);
    $content = str_replace($this->loadCommonVariables('bad_characters'), "", $content);

    // double-escape special characters
    $var = $this->loadCommonVariables('escapers');
    $content = str_replace($var['escapers'], $var['replacements'], $content);

    // something is really screwy with PHP as to why this is necessary, but it is
    // (see: http://us1.php.net/manual/en/function.addslashes.php#87577)
    // note: this acts on $this->content, not on the $content that is returned below
    $this->content = str_replace('\n', "\n", $this->content);

    return $content;
}

// after cleanEditorContent cleans everything up, when we present, we need to do a few things
function presentEditorContent($content = false)
{
    if (!$content) {
        return '';
    }
    $content = stripcslashes(urldecode($content));
    return $content;
}

// Loads common variables used in multiple plugins
function loadCommonVariables($var)
{
    $bad_characters = array(chr(13), "<br/>", "<br>", "<p> </p>", "<p><br /></p>", "<p>\t</p>", "<div></div>");
    // each entry of $escapers is replaced by the entry at the same index of $replacements
    // (\x08 is backspace -> \b, \x0c is form feed -> \f)
    $escapers     = array("\\",   "/",   "\"",   "\n",  "\r",  "\t",  "\x08", "\x0c", "&amp;");
    $replacements = array("\\\\", "\\/", "\\\"", "\\n", "\\r", "\\t", "\\b",  "\\f",  "&");

    switch ($var) {
        case 'bad_characters':
            // used for stripping out from ckeditor; may need to add back into bad_characters: chr(10)
            return $bad_characters;
        case 'escapers':
            // double-escape special characters
            // from: https://stackoverflow.com/questions/1048487/phps-json-encode-does-not-escape-all-json-control-characters
            return array('escapers' => $escapers, 'replacements' => $replacements);
        case 'strip_all':
            return array_merge($bad_characters, $replacements, $escapers);
        default:
            return false;
    }
}

Then, in function saveSubmitData:

Code:
if (isset($h->vars['submitted_data']['submit_content'])) {
    $h->vars['submitted_data']['submit_content'] = $h->cleanEditorContent($h->vars['submitted_data']['submit_content']);
}

I also json_encode the submitted data in saveSubmitData.
Oops. Sorry - you'll need this function too:

Code:
// ignore content between tag
// - from https://api.drupal.org/api/drupal/modules!filter!filter.module/function/_filter_autop/5
public function filter_autop($text, $pattern)
{
    // Split at <pre> and </pre> tags (Drupal's original also splits at <script> and <style>).
    // We don't apply any processing to the contents of these tags to avoid messing
    // up code. We look for matched pairs and allow basic nesting. For example:
    // "processed <pre> ignored <script> ignored </script> ignored </pre> processed"
    $chunks = preg_split('@(</?(?:pre)[^>]*>)@i', $text, -1, PREG_SPLIT_DELIM_CAPTURE);
    // Note: PHP ensures the array consists of alternating delimiters and literals
    // and begins and ends with a literal (inserting NULL as required).
    $ignore = FALSE;
    $ignoretag = '';
    $output = '';
    foreach ($chunks as $i => $chunk) {
        if ($i % 2) {
            // Opening or closing tag?
            $open = ($chunk[1] != '/');
            list($tag) = preg_split('/[ >]/', substr($chunk, 2 - $open), 2);
            if (!$ignore) {
                if ($open) {
                    $ignore = TRUE;
                    $ignoretag = $tag;
                }
            }
            // Only allow a matching tag to close it.
            else if (!$open && $ignoretag == $tag) {
                $ignore = FALSE;
                $ignoretag = '';
            }
        }
        else if (!$ignore) {
            // only literal chunks outside an ignored tag get the pattern applied
            $chunk = preg_replace($pattern, '', $chunk);
        }
        $output .= $chunk;
    }
    return $output;
}
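Added example, not Hotaru CMS code and not the code posted above: the cleaning goals of the two posts above (drop on*/xmlns/sandbox attributes, javascript:/vbscript:/data: URLs and script-style tags, and leave the text inside <pre> alone) implemented on DOMDocument instead of a regex list. Function and constant names (cleanEditorContentDom, cleanNode, cleanAttributes, isSafeUrl, ALLOWED_TAGS, URL_ATTRS, SAFE_SCHEMES) and the contents of the allow-lists are assumptions, and the sample input is constructed; it needs PHP 7 or later with the dom extension. It goes a little beyond the posted code: it allow-lists elements instead of black-listing them and drops every style attribute rather than only those containing expression(), behaviour or script.

```php
<?php
// Added example (hypothetical names), not Hotaru CMS code and not the poster's cleaner.
// Allow-list cleaner on DOMDocument: the parser decodes entities and normalises
// attribute values before any check runs, so the "j a v a s c r i p t :" spacing
// and NUL-byte tricks the regex list targets are all caught by one scheme check.

const ALLOWED_TAGS = ['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'a', 'img',
                      'ul', 'ol', 'li', 'pre', 'code', 'blockquote', 'span', 'div'];
const URL_ATTRS    = ['href', 'src'];
const SAFE_SCHEMES = ['http', 'https', 'mailto'];

function cleanEditorContentDom(string $html): string
{
    if (trim($html) === '') {
        return '';
    }
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);     // tolerate CKEditor's loose HTML
    // The leading PI tells libxml the input is UTF-8 (it assumes ISO-8859-1 otherwise)
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>');
    libxml_use_internal_errors($prev);

    $body = $doc->getElementsByTagName('body')->item(0);
    cleanNode($body);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function cleanNode(DOMNode $node): void
{
    // Work on a snapshot: removing children while walking a live NodeList skips nodes
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!in_array($tag, ALLOWED_TAGS, true)) {
                // script, style, iframe, object, namespaced x:y, ...: drop element and contents
                $node->removeChild($child);
                continue;
            }
            cleanAttributes($child);
            cleanNode($child);
        } elseif ($child instanceof DOMComment) {
            $node->removeChild($child);       // conditional comments are just noise here
        }
        // DOMText is left alone: entities are already decoded, so text inside <pre>
        // can never be taken for markup and no filter_autop-style skipping is needed
    }
}

function cleanAttributes(DOMElement $el): void
{
    foreach (iterator_to_array($el->attributes) as $attr) {
        $name = strtolower($attr->name);
        $drop = false;
        if (strpos($name, 'on') === 0 || $name === 'xmlns' || $name === 'sandbox' || $name === 'style') {
            // event handlers, namespaces, sandbox and CSS (expression(), -moz-binding, url(javascript:))
            $drop = true;
        } elseif (in_array($name, URL_ATTRS, true) && !isSafeUrl($attr->value)) {
            // javascript:, vbscript:, data: and any scheme not on the allow-list
            $drop = true;
        }
        if ($drop) {
            $el->removeAttribute($attr->name);
        }
    }
}

function isSafeUrl(string $url): bool
{
    // Remove the control characters and whitespace a browser ignores before the scheme
    $clean = preg_replace('/[\x00-\x20]+/', '', $url);
    if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $clean, $m)) {
        return true;                           // relative URL: no scheme to abuse
    }
    return in_array(strtolower($m[1]), SAFE_SCHEMES, true);
}

// Constructed sample input covering the cases the regex list above targets
$sample = '<p onclick="alert(1)">hi <a href=" javascript:alert(1)">x</a> '
        . '<img src="data:image/png;base64,AAAA"> <script>alert(2)</script></p>'
        . '<pre>&lt;b&gt;not bold&lt;/b&gt;</pre>';
echo cleanEditorContentDom($sample), PHP_EOL;
```

Used in place of the regex loop, this runs on the raw post content before the poster's trim and escaper steps, and ALLOWED_TAGS takes the role of the `$allowable_tags` list passed to sanitize(). The design choice is allow-listing: anything the list does not name is removed, so a new attribute or scheme does not need a new pattern.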
shibuya246 updated Hotaru CMS Core with a new update entry: v1.7.1
New install

http://localhost/install/index.php?step=1
The 'settings' file was created.
The database does not exist or the current connection settings are incorrect.
Please try this package. If this works, then the problem for your system is the mysqli vs. mysql driver for the MySQL DB: http://stackoverflow.com/questions/...-and-will-be-removed-in-the-future-use-mysqli

Also, please check the Help page on install and tell me if you have any red labels on the "Your System" part.
http://localhost/install/index.php?step=3

Notice: Use of undefined constant TABLE_USERS - assumed 'TABLE_USERS' in C:\Program Files\Ampps\www\install\index.php on line 444
Fatal error: Call to a member function get_var() on a non-object in C:\Program Files\Ampps\www\install\index.php on line 445
Can you reply in PM and give me more details of what you saw on the Help page? Since you could get to step 3, I guess it was a driver issue. PM me.
Hi! Well... what is the difference between Pligg and Hotaru? I doubt the install. I like the Hotaru support group and the free modules, themes... But posts from the sites don't get added to the site. I don't know why this is. Thx! PS: In Pligg CMS, adding posts to the site works, but I can't stop spam. I delete spam every day! In Hotaru CMS there is no spam; I like this.
shibuya246 updated Hotaru CMS Core with a new update entry: Version 1.7.2