[AJAX] vBShout v2.0

[high]Staff Edit/Update[/high]

I have released an updated version of this hack (version 2.0.1), this version fixes some security issues with this hack. All version prior to this one allow users to insert html in their shouts, this can cause problems with them using html that breaks the site layout or malicious javascript. Download the new zip file (vBshout_fixed.zip) and upload the new vbshout.php file to patch/upgrade. If you want to manual instructions they are in the zip file, in the file bugfixes.txt

Second Staff update

I've uploaded a new version of this hack, dubbed '2.0.2'. This one should fix the html injection issues without breaking special characters. To upgrade, download the new zip file and upload the new vbshout.php file.

Please note that this only fixes the html injection issues. I do not use this hack on my own forum (although I've tested this on a client's board) so I will not be fixing the server load issues. I suggest you do not install this hack if you can't deal with the extra server load, as it's rather intensive.

- Brad

[high]End staff edit[/high]

Well, been a while since I've been to vb.org and released anything, thought i'd break the trend and whip up something quick while I have a little spare time.

A shoutbox as you would assume, a very simple one to start off with, but does include AJAX Technology, which pushes the shoutbox 1 step closer to live, messages from other people will appear with no refreshing, and so will yours that you post

A preview is below, i'd estimate a 50 second installation max

Primary Features:
- AJAX Technology (no refreshing)
- Administration control an display element options
- Fast format editor

Change Log::

- v1.1:
WOL (Who's Online) Correction

- v1.2:
New Posting Featurs (Bold/Italic/Underline/Colour/Font)
Admin Controls

- Change location/position of shoutbox
- Change number of shouts displayed
- Switch vbcode/similes on/off

- v1.3
Firefox javascript issue fixed
New Admin Controls

- Command Activation
- Swtch extra format options on/off
- Change position of editor (above/below messages)

New Commands

- /prune (Clears the shoutbox completely)
- /prune [username] (Clears all shouts posted by specified user)

- v1.4
Usergroup HTML Markup For Usernames
Clear Editor Button
Emoticons Pop Up Menu
Time display configurated to vBulletin settings
Username Links To Profile
New Admin Conrols

New vBShout Position (Directly Above Forums)
Banned Users
Banned Usergroups
Banned Permissions
Smilie Pop-Up Box Height
Smilie Pop-Up Box Width

New Commands

"/me" - Action message (all users are able to use this command)
/pruneshout [shout] - Deletes a single shout

- v1.5
Improved Smilies Display
XHTML 1.0 Transitional Valid (couple of errors fixed)
New Admin Options

Shoutbox Height
Smilies To Show
Shout Messages Order
Banned Permissions (fixed)

- v1.6
Bug Fixes:

- Unable to delete shouts that used /me command fixed
- Shouts being displayed from bottom-upwards only showed first 20 shouts

Automatically parses URL's

- v2.0
New Archive

- Displays shouts and pages
- Stats and top 10 shouters
- AJAX Edit/Delete (staff can edit/delete all shouts)

Enjoy,

- Zero Tolerance

[Raptor]

ive tested - yes indeed it does fix

can i have this confirmed please

[Raptor]

Quote:

Originally Posted by Dollah

i uploaded everything box show fine but it keeps saying loading whats that all about.
i can type but it loads or show nuthing. i use firefox 1.5 if that helps u help me..thanx in advance

ive found it doesnt work on firefox v1.5 but does on v1.7

[Chris M]

Quote:

Originally Posted by Raptor

ive found it doesnt work on firefox v1.5 but does on v1.7

There is no 1.7...

Chris

[Raptor]

sorry i was thinking of mozilla

[Dollah]

Quote:

Originally Posted by Raptor

there is a security flaw if you direct link to vbshout.php - you can execute java and html

this should fix

Code:

// ---------------------------------------------------
// Shout
// ---------------------------------------------------
if ($_POST['do'] == 'shout')
{
$vbulletin->input->clean_array_gpc('p', array(
'shout' => TYPE_STR,


if you change that to

// ---------------------------------------------------
// Shout
// ---------------------------------------------------
if ($_POST['do'] == 'shout')
{
$vbulletin->input->clean_array_gpc('p', array(
'shout' => TYPE_NOHTML,

which is;

http://www.vbulletin.com/docs/html/m...estandards_gpc

changes..
# TYPE_STR - Trimmed String (No leading or trailing whitespace)
to
# TYPE_NOHTML - Trimmed String sent through htmlspecialchars_uni()

im sorry i'm new at this where do i find this at please

[divided_by_fear]

well its seems its in the file like that 2 times do we replace both of the 'shout' => TYPE_STR,
with 'shout' => TYPE_NOHTML,

[Raptor]

Quote:

Originally Posted by Dollah

im sorry i'm new at this where do i find this at please

in the vbshout.php of course

[Raptor]

Quote:

Originally Posted by divided_by_fear

well its seems its in the file like that 2 times do we replace both of the 'shout' => TYPE_STR,
with 'shout' => TYPE_NOHTML,

the hole is in the first one - no need to change anything else

as a test i looked at a couple of forums with shoutbox installed - it was very very easy to run custom javascript on their forums - this hole is actually very dangerous - all the users need to fix

[divided_by_fear]

would it hurt to change the second one ? cause i had changed mine already everything still works... just want to make sure its ok

[Snake]

Quote:

Originally Posted by Raptor

the hole is in the first one - no need to change anything else

as a test i looked at a couple of forums with shoutbox installed - it was very very easy to run custom javascript on their forums - this hole is actually very dangerous - all the users need to fix

And what would happen if we don't?

[Dollah]

THANX INSTALLED EVERYTHING IS WERKING CORRECTLY ALSO in 3.5.1 i did not nee to change any templates excellent......

[bi11i]

I've got this same problem - does anyone yet have a solution for it?

Quote:

Originally Posted by Feckie (Roger)

When I ban user groups the following message is displayed in the shoutbox
any idea's

[apokphp]

61 pages, I tried to search but didn't find anything helpful...

My members cannnot edit their own shouts despite them having the button to do so and the ability to open their shout to edit it. When they try to save their edit, it simply does NOT save.

I'd like this enabled for my members, but don't see a way to do so. Can someone help?

[DjTaz]

I had to uninstall this - it slowed my site down too much - sorry

[Booth]

Quote:

Originally Posted by Wachtmeister

Hi all,

ist there any way to include the shoutbox into my arcade.php also? I'm not using the add-on "vbshout on all pages". I only want the box on forumhume, vbadvanced portal AND v3arcade. Maybe i can add some additional code to my arcade.php?

Best wishes, Wachtmeister

Yep, I'd like the shoutbox at the bottom of V3arcade pages too :nervous: