Miscellaneous Hacks - Digital Point Spy

About
This is a Digg-style spy for seeing what's going on in your forum in realtime.

This is something I originally made about 4 years ago. Now that I rewrote it for vBulletin 4 (it also now uses the bundled YUI for animation), I decided to also wrap it up as a product package and release it for the world to use.

Installation

• Put the spy.php file in your forum folder.
• Put the digitalpoint_spy.js file in your clientscript folder.
• Install the product-digitalpoint_spy.xml product under AdminCP -> Plugins & Products -> Manage Products -> Add/Import Product

You can see a live version in action here:
http://forums.digitalpoint.com/spy.php


1.1.0 Update

• Moved JavaScript to external file (works around template parsing bug with early versions of vBulletin 4.0.x).
• XML generation is done with vBulletin's XML Builder class (let it deal with weird characters).
• Switched JavaScript library to from YUI to jQuery (for an end user, it means better animations).
• Changed do=xml to do=feed (works around servers that are overly protective and think they are trying to be hacked and blocking the request).

[tsptom]

Would it be possible to ignore the Edit Post rows?

What would need changed? Both the xml and the php files, or would just commenting out this line in the php do it?

Code:

12 => $vbphrase['edit_post'],

Update: Nevermind. Changed the SELECT in spy.php adding:

Code:

"AND action <> 12"

... to the where clause.

[datoneer]

vb 4.2.0 spy gone from community tab

[digitalpoint]

Quote:

Originally Posted by datoneer

vb 4.2.0 spy gone from community tab

Yep, they changed how tabs work in vB 4.2.0. From what I hear, they have an interface to create your own tabs fairly simply, but I haven't looked at it myself since I don't have access to a 4.2.0 installation yet.

[datoneer]

Yes i found it much better and easier now

[xyd]

To be honest, I'm disappointed I have to post this here.

This mod is still vulnerable to allowing a user to pass non-sanitized HTML to the spy window.

I approached the author around 6-8 months ago and informed him of this, however it is clear that he did nothing about it - didn't fix it, didn't inform users that they were using vulnerable software. While I understand it is hard to admit that you made a mistake when coding, it is even more of a mistake to allow people to run software on their site which is vulnerable to XSS. Cross site scripting ruins companies and ruins lives.





For those of you who want to fix this yourselves, simply edit spy.php and find the following line:

$xml->add_tag('preview', $event['preview']);

...and change it to:

$xml->add_tag('preview', strip_tags($event['preview']));

Do the right thing and fix your software before someone gets hit.

[digitalpoint]

Oh yeah... forgot I fixed that on my site years ago and never got around to uploading the new version here. Should be uploaded now.

[xyd]

Good stuff, thank you.

[Wseries]

Is there a way to increase the preview displayed for posts when looking at the spy.php page?

[blackberry]

Quote:

Originally Posted by dutchbb

Ok I understand.

Edit: found old backup of it and attached it for anyone interested. If you don't want them uploaded please contact so I can remove them.

its not working

[DefiantComplex]

Great mod, in fact this is way better then the default activity manager in vb4.2 lol.

Thanks for the share