Thanks for the reply. It looks possible to modify htmlarea to disable 'code-mode' for certain users and/or to remove certain types of html elements from the htmlarea "menu".

On second thought, this is not where the *real* security happens though. The real security needs to happen on the backend. (Otherwise someone can just "forge" a form and submit to your XOOPS site a piece of text containing any tags he/she wishes). So the backend is where the tag restrictions etc. must happen.

It would be nice for the site visitors if the front-end (i.e. htmlarea) matched the acceptable set of tags though.

Seems like a reasonably big job though entirely possible. If XOOPS does eventually adopt something like this, the *first* step is securing the back end possibly allowing non-admins to enter a limited set of tags. The next step would be adding the HTML area.

Remember also, not everyone likes HTMLareas. I much prefer editing in text mode (or code mode), and would prefer to see a textarea even if an htmlarea was supported. I'm sure there are at least a few others who would agree. Perhaps that could be a user preference.

My suggestion would be only to give webmaster access to WYSIWYG editors. There is to much of a risk in giving 'users' this option.

But in saying that I have been asked many times to allows 'users' (submit) access to the WYSIWYG editor within WF and I have refused.

But if they where, limits could be impossed via $myts as it was in XOOPS version 1 with 'allowed HTML' (which personally I would like to see back again) and that way Admin could control what HTML tags would be passed and allowed.

Just my one pence worth!

Well, i decided to come back to you because i saw you have a lot of questions about security and risks for htmlarea.

Follow my thoughts... You just need a decent editor for your site visitors and your editors. You can't expect your site visitors and even your editors to be able to write html - this is where every nuke like portal fails and it ends up to be webmaster-centric. I decided to go with XOOPS and it's been months now since the release of XOOPS 2.0.3 I'm still trying to find free time and complete the integration of htmlarea.

Security risks? Not at all. I just want to replace the (difficult to use by novices) bbcode editor. So, i only enabled bold, italics, underlines, left-center-right aligns and two or three more things. It's even more secure because noone can write even a single html command. The editor is responsible to convert the text to html. THAT simple...

Soon i will be ready to give you a preview of the htmlareea integration. Believe me... It's so beautiful and works so nice that all developers will start thinking the integration of an advanced editor inside the core. I really hope so because i already know that it is already impossible to upgrade my XOOPS engine to a newer version. The changes are so many that it's almost impossible...

Just to reiterate... it doesn't matter how limiting you are with your editing controls (e.g. stripping out most of buttons on htmlarea or whatever), there is always a risk. You cannot assume that someone with use *your* form to enter their post. An attacker can easily figure out how to make a local copy of that form, remove all the restrictions and send *arbitrary* HTML to your server.

i.e. the HTML area has all kinds of controls to set a field "content" which gets sent to the server when the form is POSTed. If using the HTMLarea then the things that go into that "content" field are controlled. If an attacker finds another way to set that "content" field (actually quite easy), then any security that the HTMLarea offers has been circumvented.

The security needs to be handled on the backend, and that is currently what is lacking XOOPS 2. Right now you can either 'enable HTML' or 'disable HTML'. The only way the htmlArea would be useful is if you 'enable HTML' for all posts. But because the backend does *NO* real tag checking, this will allow an attacker to upload arbitrary HTML to your server.

Anyways, not trying to say it is not worthwhile. I'm not sure it is 'necessary' to support this, but it does seem that more and more people want it. I'm just trying to point out the security issues are not as simple as many people think.

Just a thought here.. if HTMLaerea isn't stable and/or secure enough, is there a way to make bbcode more n00b friendly? perhaps add (admin pre-defined) styles for header, intro, links, images, etc?

The people using and maintaining the websites I made with XOOPS aren't tech wizzards at all. They're no communications experts either. Giving them the full range of HTML layout (like font, color, size etc.), they will ruin our coporate look (which was very expensive to create, and more expensive to maintain!).

So, wmy not bring together the best of both editors and create a secure, extended, configurable, n00b friendly text editor for xoops.

Herko

Quote:
Other than the needed extra data "cleaning" that is needed to allow HTML code in posts, this has always been my other reason to *not* want an html editor. For a community board maybe it is nice to allow people to change font color/face/size (??), but I don't think the result looks that great... and on a corporate support forum it will look extremely unprofessional. That leaves only 'bold', 'italic', 'heading', 'img'?, 'link', etc... The BB code already covers most of this in a very simple manner. There is also the 'color' code which is good as an alternative way to emphasize text, but it could in theory be abused. IMHO, the 'size' code should be dropped in place of a 'heading' code (possibly 2-3 levels worth of different styles).

Just to put a general question out there... what are the main difficulties with the BB code editor right now? IMHO, it doesn't seem any more difficult than HTMLarea to use. I usually just end up typing in the codes by hand, but I come form a programming background so this makes sense to me. Also I find typing the codes much faster. But what do others think? What is lacking and what makes htmlArea such a *great* alternative?

To make the editor 'configurable' (e.g. make certain tags/codes allowed or not) will bring up the same security issues as have been discussed with the htmlarea. The security threat here though is only the 'look' of the site, wheras with html could be far worse.

Quote:

Depends on the htmlarea buttons you'll "give" them...

Quote:

As developers we usualy can't look inside the users head, we think different, I used to end up giving too much options to the users, which made them not using any of them in the end.

So I started folowing my users (not just Xoops, but a lot of systems We made), and I'm talking about thousands of users: munivipalities, big companies and so... and I found out the abious answere - the most important thing for a user, almost all skills levels is the INTUITIVITY - they'll use something they are used to it (WYSIWYG looks like their WORD editor, and that's it ... they need the confidance of the friendly interface).

Xoops users might not need it so much, but the editors/moderators which are content ppls and not tech ppls, needs it badly, and when I gave them the option, they used WYSIWYG about 400% more then with the original BBCODE....I had to take off the wysiwyg hack for XOOPS 1.3.x, due to a very buggy hack, but I was very sorry about it.

So in the end we stayed with this answere:
users will use WYSIWYG much more then the BBcode, will feel much better with it, we simply need to think "how to" , "who to give the HTMLAREA options to" and "how much (options) to" to give, and be aware that every CMS will use it soon, due to the reason we all know - everything runs forward, not backwards !!!

Quote:

The answere is in the question - ppl's like to give their feelings, not just their content, and they do it with bold, colorfull fonts, they need the "redo - undo" of the WYSIWYG, the "copy - paste" is good for the comon user that don't know the CTRL+C and CTRL+V, the "find and replace for big articles, tables ability, special characters ability, "align right ... align left" , and, well, do I need to go on with this...

Quote:

That's the point: it's almost the same security issues as the BBcode, that's the reasons it needs to be done by the XOOPS developers, and not as a CORE hack - it needs a lot of thinking and planing, but a good integration of it to the core (even just for the editors/moderators) will bring XOOPS one level up as a leading CMS (though to my opinion it's in the top right now !!!)

WOW - this was long !!!!!!!!!!!!!!!
The XOOPS community done it again - I just come to see what's new and I ends up with killing a half work day, but well .. using XOOPS and seeing how much ppl's help to each others worth the effort !!!

is that another vote for htmlarea?

Yep Nautis
It sure is !!!!

I said everything above, but I sure hope the next XOOPS version will include wysiwyg as an options for selected groups (That way Security hazard will be reduced)

I have succesfully applied htmlarea as a replacement to the original bbcode editor for our XOOPS Community. You can check it HERE

It works like a charm and i don't think there are any security issues because all special tags are removed on pasting and there is noaccess for the user to directly type html. What do you think?