Hello everyone,
I have a small problem with this extension.
In my case this extension does nothing. I mean, I thought I would get <a href="#username">answer</a>, but when you click this link the username should automatically be copied into the comment box area as @username.
Is this what this plugin does, or does it just put the username in the link?
I would appreciate it if you could reply asap.
Thank you !!!
@vanillawhisky Have you read this comment and tried the version @matt has uploaded?
@matt said:
I've made some changes to this plugin to get it to work more reliably.
Previously it would stop working if the textarea was edited, as mentioned by @Csabbencs
It now uses val() rather than html() to check or modify the textarea contents, and the animate() call has also been changed to work more reliably.
@R_J said: @vanillawhisky Have you read this comment and tried the version @matt has uploaded?
@matt said:
I've made some changes to this plugin to get it to work more reliably.
Previously it would stop working if the textarea was edited, as mentioned by @Csabbencs
It now uses val() rather than html() to check or modify the textarea contents, and the animate() call has also been changed to work more reliably.
But the modified plugin and the original EASYREPLY plugin both use
public function Setup() {
SaveToConfig('Garden.Html.SafeStyles',FALSE); // make forum susceptible to clickjacking and other malicious coding
}
public function OnDisable() {
RemoveFromConfig('Garden.Html.SafeStyles');
}
What this means is: if you enable the plugin from the dashboard, you will be disabling the protection of the HTMLAWED plugin that prevents users from injecting styles into a discussion.
A malicious user could add some styles and make the discussion unusable, or you could be susceptible to clickjacking.
It's your choice if you want to use it, but it is best to rely on either a TRUE statement in config.php OR no statement at all with regards to $Configuration['Garden']['Html']['SafeStyles'] in config.php.
$Configuration['Garden']['Html']['SafeStyles'] = TRUE; // disallow style/class attributes in html to prevent click jacking
but BE AWARE -- PUBLIC SERVICE ANNOUNCEMENT. CLICKJACKING AND OTHER STYLE VULNERABILITIES
$Configuration['Garden']['Html']['SafeStyles'] = false; // will open you up to user mischief or clickjacking
If you want to try a demo of the potential deleterious impact of the EasyReply plugin:
1. Enable the EasyReply plugin.
2. Enter the following in a discussion on your forum.
3. You will now see a large font that may obscure some of the page in the discussion where you cut and pasted the above code. This is a small token of what can occur from a user entry.
4. You will probably want to remove the entry. You can delete the discussion or edit it. But first, before deleting the discussion, you can
5. To prevent this from happening, go to your config.php and delete the line that says
$Configuration['Garden']['Html']['SafeStyles'] = false;
Once $Configuration['Garden']['Html']['SafeStyles'] = false; is removed or is set to true in your config.php, you will be in a safer position with regards to users posting to your forum.
The function of this plugin would best be changed so it does not invoke this:
public function Setup() {
SaveToConfig('Garden.Html.SafeStyles',FALSE); // make forum susceptible to clickjacking and other malicious coding
}
Every time you enable EasyReply in the dashboard it will prevent SafeStyles from working as it should to keep you and your forum safe.
At least you know now, and you can make an informed decision.
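As an added example (not code from the thread, from Vanilla, or from the EasyReply plugin), a small Python audit that applies River's check automatically: it reads the effective SafeStyles value from config.php text, treating a missing line as safe because the post says TRUE or no statement are both fine, and flags plugin sources whose Setup() calls SaveToConfig('Garden.Html.SafeStyles', FALSE). The regex patterns, the sample config.php and the sample plugin sources are constructed for this example.

```python
import re

# Pattern for the config.php line River tells you to look for (constructed here):
#   $Configuration['Garden']['Html']['SafeStyles'] = true/false;
SAFESTYLES_LINE = re.compile(
    r"^\s*\$Configuration\['Garden'\]\['Html'\]\['SafeStyles'\]\s*=\s*(true|false)\s*;",
    re.IGNORECASE | re.MULTILINE,
)
# Pattern for the Setup() call quoted in the thread that switches the protection off.
PLUGIN_DISABLES = re.compile(
    r"SaveToConfig\(\s*['\"]Garden\.Html\.SafeStyles['\"]\s*,\s*false\s*\)",
    re.IGNORECASE,
)

def safestyles_enabled(config_php: str) -> bool:
    """Effective SafeStyles value from config.php text. No assignment at all counts
    as enabled (the thread says TRUE or no statement are both fine); if the line
    appears more than once the last one wins, as it would when PHP runs the file."""
    values = SAFESTYLES_LINE.findall(config_php)
    return True if not values else values[-1].lower() == "true"

def plugins_disabling_safestyles(plugin_sources: dict) -> list:
    """Names of plugins whose source calls SaveToConfig('Garden.Html.SafeStyles', FALSE)."""
    return sorted(name for name, src in plugin_sources.items() if PLUGIN_DISABLES.search(src))

def audit(config_php: str, plugin_sources: dict) -> dict:
    """'ok' is True only when config.php is safe AND no enabled plugin will undo that."""
    enabled = safestyles_enabled(config_php)
    offenders = plugins_disabling_safestyles(plugin_sources)
    return {"safestyles_enabled": enabled,
            "plugins_disabling_safestyles": offenders,
            "ok": enabled and not offenders}

# Constructed sample inputs: a config.php after EasyReply's Setup() has run, plus the
# EasyReply Setup() fragment quoted above and a constructed plugin that is harmless.
SAMPLE_CONFIG = """<?php if (!defined('APPLICATION')) exit();
$Configuration['Garden']['Html']['SafeStyles'] = false;
"""
SAMPLE_PLUGINS = {
    "EasyReply": "public function Setup() {\n    SaveToConfig('Garden.Html.SafeStyles',FALSE);\n}",
    "Harmless": "public function Setup() {\n    // constructed: touches no sanitizer settings\n}",
}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, SAMPLE_PLUGINS))
```

Run it against your real config.php contents and the Setup() bodies of the plugins you have enabled; a plugin that appears in the offenders list will re-disable SafeStyles each time it is enabled from the dashboard, even after you have corrected config.php by hand.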
@River said:
It's your choice if you want to use it, but it is best to rely on either a TRUE statement in config.php OR no statement at all with regards to $Configuration['Garden']['Html']['SafeStyles'] in config.php.
$Configuration['Garden']['Html']['SafeStyles'] = TRUE; // disallow style/class attributes in html to prevent click jacking
but BE AWARE -- PUBLIC SERVICE ANNOUNCEMENT. CLICKJACKING AND OTHER STYLE VULNERABILITIES
$Configuration['Garden']['Html']['SafeStyles'] = false; // will open you up to user mischief or clickjacking
If you want to try a demo of the potential deleterious impact of the EasyReply plugin:
Thanks for your tips.
Making $Configuration['Garden']['Html']['SafeStyles'] = false/true; doesn't get what I want.
However, I found something strange in my forum.
During the page loading, this plugin (or say the answer button) works. That means I get @username in the textbox, but as soon as the page stops loading, this button works no more. I find this strange. I guess this is something to do with JavaScript.
Is there any plugin which I can use instead of this EasyReply? I also tried the ReplyTo plugin but this creates failure.
@linc what about deleting this EASYREPLY plugin because of the $Configuration['Garden']['Html']['SafeStyles'] issue?
And r_j will eventually have a working replacement.
Many people will not know they are adding a potential UNSAFE invite for a clickjacking security issue to their forum if they use this plugin.
Pragmatism is all I have to offer. Avoiding the sidelines and providing centerline pro-tips.
Comments
Please don't link downloads to external sites via masked short URLs. Upload as a revised plugin if need be or speak to @underdog
It's not a masked URL, it's a link to a file hosted on the CloudApp service.
Here's a direct download version of the link: [removed]
Not sure if @andelf is still around? Can @underdog help?
@matt Great job on this, cleared up some issues I was having with it for sure.
@andelf should really assimilate your code, or you should spin it off.
from this discussion:
https://vanillaforums.org/discussion/comment/242196/#Comment_242196
vanillawhisky, if you try my demo instructions above it should be crystal clear via visual representation on your forum.
Pragmatism is all I have to offer. Avoiding the sidelines and providing centerline pro-tips.
Try this one: https://vanillaforums.org/addon/reply-plugin
What is your goal? EasyReply and ReplyTo do two different things.
One appends the name with an @ to a comment, the other creates a threaded discussion tree, and both appear to be very old plugins.
Why don't you use the quote plugins?
Without knowing what you are trying to achieve it is hard to make suggestions.
Is this what this plugin does, or does it just put the username in the link?
I think it just puts the user name in the link.
Why not use the Quotes plugin that comes with the core?
Pragmatism is all I have to offer. Avoiding the sidelines and providing centerline pro-tips.
The Quotes plugin quotes all the comments, which I don't need. I just need @username. Now I am using @R_J's plugin.
After his second update, it's now working fine.
Thank you @River and @R_J.
Addon removed. Also removing SafeStyles from core: https://github.com/vanilla/vanilla/pull/4231
THANK YOU!!!!!!
Pragmatism is all I have to offer. Avoiding the sidelines and providing centerline pro-tips.