Go Back   vb.org Archive > vBulletin Modifications > vBulletin 3.8 Modifications > vBulletin 3.8 Add-ons
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools
Custom User Pages - Users make pages using html/bbcode on any template safely Details »»
Custom User Pages - Users make pages using html/bbcode on any template safely
Version: 1.00, by carcomp carcomp is offline
Developer Last Online: Jun 2012 Show Printable Version Email this Page

Category: BB Code Enhancements - Version: 3.8.2 Rating:
Released: 04-05-2009 Last Update: Never Installs: 10
Uses Plugins Template Edits
 
No support by the author.

Ok this is just something i've been slapping together the past few days, using code from here, google, and whatnot. I didn't write 99% of it, but I thought up the idea!

Ok heres the deal. You want your users to be able to customize a page such as MEMBERINFO. Problem is, really customizations all look EXACTLY the same. So I thought, why not let the users just program their own html css stuff like on myspace, as well as allow bbcode. If it messes up their memberinfo page, so what. Its their own fault and they should fix it. (My members are really a close knit family of computer / car people so I think they can handle this). I trust most of them, but since this mod only allows what you specify, you can't add things like <SCRIPT> tags or php code etc.

The following code works in conjunction with a custom template and an eval'd variable.

To get this to work, you first have to create a new custom profile field. I don't know what the number of this field will be, so you'll have to figure that one out yourself. You should probably specify a multi line field with a lot of space. Once you create the profile field, enter the number in the code below.

Next, you need to create a new template. Call it user_custompage. In this template, put one line...

$mypage


Then, create a plugin and link it to global_start

in the plugin, put the following code...

Code:
function SafeHTML($str, $allow_font = true, $allow_img = true, $allow_lists = true)
{
	$approvedtags = array(
		'p' => 2,   		// 2 means accept all qualifiers: <foo bar>
		'b' => 1,   		// 1 means accept the tag only: <foo>
		'i' => 1,
		'u' => 1,
		's' => 1,
		'a' => 2,
		'em' => 1,
		'br' => 1,
		'strong' => 1,
		'strike' => 1,
		'blockquote' => 1,
		'tt' => 1,
		'hr' => 1,
		'table' => 2,
		'tr' => 2,
		'td' => 2,
		'div' => 2
 
	);

	if ($allow_font == true)
	{
		$approvedtags['font'] = 2;
		$approvedtags['big'] = 1;
		$approvedtags['sup'] = 1;
		$approvedtags['sub'] = 1;
	}

	if ($allow_img == true)
		$approvedtags['img'] = 2;

	if ($allow_lists == true)
	{
		$approvedtags['li'] = 1;
		$approvedtags['ol'] = 1;
		$approvedtags['ul'] = 1;
	}

	$keys = array_keys($approvedtags);

	$str = stripslashes($str);
	$str = eregi_replace("<[[:space:]]*([^>]*)[[:space:]]*>","<\\1>",$str);
	$str = eregi_replace("<a([^>]*)href=\"?([^\"]*)\"?([^>]*)>","<a href=\"\\2\">", $str);

	$tmp = '';
	while (eregi("<([^> ]*)([^>]*)>",$str,$reg))
	{
		$i = strpos($str,$reg[0]);
		$l = strlen($reg[0]);
		if ($reg[1][0] == "/")
			$tag = strtolower(substr($reg[1],1));
		else
			$tag = strtolower($reg[1]);

		if ((in_array($tag, $keys))&&($a = $approvedtags[$tag]))
		{
			if ($reg[1][0] == "/")
				$tag = "</$tag>";
			elseif ($a == 1)
				$tag = "<$tag>";
			else
				$tag = "<$tag " . $reg[2] . ">";
		}
		else
			$tag = '';

		$tmp .= substr($str,0,$i) . $tag;
		$str = substr($str,$i+$l);
	}

	$str = $tmp . $str;

	// Squash PHP tags unconditionally
	$str = ereg_replace("<\?","NO PHP ALLOWED",$str);
        $str = ereg_replace("<?php","NO PHP ALLOWED",$str);

        // Squash SCRIPT Tags unconditionally
        $str = ereg_replace("<script","NO SCRIPT ALLOWED",$str);


	// Squash comment tags unconditionally
	$str = ereg_replace("<!--","NO COMMENT TAGS ALLOWED",$str);

	return $str;
}


function process_message_preview($message)
{
    global $vbulletin, $vbphrase, $stylevar, $show;

    require_once(DIR . '/includes/class_bbcode.php');
    $bbcode_parser =& new vB_BbCodeParser($vbulletin, fetch_tag_list());

    $previewhtml = '';
    if ($previewmessage = $bbcode_parser->do_parse($message, $do_html = true, $do_smilies = true, $do_bbcode = true, $do_imgcode = true, $do_nl2br = true, $cachable = false))
    {
        $previewhtml = $previewmessage;

    }
   
    return $previewhtml;
}  


$mypage = unhtmlspecialchars(process_message_preview($vbulletin->userinfo['field65']));

$mypage = Safehtml($mypage);

eval('$mypage = "' . fetch_template('user_custompage') . '";');
See there where it says 'field65'? Thats where you put your profile field number.

Now all that you have to do is put $mypage in whatever template you want your user's custom profile field html to show.

This is possibly the most unsafe hack ever for your website, but it demonstrates a really cool principal that by specifying which tags a user can use, they can make a website. And yes, if they mess up the code, everyone will see your website all broken.

This is my first whack at posting something i've hacked together, so please bear with me

Here is a link to see it in action. All the stuff you see between the "MOD STARTS HERE" and "MOD STOPS HERE" is a profile field.

http://www.quad4forums.com/test/member.php?u=3472

Here is the code i've entered in the profile field. I spent about 30 seconds on it, so its not a definitive example of whats possible, but it gets the idea across. I've also added the script tag so you can view my page's source and notice its not there.

(I have to use strikeout so vbulletin.org doesn't parse the bbcode)

MOD STARTS HERE
<B><TABLE style="width: 100%; padding: 0px; border: 1px; border: 1px solid #789DB3; background-image: url(http://www.travelblog.org/Wallpaper/pix/waterfall_desktop_background-1600x1200.jpg)"><TD>
<p align="center">
[B]Here is my test page[/B]
[img]http://mediaengine.org/mitcht/gallery/albums/misc/My_Car_010.sized.jpg[/img]
</p>
<TR></TR> </TD></B></table>
<DIV>
<SCRIPT>
<?

MOD ENDS HERE

BTW. This is my test forum, so its not going to be doing much!

Screenshots

File Type: jpg justademo.jpg (37.2 KB, 0 views)

Show Your Support

  • This modification may not be copied, reproduced or published elsewhere without author's permission.
Благодарность от:
TheLastBatman

Comments
  #12  
Old 05-22-2009, 11:11 PM
TheLastSuperman's Avatar
TheLastSuperman TheLastSuperman is offline
Senior Member
 
Join Date: Sep 2008
Location: North Carolina
Posts: 5,844
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by carcomp View Post
Ok didn't even see that! Also, it *shouldn't* allow hacking because you specify the tags you want. So only allow <B> tag and thats the ONLY html tag that works. Allow the <DIV> tag and that opens up "myspace style" website design. I'm really suprised that hasn't been done before.


FACEPALM!
Aye! That's no face palm lol, that's when Data says something over the top OR Ryker just came back from Diana's office w/ a smile on his face

Can you clean up your mod post when you see this, it shows the incomplete code and where the hello did that "<?" come from

<b><table style="width: 100%; padding: 0px; border: 1px; border: 1px solid #789DB3; background-image: url(http://www.travelblog.org/Wallpaper/pix/waterfall_desktop_background-1600x1200.jpg)"><td ><p align="center"><b>Here is my test page</b><br>

Code:
<img  src = "http://mediaengine.org/mitcht/gallery/albums/misc/My_Car_010.sized.jpg" /><br>
<a  href="http://mediaengine.org/mitcht/gallery/albums/album02/New_Car_1_003.sized.jpg"><img  src="http://mediaengine.org/mitcht/gallery/albums/album02/New_Car_1_003.sized.jpg" border="0" alt="Click the image to open in full size." class="tcattdimgresizer"  /></a><a  href="http://mediaengine.org/mitcht/gallery/albums/album07/draven_bday_003.sized.jpg"><img  src="http://mediaengine.org/mitcht/gallery/albums/album07/draven_bday_003.sized.jpg" border="0" alt="Click the image to open in full size." class="tcattdimgresizer"  /></a></p><tr ></tr> </td></b></table>
<BR />
And more details for the "members"

Quote:
Originally Posted by monkeyboy1916 View Post
I'm looking for something a bit similar.. but I can make this work for what I need, just having a slight problem..

When I view other profiles, it shows my info where theirs should be (from the newly created field), any idea on a fix?
Newly created field pulls the info from your profile when YOU view, you need to code this differently to show who's info it is in the page, this can be done via postbit templates.
Reply With Quote
  #13  
Old 06-27-2009, 11:40 PM
kalisekj kalisekj is offline
 
Join Date: Dec 2006
Posts: 250
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

This is just what I was looking for , allowing me to create custom user profile fields that allow the users to install widgets on their profiles.

"Newly created field pulls the info from your profile when YOU view, you need to code this differently to show who's info it is in the page, this can be done via postbit templates."

Please tell me exactly what needs to be done so when a person goes to anothers profile they see that persons info/widget?
Reply With Quote
  #14  
Old 06-28-2009, 03:00 PM
kalisekj kalisekj is offline
 
Join Date: Dec 2006
Posts: 250
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Please can someone elaborate how how to make this show that specific users custom field and not my custom field on their profile pages? This is a GREAT Hack! I will definitely nominate this for mod of the month if I can just have this small problem resolved. This allows me to let the users customize their Profile pages with their own widgets, just like all the major social sites out there like Myspace, Hi5, Tagged, Facebook and many others. Awesome Idea!
Reply With Quote
  #15  
Old 06-28-2009, 03:23 PM
kalisekj kalisekj is offline
 
Join Date: Dec 2006
Posts: 250
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by ahmed-samara View Post
it's open way to hacker my website by bbcode $ Html that is not secure
Html Is already allowed in many areas of VB, If you back up your site nightly you should not worry as much.
Truly folks, people hacking your site via html or BB Code is very unlikely to happen, most of our sites are not worth their time and trouble. You can specify exactly which codes you will allow. I see most of the social sites out there enabling widgets and html on their servers and user pages IE: MySpace, Facebook, Hi5, Tagged just to name a few and funny thing is they are not going down because of some hacker.
Reply With Quote
  #16  
Old 06-28-2009, 03:28 PM
deadlySniper deadlySniper is offline
 
Join Date: Dec 2008
Location: New York
Posts: 211
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Nice, thanks.
Reply With Quote
  #17  
Old 06-28-2009, 06:34 PM
kalisekj kalisekj is offline
 
Join Date: Dec 2006
Posts: 250
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I sure wish I knew all this coding, Surely this should be easy for any VB Coder to help us resolve?
Reply With Quote
  #18  
Old 06-28-2009, 07:56 PM
kalisekj kalisekj is offline
 
Join Date: Dec 2006
Posts: 250
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

This appears to be much more difficult than first thought, Coder here is using the code $mypage = unhtmlspecialchars(process_message_preview($vbulle tin->userinfo['field9']));
Which pulls the current users custom field info, to pull the custom field info from the profile page owner you need to use $userinfo [field9] which unfortunately stops making this mod work. I am stumped I have spent over a day trying to resolve this issue all on my own, I have posted many pm's, threads and posts on multiple boards for help on this supposedly easy coding fix but no one has responded.
Reply With Quote
  #19  
Old 06-30-2009, 12:03 AM
kalisekj kalisekj is offline
 
Join Date: Dec 2006
Posts: 250
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

It appears since the code is not running from the user profile page that it is unable to pull that users custom field info. Truly sad no other coders other than TheLastSuperman, many thanks for his time on trying to help on this matter, have even responded to my queries and hopes on this mod. This Mod has such great potential for truly changing and modifying user profiles. The ability to add in user widgets is a stupendous idea. More simply would be a way to run HTML code from custom user fields. There has to be a way to enable this in VB, I know the risks involved in allowing HTML, but I should have the option of what I allow and what I risk when its my web site. Security risks are to be taken by the web site admins not governed by the software developers.
Reply With Quote
  #20  
Old 07-01-2009, 10:53 PM
kalisekj kalisekj is offline
 
Join Date: Dec 2006
Posts: 250
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Well I guess I GIVE UP since no one else is interested in giving an answer or helping in any way. This could truly have been a great Mod. Even the coder is ignoring Pm's as well as his Mod Thread here.
Reply With Quote
  #21  
Old 07-03-2009, 07:35 PM
carcomp carcomp is offline
 
Join Date: Feb 2008
Posts: 75
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I've been a long while away from the site. My family and I went to Florida for 3 weeks and we've come back and been remodeling the house! I'm going to read through all of the things you've asked me and then post a response her.
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 12:38 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.08038 seconds
  • Memory Usage 2,347KB
  • Queries Executed 26 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (2)bbcode_code
  • (3)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)modsystem_post
  • (1)navbar
  • (4)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (2)pagenav_pagelink
  • (11)post_thanks_box
  • (1)post_thanks_box_bit
  • (11)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit
  • (11)post_thanks_postbit_info
  • (10)postbit
  • (1)postbit_attachment
  • (11)postbit_onlinestatus
  • (11)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_attachment
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete