
How can I place a script in a post?

I know that scripts can pose security issues, but I'm wondering if there is a way to allow admins to do it?

I have a gofundme campaign and I would like to post their embeddable widget into a topic.

Is there any way to do that?

Here is what I want to place in a topic:

<iframe class='gfm-media-widget' image='0' coinfo='0' width='100%' height='100%' frameborder='0' id='4fl7ayw'></iframe><script src='//funds.gofundme.com/js/5.0/media-widget.js'></script>

Comments

  • Caylus ✭✭
    edited September 2017

    So I would create a discussion or a comment (doesn't matter what you type in there), and look up the ID:

    https://open.vanillaforums.com/discussion/34044/how-can-i-place-a-script-in-a-post#latest
    ^^ ID = 34044

    https://open.vanillaforums.com/discussion/comment/249447/#Comment_249447
    ^^ ID = 249447

    Then imagine you would like to replace those two posts with your snippet; this would be the plugin function you'd need:

        // Goes inside your plugin class.
        public function DiscussionController_AfterCommentFormat_handler($Sender) {
            // Fixed embed markup; never built from user input.
            $Embed = "<iframe class='gfm-media-widget' image='0' coinfo='0' width='100%' height='100%' frameborder='0' id='4fl7ayw'></iframe><script src='//funds.gofundme.com/js/5.0/media-widget.js'></script>";
            $Type = $Sender->EventArguments['Type'];
            if ($Type === 'Discussion') {
                // Cast before the strict comparison: IDs loaded from the database may be strings.
                if ((int)$Sender->EventArguments['Discussion']->DiscussionID === 34044) {
                    $Sender->EventArguments['Discussion']->FormatBody = $Embed;
                }
            } else {
                if ((int)$Sender->EventArguments['Object']->CommentID === 249447) {
                    $Sender->EventArguments['Object']->FormatBody = $Embed;
                }
            }
        }
    

    ^^ With this code you and you alone can control exactly where a script is inserted. And no other script can be inserted than the script you want.

    It's not the most pretty solution, but it's the safest I can think of.

  • Interesting. Ok this might take a bit more time than I had thought. I have to head out of town for the weekend, but will take a look at this when I can. Thank you for the reply.

  • To add to my answer: If you'd like to create a post like "Hey everyone check out this gofundme campaign [gofundmescript] Thanks a ton!" you can do that with this snippet:

        // Both methods go inside your plugin class.
        public function replaceScriptTagWithRealScript($Body)
        {
            $script = "<iframe class='gfm-media-widget' image='0' coinfo='0' width='100%' height='100%' frameborder='0' id='4fl7ayw'></iframe><script src='//funds.gofundme.com/js/5.0/media-widget.js'></script>";
            $Body = str_replace('[gofundmescript]', $script, $Body);
            return $Body;
        }

        public function DiscussionController_AfterCommentFormat_handler($Sender) {
            $Type = $Sender->EventArguments['Type'];
            if ($Type === 'Discussion') {
                // Cast before the strict comparison: IDs loaded from the database may be strings.
                if ((int)$Sender->EventArguments['Discussion']->DiscussionID === 34044) {
                    // Call through $this: the helper is a method of the plugin class.
                    $Sender->EventArguments['Discussion']->FormatBody = $this->replaceScriptTagWithRealScript($Sender->EventArguments['Discussion']->FormatBody);
                }
            } else {
                if ((int)$Sender->EventArguments['Object']->CommentID === 249447) {
                    // Pass the formatted body string, not the comment object.
                    $Sender->EventArguments['Object']->FormatBody = $this->replaceScriptTagWithRealScript($Sender->EventArguments['Object']->FormatBody);
                }
            }
        }
    

    I would still include the DiscussionID/CommentID check, to make sure other people can't create posts with just "[gofundmescript][gofundmescript][gofundmescript]" (x1000)

    And here's the link to the create your own plugin tutorial btw, I forgot to post it:
    http://docs.vanillaforums.com/developer/plugins/quickstart/
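
Added example, not part of the thread or of Vanilla's own code: the ID-gated placeholder substitution described in the comments above, as a standalone PHP script that runs from the command line. `expandEmbed`, the constants and the sample posts are constructed for illustration; the IDs and the embed markup are the ones quoted in the thread.

```php
<?php
// Added example: allowlist-gated expansion of the [gofundmescript] placeholder.

// Fixed embed markup, copied from the question; never built from user input.
const EMBED_HTML = "<iframe class='gfm-media-widget' image='0' coinfo='0' width='100%' height='100%' frameborder='0' id='4fl7ayw'></iframe>"
    . "<script src='//funds.gofundme.com/js/5.0/media-widget.js'></script>";
const PLACEHOLDER = '[gofundmescript]';

// Allowlist of posts that may carry the embed (IDs from the thread).
const ALLOWED = ['Discussion' => [34044], 'Comment' => [249447]];

/**
 * Return the formatted body with the first placeholder swapped for the embed,
 * but only when the post is on the allowlist. Hypothetical helper name.
 */
function expandEmbed(string $type, $id, string $formattedBody): string
{
    // IDs read from a database often arrive as strings, so compare as ints.
    if (!in_array((int) $id, ALLOWED[$type] ?? [], true)) {
        return $formattedBody; // placeholder stays inert text
    }
    $pos = strpos($formattedBody, PLACEHOLDER);
    if ($pos === false) {
        return $formattedBody;
    }
    // Replace one occurrence only, so repeated tags cannot multiply the widget.
    return substr_replace($formattedBody, EMBED_HTML, $pos, strlen(PLACEHOLDER));
}

// Constructed sample posts: two allowlisted, one written by someone else.
$posts = [
    ['Discussion', '34044', 'Check out this campaign [gofundmescript] Thanks!'],
    ['Comment', 249447, '[gofundmescript][gofundmescript]'],
    ['Comment', 999999, str_repeat('[gofundmescript]', 3)], // not allowlisted
];
foreach ($posts as [$type, $id, $body]) {
    $out = expandEmbed($type, $id, $body);
    printf("%s %s: %d script tag(s)\n", $type, $id, substr_count($out, '<script'));
}
```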
