[SOLVED] Possible security issue with comments

wbarek

Joined: 2007-05-02
Posts: 153

Posted: Wed, 2009-09-30 19:13

I have just noticed that anybody can enter comments with html code and it is displayed without moderating. I still like visitors to enter comments but with the approval of the admin. It would be nice that when they input a comment it will display a note that their comment has been queued for approval as their feedback. Is it possible?
Thanks William

floridave

Joined: 2003-12-22
Posts: 22892

Posted: Wed, 2009-09-30 19:25

HTML behavior has changed. Please update to a experimental version and test again.
You might want to use html and then you need the purifier module:
http://codex.gallery2.org/Gallery3:Modules:purifier

There is not a aproval module yet but you can use the notification module.

Dave

_____________________________________________
Blog & G2 || floridave - Gallery Team

nivekiam

Joined: 2002-12-10
Posts: 16503

Posted: Wed, 2009-09-30 20:19

And there is the Akismet and reCaptcha modules to help combat spam. Using the purifier module should make all html safe, without that module the HTML is displayed without rendering:
<b>test</b>

instead of test
____________________________________________
Like Gallery? Like the support? Donate now!!! See G2 live here

wbarek

Joined: 2007-05-02
Posts: 153

Posted: Wed, 2009-09-30 21:01

nivekian, thanks for the tip, but I do run purifier module since I wanted html rendered in my image description field. So it is also working for comments. I just disabled comments for now because to my thinking if anyone can write a html code into comment there could be hidden malicious code or a link to malicious code on which curious people could click. There really should be approval process in place for any comments before it is displayed. Don't you think so?
Thanks William

nivekiam

Joined: 2002-12-10
Posts: 16503

Posted: Wed, 2009-09-30 21:22

That's exactly what the purifier module is for. Clean any malicious stuff out. But I haven't looked that closely I guess they could "hide" a link by making the text the same color as the background, if that doesn't get stripped out, I'm not sure. But between reCaptcha to keep the robots out and Akismet that should keep any of that spam junk out.

As Dave said, someone will need to create a moderation module, that's not part of core.
____________________________________________
Like Gallery? Like the support? Donate now!!! See G2 live here

wbarek Joined: 2007-05-02 Posts: 153	Posted: Wed, 2009-09-30 19:13
	I have just noticed that anybody can enter comments with html code and it is displayed without moderating. I still like visitors to enter comments but with the approval of the admin. It would be nice that when they input a comment it will display a note that their comment has been queued for approval as their feedback. Is it possible? Thanks William
	XUser login Username: * Password: * Create new account Request new password
floridave Joined: 2003-12-22 Posts: 22892	Posted: Wed, 2009-09-30 19:25
	HTML behavior has changed. Please update to a experimental version and test again. You might want to use html and then you need the purifier module: http://codex.gallery2.org/Gallery3:Modules:purifier There is not a aproval module yet but you can use the notification module. Dave _____________________________________________ Blog & G2 \|\| floridave - Gallery Team

nivekiam Joined: 2002-12-10 Posts: 16503	Posted: Wed, 2009-09-30 20:19
	And there is the Akismet and reCaptcha modules to help combat spam. Using the purifier module should make all html safe, without that module the HTML is displayed without rendering: <b>test</b> instead of test ____________________________________________ Like Gallery? Like the support? Donate now!!! See G2 live here

wbarek Joined: 2007-05-02 Posts: 153	Posted: Wed, 2009-09-30 21:01
	nivekian, thanks for the tip, but I do run purifier module since I wanted html rendered in my image description field. So it is also working for comments. I just disabled comments for now because to my thinking if anyone can write a html code into comment there could be hidden malicious code or a link to malicious code on which curious people could click. There really should be approval process in place for any comments before it is displayed. Don't you think so? Thanks William

nivekiam Joined: 2002-12-10 Posts: 16503	Posted: Wed, 2009-09-30 21:22
	That's exactly what the purifier module is for. Clean any malicious stuff out. But I haven't looked that closely I guess they could "hide" a link by making the text the same color as the background, if that doesn't get stripped out, I'm not sure. But between reCaptcha to keep the robots out and Akismet that should keep any of that spam junk out. As Dave said, someone will need to create a moderation module, that's not part of core. ____________________________________________ Like Gallery? Like the support? Donate now!!! See G2 live here

[SOLVED] Possible security issue with comments

XUser login