
This discussion is related to the EasyReply addon.

Comments

  • 422 Developer MVP

    Please don't link downloads to external sites via masked short URLs. Upload as a revised plugin if need be or speak to @underdog

  • matt ✭✭
    edited July 2016

    It's not a masked URL, it's a link to a file hosted on the CloudApp service.
    Here's a direct download version of the link: [removed]

    Not sure if @andelf is still around? Can @underdog help?

  • @matt Great job on this, cleared up some issues I was having with it for sure.

    @andelf should really assimilate your code, or you should spin it off.

  • Hello everyone,
    I have a small problem with this extension.
    In my case this extension does nothing. I mean I thought I would get <a href="#username">answer</a>, but when you click this link, the username should automatically be copied into the comment box area like @username.
    Is this what this plugin does, or does it just put the username in the link?

    I would appreciate it if you could reply asap.
    Thank you !!!

  • R_J Cheerleader & Troubleshooter Munich Moderator

    @vanillawhisky Have you read this comment and tried the version @matt has uploaded?

    @matt said:
    I've made some changes to this plugin to get it to work more reliably.
    Previously it would stop working if the textarea was edited, as mentioned by @Csabbencs

    It now uses val() rather than html() to check or modify the textarea contents, and the animate() call has also been changed to work more reliably.

    Download: http://cl.ly/2t3S02191S3j35231b17


  • River MVP
    edited July 2016

    @R_J said:
    @vanillawhisky Have you read this comment and tried the version @matt has uploaded?

    @matt said:
    I've made some changes to this plugin to get it to work more reliably.
    Previously it would stop working if the textarea was edited, as mentioned by @Csabbencs

    It now uses val() rather than html() to check or modify the textarea contents, and the animate() call has also been changed to work more reliably.

    Download: http://cl.ly/2t3S02191S3j35231b17

    But the modified plugin and the original EASYREPLY plugin both use

       public function Setup() {
          SaveToConfig('Garden.Html.SafeStyles',FALSE);    // make forum susceptible to clickjacking and other malicious coding
       }
    
       public function OnDisable() {
          RemoveFromConfig('Garden.Html.SafeStyles');
       }
    

    What this means is, if you enable the plugin from the dashboard, you will be disabling the protection from the HTMLAWED plugin that prevents users from injecting styles into a discussion.

    A malicious user could add some styles and make the discussion unusable, or you could be susceptible to clickjacking.

    It's your choice if you want to use it, but it is best to rely on either a TRUE statement in config.php OR no statement at all with regards to $Configuration['Garden']['Html']['SafeStyles'] in config.php.

    $Configuration['Garden']['Html']['SafeStyles'] = TRUE; // disallow style/class attributes in html to prevent click jacking

    but BE AWARE -- PUBLIC SERVICE ANNOUNCEMENT. CLICKJACKING AND OTHER STYLE VULNERABILITIES

    $Configuration['Garden']['Html']['SafeStyles'] = false; // will open you up to user mischief or clickjacking

    If you want to try a demo of what the potential deleterious impact of the EasyReply plugin might be:

    • 1 enable the easyreply plugin
    • 2 enter the following in a discussion on your forum

      <p style="color:red;font-size:500px; position: absolute;top: -5;left: 0;line-height: 90px;">Using Style Sheet Rules</p> 
      
    • 3 you will now see a large font that may obscure some of the page in the discussion where you cut and pasted the above code. This is a small token of what can occur by a user entry.

    • 4 you will probably want to remove the entry. you can delete the discussion or edit it. But first before deleting the discussions you can

    • 5 to prevent this from happening, go to your config.php and delete the line that says
      $Configuration['Garden']['Html']['SafeStyles'] = false;

    • once $Configuration['Garden']['Html']['SafeStyles'] = false; is removed or is set to true in your config.php you will be in a safer position with regards to users posting to your forum.

    the function of this plugin would be best changed so it does not invoke this function

       public function Setup() {
          SaveToConfig('Garden.Html.SafeStyles',FALSE);    // make forum susceptible to clickjacking and other malicious coding
       }
    

    Every time you enable easyreply in the dashboard it will prevent Safestyles from working as it should to keep you and your forum safe.

    At least you know now, and you can make an informed decision.

    from this discussion:

    https://vanillaforums.org/discussion/comment/242196/#Comment_242196

    @vanillawhisky said

    @River said:
    https://github.com/vanilla/vanilla/blob/7fcb213c7540d4c4fe04c3f6c0676f38df7e29e0/plugins/HtmLawed/class.htmlawed.plugin.php#L138

    as an aside you may not be aware that turning off safestyles may be a bit unsafe

    I didn't understand what you mean. Can you please make it a bit clearer.

    vanillawhisky, If you try my demo instructions above it should be crystal clear via visual representation on your forum.

    Pragmatism is all I have to offer. Avoiding the sidelines and providing centerline pro-tips.
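As an added example (not code from EasyReply or Vanilla core), the Python sketch below models what the SafeStyles switch controls: with it on, the style/class attributes in the demo payload above never reach the page; with it off, the payload renders exactly as posted. It also scans a constructed config.php for the `= false;` line the demo says to delete. The stripper and the flat config line format are assumptions of this example, not Vanilla's own implementation.

```python
import html
import re
from html.parser import HTMLParser

UNSAFE_ATTRS = {"style", "class"}  # what Vanilla's SafeStyles keeps out of posts

class _StyleStripper(HTMLParser):
    def __init__(self, safe_styles):
        super().__init__()
        self.safe_styles = safe_styles
        self.out = []

    def handle_starttag(self, tag, attrs):
        # With SafeStyles on, style/class never reach the rendered page.
        kept = [(k, v) for k, v in attrs if not (self.safe_styles and k in UNSAFE_ATTRS)]
        rendered = "".join(f' {k}="{html.escape(v or "", quote=True)}"' for k, v in kept)
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def filter_post(post_html, safe_styles):
    """Return post_html with style/class attributes removed when safe_styles is True."""
    parser = _StyleStripper(safe_styles)
    parser.feed(post_html)
    parser.close()
    return "".join(parser.out)

# Assumed flat config.php line written by SaveToConfig('Garden.Html.SafeStyles', FALSE).
SAFESTYLES_LINE = re.compile(
    r"\$Configuration\['Garden'\]\['Html'\]\['SafeStyles'\]\s*=\s*(true|false)\s*;", re.I)

def unsafe_config_lines(config_php):
    """1-based line numbers in config.php that set SafeStyles to false (the line to delete)."""
    return [n for n, line in enumerate(config_php.splitlines(), 1)
            if (m := SAFESTYLES_LINE.search(line)) and m.group(1).lower() == "false"]

# Constructed samples: the demo payload quoted in the thread and a config.php snippet.
DEMO_POST = ('<p style="color:red;font-size:500px; position: absolute;top: -5;'
             'left: 0;line-height: 90px;">Using Style Sheet Rules</p>')
CONFIG_PHP = """<?php if (!defined('APPLICATION')) exit();
$Configuration['Garden']['Html']['SafeStyles'] = TRUE;
$Configuration['Garden']['Html']['SafeStyles'] = false;  // written when EasyReply is enabled
"""

if __name__ == "__main__":
    print(filter_post(DEMO_POST, True))    # <p>Using Style Sheet Rules</p>
    print(filter_post(DEMO_POST, False))   # payload passes through unchanged
    print(unsafe_config_lines(CONFIG_PHP)) # [3]
```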

  • @River said:
    It's your choice if you want to use it, but it is best to rely on either a TRUE statement in config.php OR no statement at all with regards to $Configuration['Garden']['Html']['SafeStyles'] in config.php.

    $Configuration['Garden']['Html']['SafeStyles'] = TRUE; // disallow style/class attributes in html to prevent click jacking

    but BE AWARE -- PUBLIC SERVICE ANNOUNCEMENT. CLICKJACKING AND OTHER STYLE VULNERABILITIES

    $Configuration['Garden']['Html']['SafeStyles'] = false; // will open you up to user mischief or clickjacking

    If you want to try a demo of what the potential deleterious impact of the EasyReply plugin might be:

    Thanks for your tips.
    Making $Configuration['Garden']['Html']['SafeStyles'] = false/true; doesn't get what I want.
    However, I found something strange in my forum.
    During the page loading, this plugin (or say the answer button) works. That means I get @username in the textbox, but as soon as the page stops loading, this button works no more. I find this strange. I guess this is something to do with JavaScript.
    Is there any plugin which I can use instead of this EasyReply? I also tried the ReplyTo plugin but this creates a failure.

  • River MVP
    edited July 2016

    @linc what about deleting this EASYREPLY plugin because of the $Configuration['Garden']['Html']['SafeStyles'] issue,
    and R_J will eventually have a working replacement.

    Many people will not know they are adding a potential UNSAFE invite for a clickjacking security issue to their forum if they use this plugin.

    Pragmatism is all I have to offer. Avoiding the sidelines and providing centerline pro-tips.

  • River MVP
    edited July 2016

    @vanillawhisky said:

    Is there any plugin which I can use instead of this EasyReply? I also tried the ReplyTo plugin but this creates a failure.

    what is your goal? EasyReply and Replyto do two different things.

    one appends the name with an @ to a comment, the other creates a threaded discussion tree and both appear very old plugins.

    why don't you use the quote plugins?

    Without knowing what you are trying to achieve it is hard to make suggestions.

    @vanillawhisky said:

    should automatically copied in comment box area like @username.

    Is this what this plugins does or just puts username in the link?

    I think it just puts user name in link.

    why not use the quotes plugin that comes with the core?

    Pragmatism is all I have to offer. Avoiding the sidelines and providing centerline pro-tips.

  • @River said:

    why don't you use the quote plugins?
    why not use the quotes plugin that comes with the core?

    The quotes plugin quotes all the comments, which I don't need. I just need @username. Now I am using @R_J's plugin.

    After his second update, now it's working fine.

    Thank u @River and @R_J.

  • Linc Director of Development Detroit Vanilla Staff

    Addon removed. Also removing SafeStyles from core: https://github.com/vanilla/vanilla/pull/4231

  • @Linc said:
    Addon removed. Also removing SafeStyles from core: https://github.com/vanilla/vanilla/pull/4231

    THANK YOU!!!!!!

    Pragmatism is all I have to offer. Avoiding the sidelines and providing centerline pro-tips.
