How would i make it so that the settings in this code


$webpage['text'] = stripslashes($row['text']);

//Check text-formatting settings
$settingvbcode = iif($row['vbcodeorhtml'] == 'vbcode' AND $vboptions['webpageallowvbcode'] == '1', '1', '0');
$settinghtml = iif($row['vbcodeorhtml'] == 'html' AND $vboptions['webpageallowhtml'] == '1', '1', '0');
if($settinghtml == 0 AND $settingvbcode == 0) {
$settingvbcode = 1;
}

if($vboptions['webpagesmilies'] == 1 and $row['usesmilies'] == 1) {
$settingsmilies = 1; } else { $settingsmilies = 0; }

if($settingvbcode == 1) {
$webpage['text'] = parse_bbcode2($webpage['text'], $settinghtml, 1, $settingsmilies, $settingvbcode);
}
if($settinghtml == 1) {
//Remove scripts!!!
$webpage['text'] = preg_replace("/(\<script)(.*?)(script>)/si", "", $webpage['text']);
//Don't hide anything!
$webpage['text'] = str_replace("<!--", "&lt;!--", $webpage['text']);
//Allow specified tags (if empty in admin, ALL tags are allowed! SECURITY RISK!)
if($settinghtml == 1 && !empty($vboptions['allowedhtmltags'])) {
$webpage['text'] = strip_tags($webpage['text'], $vboptions['allowedhtmltags']);
}
}

//Javascript will not be allowed
$webpage['text'] = ereg_replace("~<script[^>]*>.+</script[^>]*>~isU", "", $webpage['text']);

$webpage['hits'] = $row['hits'];
$webpage['bgcolor'] = $row['bgcolor'];
$webpage['bordersize'] = $row['bordersize'];
$webpage['bordercolor'] = $row['bordercolor'];
$webpage['fontface'] = $row['fontface'];
$webpage['fontsize'] = $row['fontsize'];
$webpage['fontcolor'] = $row['fontcolor'];

}


work for the text in profile fields?

$webpage['text'] = preg_replace("/(\<script)(.*?)(script>)/si", "", $webpage['text']);
//Don't hide anything!
$webpage['text'] = str_replace("<!--", "&lt;!--", $webpage['text']); i believe that alone filters out malicious codes



this code is the one that does pretty much everythign


//Check text-formatting settings
$settingvbcode = iif($row['vbcodeorhtml'] == 'vbcode' AND $vboptions['webpageallowvbcode'] == '1', '1', '0');
$settinghtml = iif($row['vbcodeorhtml'] == 'html' AND $vboptions['webpageallowhtml'] == '1', '1', '0');
if($settinghtml == 0 AND $settingvbcode == 0) {
$settingvbcode = 1;
}

if($vboptions['webpagesmilies'] == 1 and $row['usesmilies'] == 1) {
$settingsmilies = 1; } else { $settingsmilies = 0; }

if($settingvbcode == 1) {
$webpage['text'] = parse_bbcode2($webpage['text'], $settinghtml, 1, $settingsmilies, $settingvbcode);
}
if($settinghtml == 1) {
//Remove scripts!!!
$webpage['text'] = preg_replace("/(\<script)(.*?)(script>)/si", "", $webpage['text']);
//Don't hide anything!
$webpage['text'] = str_replace("<!--", "&lt;!--", $webpage['text']);
//Allow specified tags (if empty in admin, ALL tags are allowed! SECURITY RISK!)
if($settinghtml == 1 && !empty($vboptions['allowedhtmltags'])) {
$webpage['text'] = strip_tags($webpage['text'], $vboptions['allowedhtmltags']);
}
}

Essentially, the following is what is the most secure:

if(!(empty($vboptions['allowedhtmltags']))) {
$webpage['text'] = strip_tags($webpage['text'], $vboptions['allowedhtmltags']);
}
But I do not recommend, under any circumstances, enabling HTML anywhere...

Satan

a code hellsatan has come up with


if(!(empty($vboptions['allowedhtmltags']))) {

$post['fieldx'] = strip_tags($post['fieldx'], $vboptions['allowedhtmltags']);

}


now if only we can find out where $post[fieldx] is parsed

here's some php i found in member.php


// *********************
// CUSTOM PROFILE FIELDS
$profilefields = $DB_site->query("
SELECT profilefieldid, required, title, type, data, def, height
FROM " . TABLE_PREFIX . "profilefield
WHERE form = 0 OR 6 OR 7 OR 8" . iif(!can_moderate(), "
AND hidden = 0") . "
ORDER BY displayorder
");


$search = array(
'#(\r\n|\n|\r)#',
'#(<br />){3,}#', // Replace 3 or more <br /> with two <br />
);
$replace = array(
'<br />',
'<br /><br />',
);

while ($profilefield = $DB_site->fetch_array($profilefields))
{
exec_switch_bg();
$profilefieldname = "field$profilefield[profilefieldid]";
if ($profilefield['type'] == 'checkbox' OR $profilefield['type'] == 'select_multiple')
{
$data = unserialize($profilefield['data']);
foreach ($data AS $key => $val)
{
if ($userinfo["$profilefieldname"] & pow(2, $key))
{
$profilefield['value'] .= iif($profilefield['value'], ', ') . $val;
}
}
}
else if ($profilefield['type'] == 'textarea')
{
$profilefield['value'] = preg_replace($search, $replace, trim($userinfo["$profilefieldname"]));
}
else
{
$profilefield['value'] = $userinfo["$profilefieldname"];
}
if ($profilefield['value'] != '')
{
$show['extrainfo'] = true;
}
eval('$customfields .= "' . fetch_template('memberinfo_customfields') . '";');

}
// END CUSTOM PROFILE FIELDS
// *************************


is this where the $post[fieldx] isparsed?

this $profilefields = $DB_site->query("
SELECT profilefieldid, required, title, type, data, def, height
FROM " . TABLE_PREFIX . "profilefield
WHERE form = 0 OR 6 OR 7 OR 8" . iif(!can_moderate(), "
AND hidden = 0") . "
ORDER BY displayorder
");

should be
$profilefields = $DB_site->query("
SELECT *
FROM " . TABLE_PREFIX . "userfield
");

thank you for your input, however, read the thread.... wer'e trying to use the code we put together and/or limits for html in webpage, to work for $post[fieldx]

now if only we can find out where $post[fieldx] is parsed
what do you mean by 'parsed'? to my knowledge $post fieldx isn't anywhere within your script as you've described?

basically describe what you mean by parsed.

and having read the thread back, what i originally posted more than stands but alas that's just me.

you select the field then you echo it out, it's that simple.

hellsatan told me to put


if(!(empty($vboptions['allowedhtmltags']))) {

$post['fieldx'] = strip_tags($post['fieldx'], $vboptions['allowedhtmltags']);

}


wherever $post[fieldx] is parsed. he himielf said that he doesnt know where its parsed or even if it is.

however, if theres a way that you know of to allow htlm and/or limit html the same way the webpage does, itll be helpful

there are several codes that have been posted that can be used for this

what happened when you input html into the database via the usercp does it appear in the database as you submitted it via your usercp?

<b> will appear as <b> and every code will jsut appear as is but it wont work

<b> will appear as <b> and every code will jsut appear as is but it wont work

ok so that being the case, we're seeing that the problem is down to the method you're using to echo out the data, if <b> is still <b> in the database then when it gets to your script should you be selecting it yourself (as the query i swapped for you earlier provided) it will still be <b> at which point your duty is to echo it out via whatever method you feel fit should it be to eval(); it, print(); it or echo();

and where would i do this? what edit would i have to make?

without knowing how you plan to implement this i wouldn't be able to tell you?

i want it to be implemented the same way $webpage[text] is implemented on this post https://vborg.vbsupport.ru/showpost.php?p=741768&postcount=2 (the second code)

you're not getting me, i mean is this going on it's own page or member.php? why does it need to be with the additional fields on member.php if it's there etc.

i want it on member.php i want it to wor for the fields in member.php, for the $post[fieldx] 's that appear in member.php

i say add the extra query and go from there.

this is what i dont know how to do?

if you were to tell me what code to add or edit i would have no problems doin this... however, i myself cannot come up with a code...

insert the query i gave you as profilefields2 and your code above eval('$customfields .= "' . fetch_template('memberinfo_customfields') . '";'); and then call it in your template as $profilefields2[fieldx] in your template :)

i think i kind of get what your saying but all together... the code i should add above that would look like WHAT?

$webpage = $DB_site->query("
SELECT *
FROM " . TABLE_PREFIX . "userfield
");

$webpage['text'] = stripslashes($row['text']);

//Check text-formatting settings
$settingvbcode = iif($row['vbcodeorhtml'] == 'vbcode' AND $vboptions['webpageallowvbcode'] == '1', '1', '0');
$settinghtml = iif($row['vbcodeorhtml'] == 'html' AND $vboptions['webpageallowhtml'] == '1', '1', '0');
if($settinghtml == 0 AND $settingvbcode == 0) {
$settingvbcode = 1;
}

if($vboptions['webpagesmilies'] == 1 and $row['usesmilies'] == 1) {
$settingsmilies = 1; } else { $settingsmilies = 0; }

if($settingvbcode == 1) {
$webpage['text'] = parse_bbcode2($webpage['text'], $settinghtml, 1, $settingsmilies, $settingvbcode);
}
if($settinghtml == 1) {
//Remove scripts!!!
$webpage['text'] = preg_replace("/(\<script)(.*?)(script>)/si", "", $webpage['text']);
//Don't hide anything!
$webpage['text'] = str_replace("<!--", "&lt;!--", $webpage['text']);
//Allow specified tags (if empty in admin, ALL tags are allowed! SECURITY RISK!)
if($settinghtml == 1 && !empty($vboptions['allowedhtmltags'])) {
$webpage['text'] = strip_tags($webpage['text'], $vboptions['allowedhtmltags']);
}
}

//Javascript will not be allowed
$webpage['text'] = ereg_replace("~<script[^>]*>.+</script[^>]*>~isU", "", $webpage['text']);

$webpage['hits'] = $row['hits'];
$webpage['bgcolor'] = $row['bgcolor'];
$webpage['bordersize'] = $row['bordersize'];
$webpage['bordercolor'] = $row['bordercolor'];
$webpage['fontface'] = $row['fontface'];
$webpage['fontsize'] = $row['fontsize'];
$webpage['fontcolor'] = $row['fontcolor'];

i dont see $profilefields2[fieldx] in that code

I think the code would be something like this:


$profilefields2 = $DB_site->query("
SELECT profilefieldid, required, title, type, data, def, height
FROM " . TABLE_PREFIX . "profilefield
WHERE form = 0 OR 6 OR 7 OR 8" . iif(!can_moderate(), "
AND hidden = 0") . "
ORDER BY displayorder
");

$webpage['text'] = stripslashes($row['text']);

//Check text-formatting settings
$settingvbcode = iif($row['vbcodeorhtml'] == 'vbcode' AND $vboptions['webpageallowvbcode'] == '1', '1', '0');
$settinghtml = iif($row['vbcodeorhtml'] == 'html' AND $vboptions['webpageallowhtml'] == '1', '1', '0');
if($settinghtml == 0 AND $settingvbcode == 0) {
$settingvbcode = 1;
}

if($vboptions['webpagesmilies'] == 1 and $row['usesmilies'] == 1) {
$settingsmilies = 1; } else { $settingsmilies = 0; }

if($settingvbcode == 1) {
$webpage['text'] = parse_bbcode2($webpage['text'], $settinghtml, 1, $settingsmilies, $settingvbcode);
}
if($settinghtml == 1) {
//Remove scripts!!!
$webpage['text'] = preg_replace("/(\<script)(.*?)(script>)/si", "", $webpage['text']);
//Don't hide anything!
$webpage['text'] = str_replace("<!--", "&lt;!--", $webpage['text']);
//Allow specified tags (if empty in admin, ALL tags are allowed! SECURITY RISK!)
if($settinghtml == 1 && !empty($vboptions['allowedhtmltags'])) {
$webpage['text'] = strip_tags($webpage['text'], $vboptions['allowedhtmltags']);
}
}

//Javascript will not be allowed
$webpage['text'] = ereg_replace("~<script[^>]*>.+</script[^>]*>~isU", "", $webpage['text']);



However.... i know i have to edit alot where it sais $webpage['text'] but how would i edit it so that it works as $profilefields2['fieldx'] where x is the profilefieldid

i'm assuming webpage[text] is the field you're reffering to from the useroptions right?

then that being the case you could just select that field with a query assign it to webpage text and voila you have what you need.

but in these peoblems it's hard to help as it's less about pointing out the error in the code, it's more about building the code and with limted info that's very hard

ps replace you're iff's with trinary operators and also you'll find data from the DB selects alot faster when columns are specified as opposed to wild cards.

I'm sorry but i am not a php coder, i am still in the learning process when it comes to php. If i have not been sepcific as to what it is i want to do let me say it once more :):

The $webpage[text] has limits as to what html is allowed.... i would like the same for $post[fieldx] (where x is the ID of the profile field). I would just like for $post[fieldx] to follow the same html rules as $webpage[text]


Thanks once again,
Gio

what is the query $webpage?

*gio~logist takes a ballpark*


if($settingvbcode == 1) {
$webpage['text'] = parse_bbcode2($webpage['text'], $settinghtml, 1, $settingsmilies, $settingvbcode);
}
if($settinghtml == 1) {
//Remove scripts!!!
$webpage['text'] = preg_replace("/(\<script)(.*?)(script>)/si", "", $webpage['text']);
//Don't hide anything!
$webpage['text'] = str_replace("<!--", "&lt;!--", $webpage['text']);
//Allow specified tags (if empty in admin, ALL tags are allowed! SECURITY RISK!)
if($settinghtml == 1 && !empty($vboptions['allowedhtmltags'])) {
$webpage['text'] = strip_tags($webpage['text'], $vboptions['allowedhtmltags']);
}
}

//Javascript will not be allowed
$webpage['text'] = ereg_replace("~<script[^>]*>.+</script[^>]*>~isU", "", $webpage['text']);

$webpage['hits'] = $row['hits'];
$webpage['bgcolor'] = $row['bgcolor'];
$webpage['bordersize'] = $row['bordersize'];
$webpage['bordercolor'] = $row['bordercolor'];
$webpage['fontface'] = $row['fontface'];
$webpage['fontsize'] = $row['fontsize'];
$webpage['fontcolor'] = $row['fontcolor'];


This?

nope, it will be above that and it should say something like $webtext = $DB_site->query("

etc

this is what i've seen so far that looks anything like what you posted


$sql = mysql_query("SELECT * FROM user_webpage WHERE userid = ".GBUSERID."");

if(mysql_num_rows($sql) == 0) {

//Create ext. profile
$createsql = mysql_query("INSERT INTO user_webpage (userid,hits,vbcodeorhtml) VALUES (".GBUSERID.",'1','".$vboptions['webpagevbcodeorhtml']."')");
//ladda om $sql v?rde
$sql = mysql_query("SELECT * FROM user_webpage WHERE userid = ".GBUSERID."");

}

find the $row variable's creation.

THIS?


$webpage['text'] = stripslashes($row['text']);

nope

//Display edit
$sql = mysql_query("SELECT * FROM user_webpage WHERE userid = ".GBUSERID."");
while($row = mysql_fetch_assoc($sql)) {


or


//Continue displaying what was found
while($row = mysql_fetch_assoc($sql)) {


or


$webpage['name'] = stripslashes($row['name']);
if($row['lastupdate'] =="") {
$webpage['lastupdate'] = $vbphrase['wg_never'];
} else {
$webpage['lastupdate'] = date("".$vboptions['dateformat']." ".$vboptions['timeformat']."", $row['lastupdate']);
}
$webpage['description'] = stripslashes($row['description']);

$webpage['text'] = stripslashes($row['text']);


or



//Check text-formatting settings
$settingvbcode = iif($row['vbcodeorhtml'] == 'vbcode' AND $vboptions['webpageallowvbcode'] == '1', '1', '0');
$settinghtml = iif($row['vbcodeorhtml'] == 'html' AND $vboptions['webpageallowhtml'] == '1', '1', '0');
if($settinghtml == 0 AND $settingvbcode == 0) {
$settingvbcode = 1;
}

if($vboptions['webpagesmilies'] == 1 and $row['usesmilies'] == 1) {
$settingsmilies = 1; } else { $settingsmilies = 0; }

if($settingvbcode == 1) {
$webpage['text'] = parse_bbcode2($webpage['text'], $settinghtml, 1, $settingsmilies, $settingvbcode);
}
if($settinghtml == 1) {
//Remove scripts!!!
$webpage['text'] = preg_replace("/(\<script)(.*?)(script>)/si", "", $webpage['text']);
//Don't hide anything!
$webpage['text'] = str_replace("<!--", "&lt;!--", $webpage['text']);
//Allow specified tags (if empty in admin, ALL tags are allowed! SECURITY RISK!)
if($settinghtml == 1 && !empty($vboptions['allowedhtmltags'])) {
$webpage['text'] = strip_tags($webpage['text'], $vboptions['allowedhtmltags']);
}
}

//Javascript will not be allowed
$webpage['text'] = ereg_replace("~<script[^>]*>.+</script[^>]*>~isU", "", $webpage['text']);

$webpage['hits'] = $row['hits'];
$webpage['bgcolor'] = $row['bgcolor'];
$webpage['bordersize'] = $row['bordersize'];
$webpage['bordercolor'] = $row['bordercolor'];
$webpage['fontface'] = $row['fontface'];
$webpage['fontsize'] = $row['fontsize'];
$webpage['fontcolor'] = $row['fontcolor'];

it's the top one, am i to assume you're not using vB?

actually i am, that was in member.php...... im not sure if the code needs to be changed here or in profile.php (perhaps profile fields are filtered while they are submitted), but thats where u come in i guess...

i have no idea what a profile field has to do with any of the $webpage/$row query?

regarding that stuff, that's in no member.php i've ever seen i suggest you vBulletinize it.

regarding the profile fields if you add the query to the page then whatever sanitizing is happening is evaded.

$webpage/$row query has nothign to do with profile fields

$webpage/$row query = a hack that i have installed (webpage and guestbook)

the webpage and guestbook hack follows its own html rules in which you can edit via admincp

i am trying to make it so that THE PROFILE FIELDS FOLLOW THE SAME RULES

or so that PROFILE FIELDS ARE ALLOWED TO USE HTML ACCEPT FOR MALICIOUS CODES SUCH AS <SCRIPT>

then why not just due the $webpage[text] rows and replace $webpage[text] with $whatever[fieldx]?

$whatever[fieldx] that means id have to do this code in member.php for as many fields as i want to allow html for or will [fieldx] be abole to be used for any field?

AND HOW WOULD I DO THIS?


TRIED SOMETHING DIFF

Ok so far i have tried the following in order to allow and limit html

I have tried editing functions_user.php and doing the following edit


In ./functions_user.php

FIND

$userfields .= ", $varname = '" . addslashes(htmlspecialchars_uni($$varname)) . "'";

REPLACE WITH

// MOD :: ALLOW HTML IN PROFILEFIELDS
// OLD CODE
// $userfields .= ", $varname = '" . addslashes(htmlspecialchars_uni($$varname)) . "'";
// NEW CODE
$userfields .= ", $varname = '" . addslashes($$varname) . "'";
// END OF MOD

And then after that.... before this code in member.php

eval('$customfields .= "' . fetch_template('memberinfo_customfields') . '";');

I tried adding this:


$userinfo['$profilefieldname'] = strip_tags($userinfo['$profilefieldname'], "<b><i><u>");

$profilefieldname = strip_tags($profilefieldname, "<b><i><u>");

$userinfo['value'] = strip_tags($userinfo['value'], "<b><i><u>");

$post['$profilefieldname'] = strip_tags($post['$profilefieldname'], "<b><i><u>");

$profilefield['value'] = strip_tags($profilefield['value'], "<b><i><u>");