1.5RC1 stripping HTML from Comments?


Spudooli
04-26-2006, 08:38 AM
I see RC1 is stripping HTML links from comments now. That's a good thing for the damn spammers, but not so good for my huge audience that loves to include links in their comments every now and then.
I've looked around the admin for a way to turn this off, but I think I must be going blind as I can't see it, or perhaps it's just not there.

PP Team, is there a way to strip or not strip the HTML in the Admin?

Thanks for RC1 by the way, it's mighty fine.

se.nsuo.us
04-26-2006, 08:57 AM
Try patching http://forum.pixelpost.org/showpost.php?p=23924&postcount=24

Spudooli
04-26-2006, 09:10 AM
Thanks se.nsuo.us.

I presume your patches actually also remove HTML links? Does it leave the URL in the comment? I'm trying to allow HTML links in comments as while problematic with spammers it's good for my commenters.

And also do your patches work with RC1 or just 1.5Beta?

se.nsuo.us
04-26-2006, 09:22 AM
Ummm... I guess some cross checking will be needed to ensure that it works with RC1, but I remember that it does leave links in comments.

If you just want the <a href="http://blah.com">my site</a> to remain in your comments, then open the file includes/functions.php and search for the line

$string = strip_tags($string);

and replace with $string = strip_tags($string,'<a>');

Let us know how it goes

Spudooli
04-26-2006, 09:28 AM
@se.nsuo.us: Thanks for your time in answering.

I've just commented out 2 lines in the function clean_coments. So now I have html capability back in my comments and means I don't risk anything.

As always, I appreciate your help

se.nsuo.us
04-26-2006, 09:30 AM
You are welcome; however, I must inform you that by doing what you did you do risk a cross-site scripting attack....

Spudooli
04-26-2006, 09:44 AM
Thanks for the warning. I figured that would be the case. I guess publishing it here will tempt fate, but for the moment I'm ok with that.
I'm not sure I'm good enough to check that your patch will work with the rest of my 1.5RC1 installation.

Connie
04-26-2006, 04:03 PM
You should be careful with HTML in comments.

It is possible to limit HTML commands by setting the allowed ones as additional parameters to strip_tags().

We decided to strip off HTML because of the many dangers.
I know that is not so comfortable for the users,
but links especially are very dangerous, because they can be used for code intrusion etc.

Spudooli
04-27-2006, 05:16 AM
Sen, I used your edit (message #4) and that is a fine compromise. Thanks again.
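
The trade-off discussed in this thread, as an added example that is not part of the original posts and is not Pixelpost code: strip_tags($string,'<a>') keeps the allowed tag together with all of its attributes, so event handlers and non-HTTP href schemes pass through. The helper names allow_a_only() and clean_comment_links() are hypothetical, and the sample comments are constructed.

```php
<?php
// Added example, not Pixelpost code; both function names are hypothetical.

// The edit from the thread: only <a> survives, but so do all its attributes.
function allow_a_only(string $s): string {
    return strip_tags($s, '<a>');
}

// Hardened variant: escape all text and rebuild each link from scratch,
// keeping nothing but an http(s) href (rel="nofollow" reduces spam value).
function clean_comment_links(string $s): string {
    $out = '';
    // Split into <a ...>text</a> spans and everything else.
    $parts = preg_split('~(<a\b[^>]*>.*?</a>)~is', $s, -1, PREG_SPLIT_DELIM_CAPTURE);
    foreach ($parts as $part) {
        if (preg_match('~^<a\b([^>]*)>(.*?)</a>$~is', $part, $m)) {
            $text = htmlspecialchars(strip_tags($m[2]), ENT_QUOTES, 'UTF-8');
            $href = '';
            if (preg_match('~\bhref\s*=\s*(["\'])(.*?)\1~is', $m[1], $h)) {
                $href = html_entity_decode(trim($h[2]), ENT_QUOTES, 'UTF-8');
            }
            $scheme = strtolower((string) parse_url($href, PHP_URL_SCHEME));
            if ($scheme === 'http' || $scheme === 'https') {
                $out .= '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8')
                      . '" rel="nofollow">' . $text . '</a>';
            } else {
                $out .= $text; // missing or non-http(s) href: keep the text only
            }
        } else {
            // Anything that is not a well-formed link is stripped and escaped.
            $out .= htmlspecialchars(strip_tags($part), ENT_QUOTES, 'UTF-8');
        }
    }
    return $out;
}

// Constructed sample comments.
$samples = [
    '<a href="http://blah.com">my site</a>',
    '<a href="http://blah.com" onmouseover="alert(1)">my site</a>',
    '<a href="javascript:alert(1)">my site</a>',
    '<b>bold</b> <script>alert(1)</script>',
];
foreach ($samples as $c) {
    echo "input : $c\n";
    echo "strip : " . allow_a_only($c) . "\n";
    echo "clean : " . clean_comment_links($c) . "\n\n";
}
```

For the second and third samples, the "strip" line is identical to the input, while the "clean" line keeps only the link text or a rebuilt http(s) link.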