vb.org Archive

Thread: Custom User Pages - Users make pages using html/bbcode on any template safely (https://vborg.vbsupport.ru/showthread.php?t=210482)

carcomp 04-05-2009 10:00 PM

Custom User Pages - Users make pages using html/bbcode on any template safely
 
1 Attachment(s)
Ok, this is just something I've been slapping together the past few days, using code from here, Google, and whatnot. I didn't write 99% of it, but I thought up the idea!

Ok, here's the deal. You want your users to be able to customize a page such as MEMBERINFO. Problem is, really, customizations all look EXACTLY the same. So I thought, why not let the users just program their own html/css stuff like on MySpace, as well as allow bbcode. If it messes up their memberinfo page, so what. It's their own fault and they should fix it. (My members are really a close-knit family of computer / car people, so I think they can handle this.) I trust most of them, but since this mod only allows what you specify, you can't add things like <SCRIPT> tags or php code etc.

The following code works in conjunction with a custom template and an eval'd variable.

To get this to work, you first have to create a new custom profile field. I don't know what the number of this field will be, so you'll have to figure that one out yourself. You should probably specify a multi-line field with a lot of space. Once you create the profile field, enter the number in the code below.

Next, you need to create a new template. Call it user_custompage. In this template, put one line...

$mypage


Then, create a plugin and link it to global_start

in the plugin, put the following code...

Code:

function SafeHTML($str, $allow_font = true, $allow_img = true, $allow_lists = true)
{
    // Whitelist of tags. Any tag not listed here is removed from the string.
    $approvedtags = array(
        'p' => 2,                  // 2 means accept all qualifiers: <foo bar>
        'b' => 1,                  // 1 means accept the tag only: <foo>
        'i' => 1,
        'u' => 1,
        's' => 1,
        'a' => 2,
        'em' => 1,
        'br' => 1,
        'strong' => 1,
        'strike' => 1,
        'blockquote' => 1,
        'tt' => 1,
        'hr' => 1,
        'table' => 2,
        'tr' => 2,
        'td' => 2,
        'div' => 2
    );

    if ($allow_font == true)
    {
        $approvedtags['font'] = 2;
        $approvedtags['big'] = 1;
        $approvedtags['sup'] = 1;
        $approvedtags['sub'] = 1;
    }

    if ($allow_img == true)
        $approvedtags['img'] = 2;

    if ($allow_lists == true)
    {
        $approvedtags['li'] = 1;
        $approvedtags['ol'] = 1;
        $approvedtags['ul'] = 1;
    }

    $keys = array_keys($approvedtags);

    // Note: the ereg* functions used below are PHP 4/5 era and were removed in PHP 7.
    $str = stripslashes($str);
    // Trim whitespace just inside the angle brackets: "< b >" becomes "<b>"
    $str = eregi_replace("<[[:space:]]*([^>]*)[[:space:]]*>","<\\1>",$str);
    // Reduce every <a ...> to just its href; all other anchor attributes are dropped
    $str = eregi_replace("<a([^>]*)href=\"?([^\"]*)\"?([^>]*)>","<a href=\"\\2\">", $str);

    // Walk the string tag by tag, keeping only approved tags. Level 1 keeps the
    // bare tag; level 2 keeps the tag's attributes exactly as the user wrote them.
    $tmp = '';
    while (eregi("<([^> ]*)([^>]*)>",$str,$reg))
    {
        $i = strpos($str,$reg[0]);
        $l = strlen($reg[0]);
        if ($reg[1][0] == "/")
            $tag = strtolower(substr($reg[1],1));
        else
            $tag = strtolower($reg[1]);

        if ((in_array($tag, $keys))&&($a = $approvedtags[$tag]))
        {
            if ($reg[1][0] == "/")
                $tag = "</$tag>";
            elseif ($a == 1)
                $tag = "<$tag>";
            else
                $tag = "<$tag " . $reg[2] . ">";
        }
        else
            $tag = '';

        $tmp .= substr($str,0,$i) . $tag;
        $str = substr($str,$i+$l);
    }

    $str = $tmp . $str;

    // Squash PHP tags unconditionally. The "?" has to be escaped: an unescaped
    // "<?php" is the regex "optional <, then php" and would hit the word php anywhere.
    $str = ereg_replace("<\\?","NO PHP ALLOWED",$str);
    $str = ereg_replace("<\\?php","NO PHP ALLOWED",$str);

    // Squash SCRIPT tags unconditionally
    $str = ereg_replace("<script","NO SCRIPT ALLOWED",$str);

    // Squash comment tags unconditionally
    $str = ereg_replace("<!--","NO COMMENT TAGS ALLOWED",$str);

    return $str;
}


function process_message_preview($message)
{
    global $vbulletin, $vbphrase, $stylevar, $show;

    // Run the field through vBulletin's own BB code parser with HTML enabled
    require_once(DIR . '/includes/class_bbcode.php');
    $bbcode_parser =& new vB_BbCodeParser($vbulletin, fetch_tag_list());

    $previewhtml = '';
    if ($previewmessage = $bbcode_parser->do_parse($message, $do_html = true, $do_smilies = true, $do_bbcode = true, $do_imgcode = true, $do_nl2br = true, $cachable = false))
    {
        $previewhtml = $previewmessage;
    }

    return $previewhtml;
}


// 'field65' is the number of the custom profile field; change it to match yours
$mypage = unhtmlspecialchars(process_message_preview($vbulletin->userinfo['field65']));

$mypage = SafeHTML($mypage);

eval('$mypage = "' . fetch_template('user_custompage') . '";');

See there where it says 'field65'? That's where you put your profile field number.

Now all that you have to do is put $mypage in whatever template you want your user's custom profile field html to show.

This is possibly the most unsafe hack ever for your website, but it demonstrates a really cool principle: by specifying which tags a user can use, they can make a website. And yes, if they mess up the code, everyone will see your website all broken. ;)

This is my first whack at posting something I've hacked together, so please bear with me ;)

Here is a link to see it in action. All the stuff you see between the "MOD STARTS HERE" and "MOD STOPS HERE" is a profile field.

http://www.quad4forums.com/test/member.php?u=3472

Here is the code I've entered in the profile field. I spent about 30 seconds on it, so it's not a definitive example of what's possible, but it gets the idea across. I've also added the script tag so you can view my page's source and notice it's not there.

(I have to use strikeout so vbulletin.org doesn't parse the bbcode)

MOD STARTS HERE
<B><TABLE style="width: 100%; padding: 0px; border: 1px; border: 1px solid #789DB3; background-image: url(http://www.travelblog.org/Wallpaper/pix/waterfall_desktop_background-1600x1200.jpg)"><TD>
<p align="center">
[B]Here is my test page[/B]
[img]http://mediaengine.org/mitcht/gallery/albums/misc/My_Car_010.sized.jpg[/img]
</p>
<TR></TR> </TD></B></table>
<DIV>
<SCRIPT>
<?

MOD ENDS HERE

BTW, this is my test forum, so it's not going to be doing much!
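An added example, not the mod's code, of the same whitelist idea taken one step further: level 2 in the mod keeps a tag's attributes verbatim, whereas this version keeps only a named set of attributes per tag, accepts href/src only as absolute http(s) URLs (relative URLs are dropped too), and escapes any "<" that does not start a recognised tag. It assumes PHP 7.2 or later; the tag and attribute lists are my assumption, chosen to fit the mod's use case.

```php
<?php
// Added example, not the mod's code: a stricter variant of SafeHTML above.
// Every tag has an explicit attribute allowlist, href/src must be http(s),
// and a '<' that does not begin a recognised tag is turned into '&lt;'.
// The tag and attribute lists are an assumption chosen for a profile page.

function safe_html_strict(string $html): string
{
    $allowed = [                            // tag => permitted attributes
        'p' => ['align'], 'div' => ['align'], 'b' => [], 'i' => [],
        'u' => [], 'em' => [], 'strong' => [], 'br' => [],
        'hr' => [], 'blockquote' => [], 'tr' => [],
        'table' => ['width', 'border'], 'td' => ['colspan', 'align'],
        'ul' => [], 'ol' => [], 'li' => [],
        'a' => ['href'], 'img' => ['src', 'alt', 'width', 'height'],
    ];

    // '<' not followed by '<tag ...>' or '</tag>' (e.g. '<?', '<!--' or an
    // unterminated '<script') becomes literal text before anything else runs.
    $html = preg_replace('#<(?!\s*/?\s*[a-zA-Z][^>]*>)#', '&lt;', $html);

    return preg_replace_callback(
        '#<\s*(/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*?)\s*/?>#',
        function (array $m) use ($allowed): string {
            $tag = strtolower($m[2]);
            if (!isset($allowed[$tag])) {
                return '';                  // tag not on the list: dropped whole
            }
            if ($m[1] === '/') {
                return "</$tag>";           // closing tags carry no attributes
            }
            $out = '';
            preg_match_all(
                '#([a-zA-Z][\w-]*)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'>]+))#',
                $m[3], $attrs, PREG_SET_ORDER | PREG_UNMATCHED_AS_NULL
            );
            foreach ($attrs as $a) {
                $name = strtolower($a[1]);
                if (!in_array($name, $allowed[$tag], true)) {
                    continue;               // style=, on*= and the rest are dropped
                }
                $value = $a[2] ?? $a[3] ?? $a[4] ?? '';   // whichever quoting matched
                if ($name === 'href' || $name === 'src') {
                    $scheme = strtolower((string) parse_url(trim($value), PHP_URL_SCHEME));
                    if ($scheme !== 'http' && $scheme !== 'https') {
                        continue;           // relative, javascript:, data: etc. removed
                    }
                }
                $out .= ' ' . $name . '="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8', false) . '"';
            }
            return "<$tag$out>";
        },
        $html
    );
}

// Constructed sample input (not from the post): a tag carrying an inline event
// handler and a link with a non-http scheme; both attributes come out stripped.
echo safe_html_strict('<div align="center" onmouseover="f()"><a href="javascript:void(0)">hi</a><?php x ?></div>');
```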

dxflw 04-06-2009 08:52 PM

hmm any screen shots?

carcomp 04-06-2009 08:58 PM

Go to that link I just linked you to. A screenshot would be kinda pointless because WHATEVER you write in html becomes the page. It's so customizable it's almost ridiculous. It pretty much exactly duplicated the MySpace css thing.

Jasem 04-07-2009 08:27 AM

thank you!

ahmed-samara 04-07-2009 10:27 AM

It's an open way to hack my website by bbcode $ Html; that is not secure.

gwerzal 04-07-2009 01:20 PM

Will take a look at this

Thanks

Sweeks 04-07-2009 01:25 PM

I would like to see this integrated with the current user customisation options. Allowing HTML and CSS within that would be awesome.

EagleNick 04-08-2009 12:24 AM

I don't understand why you struck out the text. Why don't you just use the [noparse] bbcode if you don't want certain code parsed?

carcomp 04-08-2009 02:49 PM

Ok, didn't even see that! Also, it *shouldn't* allow hacking because you specify the tags you want. So only allow the <B> tag and that's the ONLY html tag that works. Allow the <DIV> tag and that opens up "MySpace style" website design. I'm really surprised that hasn't been done before.


FACEPALM!
https://vborg.vbsupport.ru/external/2009/05/55.jpg

monkeyboy1916 05-22-2009 10:19 PM

I'm looking for something a bit similar.. but I can make this work for what I need, just having a slight problem..

When I view other profiles, it shows my info where theirs should be (from the newly created field), any idea on a fix?

TheLastSuperman 05-22-2009 11:11 PM

Quote:

Originally Posted by carcomp (Post 1786621)
Ok, didn't even see that! Also, it *shouldn't* allow hacking because you specify the tags you want. So only allow the <B> tag and that's the ONLY html tag that works. Allow the <DIV> tag and that opens up "MySpace style" website design. I'm really surprised that hasn't been done before.


FACEPALM!
http://www.facepalm.org/images/03.jpg

Aye! That's no face palm lol, that's when Data says something over the top OR Ryker just came back from Diana's office w/ a smile on his face :p

Can you clean up your mod post when you see this? It shows the incomplete code, and where the hello did that "<?" come from ;)

<b><table style="width: 100%; padding: 0px; border: 1px; border: 1px solid #789DB3; background-image: url(http://www.travelblog.org/Wallpaper/pix/waterfall_desktop_background-1600x1200.jpg)"><td ><p align="center"><b>Here is my test page</b><br>

Code:

<img  src = "http://mediaengine.org/mitcht/gallery/albums/misc/My_Car_010.sized.jpg" /><br>
<a  href="http://mediaengine.org/mitcht/gallery/albums/album02/New_Car_1_003.sized.jpg"><img  src="http://mediaengine.org/mitcht/gallery/albums/album02/New_Car_1_003.sized.jpg" border="0" alt="Click the image to open in full size." class="tcattdimgresizer"  /></a><a  href="http://mediaengine.org/mitcht/gallery/albums/album07/draven_bday_003.sized.jpg"><img  src="http://mediaengine.org/mitcht/gallery/albums/album07/draven_bday_003.sized.jpg" border="0" alt="Click the image to open in full size." class="tcattdimgresizer"  /></a></p><tr ></tr> </td></b></table>
<BR />

And more details for the "members" :D

Quote:

Originally Posted by monkeyboy1916 (Post 1815472)
I'm looking for something a bit similar.. but I can make this work for what I need, just having a slight problem..

When I view other profiles, it shows my info where theirs should be (from the newly created field), any idea on a fix?

The newly created field pulls the info from your profile when YOU view; you need to code this differently to show whose info it is in the page. This can be done via postbit templates.

kalisekj 06-27-2009 11:40 PM

This is just what I was looking for , allowing me to create custom user profile fields that allow the users to install widgets on their profiles.

"The newly created field pulls the info from your profile when YOU view; you need to code this differently to show whose info it is in the page. This can be done via postbit templates."

Please tell me exactly what needs to be done so when a person goes to another's profile they see that person's info/widget?

kalisekj 06-28-2009 03:00 PM

Please can someone elaborate how to make this show that specific user's custom field and not my custom field on their profile pages? This is a GREAT Hack! I will definitely nominate this for mod of the month if I can just have this small problem resolved. This allows me to let the users customize their Profile pages with their own widgets, just like all the major social sites out there like MySpace, Hi5, Tagged, Facebook and many others. Awesome Idea!

kalisekj 06-28-2009 03:23 PM

Quote:

Originally Posted by ahmed-samara (Post 1785656)
It's an open way to hack my website by bbcode $ Html; that is not secure.

HTML is already allowed in many areas of VB. If you back up your site nightly you should not worry as much.
Truly folks, people hacking your site via HTML or BB Code is very unlikely to happen; most of our sites are not worth their time and trouble. You can specify exactly which codes you will allow. I see most of the social sites out there enabling widgets and HTML on their servers and user pages, i.e. MySpace, Facebook, Hi5, Tagged just to name a few, and the funny thing is they are not going down because of some hacker. ;)

deadlySniper 06-28-2009 03:28 PM

Nice, thanks.

kalisekj 06-28-2009 06:34 PM

I sure wish I knew all this coding. Surely this should be easy for any VB coder to help us resolve?

kalisekj 06-28-2009 07:56 PM

This appears to be much more difficult than first thought. The coder here is using the code $mypage = unhtmlspecialchars(process_message_preview($vbulletin->userinfo['field9']));
which pulls the current user's custom field info. To pull the custom field info from the profile page owner you need to use $userinfo['field9'], which unfortunately stops making this mod work. I am stumped. I have spent over a day trying to resolve this issue all on my own; I have posted many PMs, threads and posts on multiple boards for help on this supposedly easy coding fix but no one has responded. :(

kalisekj 06-30-2009 12:03 AM

It appears that since the code is not running from the user profile page, it is unable to pull that user's custom field info. :( Truly sad that no other coders other than TheLastSuperman (many thanks for his time in trying to help on this matter) have even responded to my queries and hopes on this mod. This Mod has such great potential for truly changing and modifying user profiles. The ability to add in user widgets is a stupendous idea. More simply, there should be a way to run HTML code from custom user fields. There has to be a way to enable this in VB. I know the risks involved in allowing HTML, but I should have the option of what I allow and what I risk when it's my web site. Security risks are to be taken by the web site admins, not governed by the software developers.

kalisekj 07-01-2009 10:53 PM

Well, I guess I GIVE UP since no one else is interested in giving an answer or helping in any way. This could truly have been a great Mod. Even the coder is ignoring PMs as well as his Mod Thread here. :(

carcomp 07-03-2009 07:35 PM

I've been a long while away from the site. My family and I went to Florida for 3 weeks, and we've come back and been remodeling the house! I'm going to read through all of the things you've asked me and then post a response here.

carcomp 07-03-2009 07:38 PM

Quote:

Originally Posted by TheLastSuperman (Post 1815486)
Aye! That's no face palm lol, that's when Data says something over the top OR Ryker just came back from Diana's office w/ a smile on his face :p

Can you clean up your mod post when you see this? It shows the incomplete code, and where the hello did that "<?" come from ;)

<b><table style="width: 100%; padding: 0px; border: 1px; border: 1px solid #789DB3; background-image: url(http://www.travelblog.org/Wallpaper/pix/waterfall_desktop_background-1600x1200.jpg)"><td ><p align="center"><b>Here is my test page</b><br>

Code:

<img  src = "http://mediaengine.org/mitcht/gallery/albums/misc/My_Car_010.sized.jpg" /><br>
<a  href="http://mediaengine.org/mitcht/gallery/albums/album02/New_Car_1_003.sized.jpg"><img  src="http://mediaengine.org/mitcht/gallery/albums/album02/New_Car_1_003.sized.jpg" border="0" alt="Click the image to open in full size." class="tcattdimgresizer"  /></a><a  href="http://mediaengine.org/mitcht/gallery/albums/album07/draven_bday_003.sized.jpg"><img  src="http://mediaengine.org/mitcht/gallery/albums/album07/draven_bday_003.sized.jpg" border="0" alt="Click the image to open in full size." class="tcattdimgresizer"  /></a></p><tr ></tr> </td></b></table>
<BR />

And more details for the "members" :D



The newly created field pulls the info from your profile when YOU view; you need to code this differently to show whose info it is in the page. This can be done via postbit templates.


The incomplete code and the ?> are there just to demonstrate what it will strip out from a user's code if they try to write a script on your site with this mod installed. I guess I didn't explain it very well. I also just wanted to demonstrate that if a person were to type in some completely terrible code, it would still parse it and display something worth looking at. I know this isn't 'standard HTML' or whatever, but most people on a vbulletin site just want stuff to look good to themselves ;)

carcomp 07-03-2009 07:42 PM

Quote:

Originally Posted by kalisekj (Post 1838870)
Please can someone elaborate how to make this show that specific user's custom field and not my custom field on their profile pages? This is a GREAT Hack! I will definitely nominate this for mod of the month if I can just have this small problem resolved. This allows me to let the users customize their Profile pages with their own widgets, just like all the major social sites out there like MySpace, Hi5, Tagged, Facebook and many others. Awesome Idea!

If you create a custom field, you just specify which custom field number was created in this line of my code...

$mypage = unhtmlspecialchars(process_message_preview($vbulletin->userinfo['field65']));

vbulletin happened to make the custom field '65' when I created it, so I just put that number into the above line. It could be anything.

kalisekj 08-31-2009 01:04 PM

I have it working right, except when I go to someone's profile page it shows my custom field / HTML, not theirs. :( I want to go to people's profiles and see their custom field / HTML.

rickrichards82 09-04-2009 03:37 AM

great idea!

Can't get it to work though. It will only show MY info, not the info of the person I am looking at. Also, I can only add the info to the MEMBERINFO template. I would like to add it to the memberinfo_block_aboutme template.

CCV_Pinto 09-06-2009 04:36 AM

I think that to show the info of the person (not your own info), you have to change from:

$mypage = unhtmlspecialchars(process_message_preview($vbulletin->userinfo['field65']));

to

$mypage = unhtmlspecialchars(process_message_preview($userinfo['field65']));

because $vbulletin->userinfo refers to yourself, and $userinfo refers to the person whose profile you are visiting.

ps:
Pay attention that the variable $userinfo won't always be available.
I think this variable is defined only in profile pages, so you would have to add a verification like:

if ($userinfo)

nothing4me 09-06-2009 09:54 PM

Quote:

Originally Posted by kalisekj (Post 1877157)
I have it working right, except when I go to someone's profile page it shows my custom field / HTML, not theirs. :( I want to go to people's profiles and see their custom field / HTML.

Agreed! :(

