MonoX support board

Start the conversation, ask questions and share tips and solutions with fellow developers.

Non-registered users can only browse through our support boards. Please register now if you want to post your questions. It takes a second and it is completely free. Alternatively, you can log in without registration using your credentials at major sites such as Google, Microsoft Live, OpenId, Facebook, LinkedIn or Yahoo.

How to customize the HTML Editor to allow posting embedded codes (iframe) from Youtube?  (Mono Support )

Viewed 21508 time(s), 11 post(s) 11/9/2013 3:55:11 AMby bkkmono
khorvat

khorvat

11/11/2013 10:13:50 AM
Sorry, I didn't explain myself correctly

"do you mean unauthorized (non admin or some extra roles?) when you say unauthenticated?"
- I meant if he was logged in as an Administrator as he is the only one allowed to put in content without the review.

"also social engineering might trick a moderator so I'd prefer default to be only for admins or even turned off at web.config or something"
This is allowed only for Admins and right now it's not possible to turn it off or on in the configuration.

"how can one check (some SQL query maybe?) for already injected javascript?"
- you should just search for javascript tag in MonoX tables via pure select query. But as I mentioned you shouldn't be able to inject the scripts as registered user or anonymous.

"btw, even allowing object and embed can deface a site or trick the user etc. (or do some xss exploit depending on the web browser), so they should be at the same level of protection as scripts and other html (eg wouldn't want a float in a comment to go over your content)"
Yes they are at the same level, with Admin exception I mentioned above

Regards 
This content has not been rated yet. 
15993 Reputation 2214 Total posts
1 2