MonoX support board


How to customize the HTML Editor to allow posting embedded codes (iframe) from Youtube? (Mono Support)

Viewed 21695 time(s), 11 post(s), 11/9/2013 3:55:11 AM by bkkmono
bkkmono

11/9/2013 4:14:20 AM
Hello,

I tried to post an embedded code from Youtube in the Html Editor while creating a topic post in a Discussion Board, but the code was encoded into words instead of interpreting the iframe code to display a video clip. I know that the Html Editor in the text area of a discussion board uses CustomRadEditor to show the editor tools, but I don't know how to add or remove each function in the Html Editor.

How to customize the HTML Editor to allow posting embedded codes (iframe) from Youtube?
khorvat

11/9/2013 6:44:26 AM
You will have to enable html mode on that editor in order to post that type of content.

Regards
bkkmono

11/9/2013 2:07:32 PM
OK, I get it. I edited this xml file: "DiscussionRadEditorToolsFile.xml" to add or remove tools on it.
Zoomicon

11/9/2013 7:02:27 PM
If it allows you to enter ANY HTML you should be careful where you allow it. People could inject unwanted/malicious behaviour into your website like that.
bkkmono

11/9/2013 9:22:12 PM
Thank you Zoomicon for the suggestion. I think Javascript is disabled by default although HTML would be allowed to post. I just tested by posting Javascript code in a blog post, then it vanished and didn't work.

However, this may be more obvious if Monox's staff would answer this concern.
bkkmono

11/9/2013 9:40:47 PM
Bad news update: I just tested adding Javascript code in a comment of a blog. The result is that Javascript can run on MonoX by everyone!!

As a result, a spammer could attack my site by posting malicious Javascript code on a comment of a blog.
bkkmono

11/9/2013 11:18:26 PM
I added ValidateRequest="true" in the <%@ Page tag of Blog.aspx in order to prevent users from posting Javascript code or even Html code in comments of blog posts. It is working fine.
khorvat

11/10/2013 9:43:39 AM
Hi,

Did you try to post the Javascript on Blog comments while being logged in as Administrator, as an ordinary user, or not logged in at all?

Btw, officially the support team is not working over the weekend.

Thanks for the feedback.
khorvat

11/11/2013 8:30:37 AM
Just to confirm that posting a comment on Blog as an unauthenticated user doesn't allow you to inject any kind of Javascript.

Please let us know how you managed to "inject" any kind of Javascript in the comment, as per my previous question.

Thanks
Zoomicon

11/11/2013 9:35:00 AM

Do you mean unauthorized (non-admin or some extra roles?) when you say unauthenticated?

Because registering as a user is usually free and doesn't stop an attacker.

Also, social engineering might trick a moderator, so I'd prefer the default to be only for admins, or even turned off at web.config or something.

How can one check (some SQL query maybe?) for already injected javascript?

Btw, even allowing object and embed can deface a site or trick the user etc. (or do some xss exploit depending on the web browser), so they should be at the same level of protection as scripts and other html (e.g. you wouldn't want a float in a comment to go over your content).

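As an added example (not MonoX's code and not from anyone in this thread), the Python sanitizer below shows what "allow HTML but not active content" looks like when it is enforced server-side on the stored comment rather than left to ValidateRequest: it keeps iframe embeds only from an allow-listed YouTube host, drops script/object/embed, event-handler attributes and javascript: URLs, and records what it removed, so the same pass run over already stored comments answers the "how can one check" question above. The tag, attribute and host lists are assumptions for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Policy is an assumption for this example, not MonoX's: YouTube frames, a few formatting tags, no scripts.
ALLOWED_IFRAME_HOSTS = {"www.youtube.com", "www.youtube-nocookie.com"}
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br", "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}, "iframe": {"src", "width", "height"}}
ACTIVE_TAGS = {"script", "style", "object", "embed", "iframe"}  # dropped together with their content

def safe_url(url, allowed_hosts=None):
    """http(s) only, optionally restricted to an allow-list of hosts."""
    p = urlparse(url.strip())
    return p.scheme in ("http", "https") and (allowed_hosts is None or p.netloc.lower() in allowed_hosts)

class CommentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.removed, self.skip = [], [], 0  # skip > 0 while inside a dropped active element
    def handle_starttag(self, tag, attrs):
        if self.skip:
            self.skip += 1
            return
        hosts = ALLOWED_IFRAME_HOSTS if tag == "iframe" else None
        self.removed += [f"{tag}@{n}" for n, v in attrs  # record what a scan of stored rows should flag
                         if n.startswith("on") or (v or "").lstrip().lower().startswith("javascript:")]
        keep_frame = tag == "iframe" and safe_url(dict(attrs).get("src") or "", hosts)
        if tag not in ALLOWED_TAGS and not keep_frame:
            if tag in ACTIVE_TAGS:  # unknown tags only lose their markup; active ones lose their content too
                self.skip = 1
                self.removed.append(tag)
            return
        kept = [f' {n}="{html.escape(v or "", quote=True)}"' for n, v in attrs
                if n in ALLOWED_ATTRS.get(tag, set()) and (n not in ("href", "src") or safe_url(v or "", hosts))]
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if self.skip:
            self.skip -= 1
        elif (tag in ALLOWED_TAGS or tag == "iframe") and tag != "br":  # browsers treat </br> as <br>
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data))

def sanitize_comment(raw_html):
    """Return (clean_html, removed): run on new comments to clean, on stored rows to detect."""
    s = CommentSanitizer()
    s.feed(raw_html)
    s.close()
    return "".join(s.out), s.removed
```

Running `sanitize_comment` over every stored comment and collecting the non-empty `removed` lists gives the inventory of already injected markup that a plain SQL `LIKE '%<script%'` search would miss (event handlers, javascript: links, object/embed).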