MonoX support board

How to customize the HTML Editor to allow posting embedded codes (iframe) from Youtube? (Mono Support)

Viewed 33259 time(s), 11 post(s). 09.11.2013 03:55:11 by bkkmono
bkkmono

09.11.2013 04:14:20
Hello,

I tried to post an embedded code from Youtube in the Html Editor while creating a topic post in a Discussion Board, but the code was encoded into words instead of interpreting the iframe code to display a video clip. I know that the Html Editor in the text area of a discussion board uses CustomRadEditor to show the editor tools, but I don't know how to add or remove each function in the Html Editor.

How to customize the HTML Editor to allow posting embedded codes (iframe) from Youtube?
khorvat

09.11.2013 06:44:26
You will have to enable html mode on that editor in order to post that type of content.

Regards
bkkmono

09.11.2013 14:07:32
OK, I get it. I edited this xml file: "DiscussionRadEditorToolsFile.xml" to add or remove tools on it.
Zoomicon

09.11.2013 19:02:27
If it allows you to enter ANY HTML, you should be careful where you allow it. People could inject unwanted/malicious behaviour into your website like that.
bkkmono

09.11.2013 21:22:12
Thank you, Zoomicon, for the suggestion. I think JavaScript is disabled by default although HTML would be allowed to post. I just tested by posting JavaScript code in a blog post, then it vanished and didn't work.

However, this may be more obvious if Monox's staff would answer this concern.
bkkmono

09.11.2013 21:40:47
Bad news update: I just tested adding JavaScript code in a comment of a blog. The result is that JavaScript can run on MonoX by everyone!!

As a result, a spammer could attack my site by posting malicious JavaScript code in a comment of a blog.
bkkmono

09.11.2013 23:18:26
I added ValidateRequest="true" in the <%@ Page tag of Blog.aspx in order to prevent users from posting JavaScript code or even HTML code in comments of blog posts. It is working fine.
khorvat

10.11.2013 09:43:39
Hi,

Did you try to post the JavaScript on Blog comments while logged in as Administrator, as an ordinary user, or not logged in at all?

Btw, officially the support team is not working over the weekend.

Thanks for the feedback.
khorvat

11.11.2013 08:30:37
Just to confirm that posting a comment on Blog as an unauthenticated user doesn't allow you to inject any kind of JavaScript.

Please let us know how you managed to "inject" any kind of JavaScript in the comment, as per my previous question.

Thanks
Zoomicon

11.11.2013 09:35:00

Do you mean unauthorized (non-admin or some extra roles?) when you say unauthenticated?

Because registering as a user is usually free and doesn't stop an attacker.

Also, social engineering might trick a moderator, so I'd prefer the default to be only for admins or even turned off at web.config or something.

How can one check (some SQL query maybe?) for already injected JavaScript?

Btw, even allowing object and embed can deface a site or trick the user etc. (or do some XSS exploit depending on the web browser), so they should be at the same level of protection as scripts and other HTML (e.g. wouldn't want a float in a comment to go over your content).

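The allowlist approach this thread circles around (keep basic formatting and a YouTube iframe, drop script, object, embed and inline styling, as bkkmono's ValidateRequest post and Zoomicon's object/embed point both touch on), as an added Python example; it is not MonoX's code, and the tag list, the embed hosts and the fixed iframe attributes are assumed policy values, not MonoX settings.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed comment policy (not MonoX's settings): formatting tags, href on links, YouTube embeds only.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}
EMBED_HOSTS = {"www.youtube.com", "youtube.com", "www.youtube-nocookie.com"}
DROP_WITH_CONTENT = {"script", "style", "object", "iframe"}  # body discarded too; embed is void

def safe_url(url, hosts=None):
    """http(s) only, which rejects javascript: and data: URLs; optionally pinned to exact hosts."""
    p = urlparse(url.strip())
    return p.scheme in ("http", "https") and (hosts is None or p.hostname in hosts)

def video_embed_ok(src):
    return safe_url(src, EMBED_HOSTS) and urlparse(src).path.startswith("/embed/")

class CommentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside a dropped element (unclosed ones fail closed)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            if tag == "iframe" and video_embed_ok(attrs.get("src", "")):
                # Re-emitted with policy-fixed size and sandbox; the poster's other attributes are ignored.
                self.out.append('<iframe src="%s" width="560" height="315" sandbox="allow-scripts '
                                'allow-same-origin"></iframe>' % escape(attrs["src"], quote=True))
        elif not self.skip and tag in ALLOWED_TAGS:  # unknown tags (div, embed, ...) dropped, text kept
            kept = [' %s="%s"' % (k, escape(attrs[k], quote=True))
                    for k in ALLOWED_ATTRS.get(tag, ()) if k in attrs and safe_url(attrs[k])]
            self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # re-escaped, so "&lt;script&gt;" typed as text stays text

def sanitize_comment(html):
    s = CommentSanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out)
```

Host matching is exact, so a lookalike such as www.youtube.com.evil.example is rejected; in ASP.NET the same policy would sit in the comment-save path rather than rely on ValidateRequest alone.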