I cannot post javascript code in discussion

ThomasHoi

Hi all,

I'm using Vanilla version 2.0.18.8, activated "allow raw format" plugin. I posted a javascript code that should show a form but it didn't even though the preview mode shows the form.

However, the form does work in the comments.

This is the page I'm talking about -> http://interiordesignsingapore.com/forums/discussion/346/hdb-3-room-blk-729-clementi-west

Anyone here can show me how to make the form show up in the discussion post?

Thanks.

vrijvlinder

See in your config.php if you have < script > as allowed element

$Configuration['Garden']['Html']['AllowedElements']  = "a, abbr, acronym, address, area, audio, b, bdi, bdo, big, blockquote, br, caption, center, cite, code, col, colgroup, dd, del, details, dfn, div, dl, dt, em, figure, figcaption, font, h1, h2, h3, h4, h5, h6, hgroup, hr, i, img, ins, kbd, li, map, mark, menu, meter, ol, p, pre, q, s, samp, small, span, strike, strong, sub, sup, summary, table, tbody, td, tfoot, th, thead, time, tr, tt, u, ul, var, video, wbr";

Also to prevent or allow certain file extensions from upload

$Configuration['Garden']['Upload']['AllowedFileExtensions']= array('txt','jpg','jpeg','gif','png', 'bmp', 'tiff', 'ico', 'zip','gz','tar.gz','tgz','psd','ai','fla','swf','pdf','doc','xls','ppt','docx','xlsx','log','rar','7z');

x00

@vrijvlinder said:
See in your config.php if you have < script > as allowed element

$Configuration['Garden']['Html']['AllowedElements'] 

No it should be already be filtered out by HtmlLawed and those controls are for experts only, if he is using raw formating there is no filter at all anyway. it should only be done by trusted parties if at all necessary.

@ThomasHoi you are approaching the problem the wrong way. You shouldn't individually be posting a form for each designer your serve, it is not sustainable, scalable or sensible. You need code that would work regardless of what designer. The majority of code these days is dynamic, you need the skills to develop it or pay someone to do it properly.

It need to be an appropriate interface, a form in post isn't really an appropriate interface and even if it was, doing it piecemeal and directly with JavaScript is asking for trouble.

vrijvlinder

Great design ! May I ask why you are not using the most recent Vanilla version 2.1 Stable?
I see the form using a Mac and Safari browser

ThomasHoi

@vrijvlinder said:
Great design ! May I ask why you are not using the most recent Vanilla version 2.1 Stable?
I see the form using a Mac and Safari browser

I'm still testing the plugins and will be upgrading soon. Do you think 2.1 stable will allow javascript code in the discussion post?

Thanks.

peregrine

If you want to make your forum prone to xss and allow users to post js in the body of a post to take control of your site, you can do that in 2.1 as well. not sure if I would recommend it though.

vrijvlinder

You should actually put the code inside a message box or a module so it shows in every page and you don't risk opening your site to exploits

In the dashboard go to messages and select new message a form opens put code in there select panel or content and save

Unless various people have a form for each design ? In that case I would add the forms per category, each designer is a category that way you can discriminate who has what form.

Allowing js from people in the comments is risky. They can hijack the form.Insert malicious scripts without knowing.

peregrine

you could use discussionpolls as a guide to implementing your form within posts, it is far safer, than to allow users to post js in the body of a comment.

ThomasHoi

Thanks for all the suggestions. The problem is I need to have a different form for different designer. Currently, I have 10 designers and they will each have their own form to collect leads.

I'm thinking of using pockets for the javascript code and then use conditions to show the pockets.

For example, if the discussion is started by "9 Degree", then show the pocket (form for 9 degree) in the discussion.

Do you think this is possible?

ThomasHoi

By the way, how do i disable javascript code in comments?

vrijvlinder

See in your config.php if you have < script > as allowed element

$Configuration['Garden']['Html']['AllowedElements']  = "a, abbr, acronym, address, area, audio, b, bdi, bdo, big, blockquote, br, caption, center, cite, code, col, colgroup, dd, del, details, dfn, div, dl, dt, em, figure, figcaption, font, h1, h2, h3, h4, h5, h6, hgroup, hr, i, img, ins, kbd, li, map, mark, menu, meter, ol, p, pre, q, s, samp, small, span, strike, strong, sub, sup, summary, table, tbody, td, tfoot, th, thead, time, tr, tt, u, ul, var, video, wbr";

Also to prevent or allow certain file extensions from upload

$Configuration['Garden']['Upload']['AllowedFileExtensions']= array('txt','jpg','jpeg','gif','png', 'bmp', 'tiff', 'ico', 'zip','gz','tar.gz','tgz','psd','ai','fla','swf','pdf','doc','xls','ppt','docx','xlsx','log','rar','7z');

x00

@vrijvlinder said:
See in your config.php if you have < script > as allowed element

$Configuration['Garden']['Html']['AllowedElements'] 

No it should be already be filtered out by HtmlLawed and those controls are for experts only, if he is using raw formating there is no filter at all anyway. it should only be done by trusted parties if at all necessary.

@ThomasHoi you are approaching the problem the wrong way. You shouldn't individually be posting a form for each designer your serve, it is not sustainable, scalable or sensible. You need code that would work regardless of what designer. The majority of code these days is dynamic, you need the skills to develop it or pay someone to do it properly.

It need to be an appropriate interface, a form in post isn't really an appropriate interface and even if it was, doing it piecemeal and directly with JavaScript is asking for trouble.