1
tzvook
inTHEtube - Spice your web - version 9.0.1
  • 2008/4/11 6:53

  • tzvook

  • Just can't stay away

  • Posts: 875

  • Since: 2003/2/1 2


I chose to start a thread in the forum , continuing this news post (much easy to folow and, posts can be edited and can be bumped when there is a new version)

inTHEtube is a tiny (zipped in less then 30kb zip file) - but very colorful module to your XOOPS site, letting you add YouTube search and/or custum-keywords videos to your site.
Search results from youTube are presented as thumbnails in your site and also the real-size videos are presented in your site (future version will let you choose if to embed the movies in your site or lead to the video @ YouTube.

inTHEtube is great for spicing up your sites, adding some colour and movement ...

Screenshot:
Resized Image

Module features:
1. you can choose as much keywords as you want, each keyword with the number of videos you want it to show is defined in the admin side and presented at the user side (scroll-down menu with the the keywords).
2. you can choose which keyword(s) will be the default and it's videos will be shown in the first module page.
3. you can choose it to show search box or not (at the admin)
4. you can choose if to show custum keywords or not (in the fron-end side).
5. you can call the module with a url - means other modules can wake the inTHEtube from withing .... (details below).
6. you can limit the results to your YouTube account only (see the code below, will be @ the admin in future versions).
7. thumbnails are pulling the "alt" and "title" of the movie from youtube.
8. Search is AJAX based with no reaload of your page.
9. When making a new search, a new results line is apearing without deleting your last search.
10. More to come ...

Demo and download in our site: Gifts45 -
Gifts & Shopping Directory


Compability:
xoops version 2.0.x , 2.2.x
(tested just with 2.2.4 , but should work with all versions)
Should also work with the "clones" (Cube + ?????Cms) , though wasn't tested.

Installation:
Upload to modules directory and install as usual...
Change the title of the block from gifts to whatever keyword you choose as your default keyword.
Set up other config options in the XOOPS Preferences for the module...

Interaction with other modules:
You can call inTHEtube from anywhere (or any other XOOPS module) with a url call (like:
http://www.mysite.com/modules/inthetu ... ber_of_videos_to_show>
so it's easy to add it to XOOPS search or cbb search or any other module (tags , article and so on ...)

Making the module working with your YouTube account:
To show only videos from your account :

open inthetube/templates/inthetube.html

look for:
<!-- Start your keywords results -->
<
h2>YouTube video search: <{$inthetubekeywords}></h2>
<
div id="youtubeDiv" style="display: block; clear: both">
</
div>
<
script>
insertVideos('youtubeDiv','search','<{$inthetubekeywords}>','<{$inthetubenum}>',1);
</
script>
<!-- 
End your keywords results -->


Replace with:
<!-- Start your keywords results -->
<
h2>YouTube video search: <{$inthetubekeywords}></h2>
<
div id="youtubeDivUser" style="display: block; clear: both">
</
div>
<
script>
insertVideos('youtubeDivUser','[b]--user--[/b]','<{$inthetubekeywords}>','<{$inthetubenum}>',1);
</
script>
<!-- 
End your keywords results -->


Just replace "--user--" with your YouTube username

Issues/bugs:
No known bugs (yet?) ... but there are some Ajax issues with some charsets, and the module won't send the keywords to Youtube as it should ...
Those are incompibilities with the charsets defined in your site and are not always connected to the content being sent by the module to youTube.
(means: you can use utf-8 instead of iso-8859-6 , iso-8859-8 or windows-1255)
For now I only know of arabic and hebrew that has the issue.

Comments are welcome - especially since the module is ajax and css based, and when dealing with a lot of client-side staff, there might always be browsers incompibilities ... (none reported yet).

while in our site ( http://www.gifts45.com ) feel free to add your site (gifts or shopping related) and promote it @ the forums ... for free ofcourse

Versions (changelog)

verion 0.9.0:
First realease.
The module code is still a bit masssy and should be cleaned.
Most of the language vars are hardcoded.
Still no blocks.
[b]Still - it's ready for production/[b], so it better serve the one that need a little spice for their site.

verion 0.9.1:
Added titles of the movies in thumbnails.
Language has been cleaned a bit.
Added instructions of how to limit results to your youtube account (readme file)
Added instructions of how to lead results to youtube instead of opening in your site (overlay) (readme file)

Enjoy
Tzvook

2
phppp
Re: inTHEtube - Spice your web - version 9.0.1
  • 2008/4/11 7:25

  • phppp

  • XOOPS Contributor

  • Posts: 2857

  • Since: 2004/1/25


You might need to sanitize some of the inputs from user input, e.g. $_GET['keyword'], $_GET['num']

BTW: version number in title is wrongly typed.

3
tzvook
Re: inTHEtube - Spice your web - version 9.0.1
  • 2008/4/11 8:56

  • tzvook

  • Just can't stay away

  • Posts: 875

  • Since: 2003/2/1 2


10x DJ, you're right

Since I'm kinda new to it: is this right (it works and seems ok, I just wonder if it gets sanitized as it should) ??????/

Turning this:
if(!isset($_GET['keyword'])){
    
$result $xoopsDB->query"SELECT * FROM ".$xoopsDB->prefix("inthetube")." WHERE `default` = 'true' LIMIT 1" ) ;
    
$myrow $xoopsDB->fetchArray($result);
}else{
    
$result "spam";
    
$myrow['name'] = $_GET['keyword'];
    
$myrow['code'] = $_GET['num'];
}


To this:

if(!isset($_GET['keyword'])){
$myts =& MyTextSanitizer::getInstance();
$keyword $myts->stripSlashesGPC(trim($_GET['keyword']));
$num $myts->stripSlashesGPC(trim($_GET['num']));
    
$result $xoopsDB->query"SELECT * FROM ".$xoopsDB->prefix("inthetube")." WHERE `default` = 'true' LIMIT 1" ) ;
    
$myrow $xoopsDB->fetchArray($result);
}else{
    
$result "spam";
    
$myrow['name'] = $_GET['keyword'];
    
$myrow['code'] = $_GET['num'];
}


Since $_GET is being used, maybe "htmlspecialchars" is a good idea ?

Waiting for an answere to post 9.0.3 fixed and with a help file @ admin ...

WOW - those red "Why not take a break and come back in 30 sec" massages are bad for quick editing ppls

4
maxxy
Re: inTHEtube - Spice your web - version 9.0.1
  • 2008/4/11 13:22

  • maxxy

  • Quite a regular

  • Posts: 286

  • Since: 2007/6/11


thanks...

keep up the good work

5
tzvook
Re: inTHEtube - Spice your web - version 9.0.1
  • 2008/4/12 6:50

  • tzvook

  • Just can't stay away

  • Posts: 875

  • Since: 2003/2/1 2


Bump
Someone ? ... does this code make sense with sanitizing ?

6
phppp
Re: inTHEtube - Spice your web - version 9.0.1
  • 2008/4/12 7:56

  • phppp

  • XOOPS Contributor

  • Posts: 2857

  • Since: 2004/1/25


if(!isset($_GET['keyword'])){
$myts =& MyTextSanitizer::getInstance();
$keyword = $myts->stripSlashesGPC(trim($_GET['keyword']));
// The 'keyword' needs no filtering since it is used as a boolean if I understand correctly

$num = $myts->stripSlashesGPC(trim($_GET['num']));
$result = $xoopsDB->query( "SELECT * FROM ".$xoopsDB->prefix("inthetube")." WHERE `default` = 'true' LIMIT 1" ) ;
$myrow = $xoopsDB->fetchArray($result);
}else{
$result = "spam";
$myrow['name'] = $_GET['keyword'];
// 'name' should be sanitized since it will be sent back to client side directly, which could lead to XSS vulns
// Use htmlspecialchars function directly unless you have specific reason to use myts methods, or use data type specified sanitizer e.g. intval(), which will be encouraged in XOOPS 3
$myrow['code'] = $_GET['num'];
// the 'num' is also sent back to client side, thus should be sanitized
}

7
tzvook
Re: inTHEtube - Spice your web - version 9.0.1
  • 2008/4/13 0:42

  • tzvook

  • Just can't stay away

  • Posts: 875

  • Since: 2003/2/1 2


10x
version 0.9.2 is here

8
phppp
Re: inTHEtube - Spice your web - version 9.0.1
  • 2008/4/13 14:06

  • phppp

  • XOOPS Contributor

  • Posts: 2857

  • Since: 2004/1/25


Some points -
All inputs from user side should be taken care of:
1 from _POST
2 from _GET
3 from _COOKIE

that will be delivered to:
1 database queries
2 client browsers

"Taken care of" means:
1 safe: not break db query or HTML syntax
2 secure: not lead to sql injection or XSS

I am going to write an article about Security Considerations in XOOPS Development. If anyone has relevant materials or willing to help, please let me know.

9
tzvook
Re: inTHEtube - Spice your web - version 9.0.1
  • 2008/4/13 14:52

  • tzvook

  • Just can't stay away

  • Posts: 875

  • Since: 2003/2/1 2


Quote:

phppp wrote:
Some points -
All inputs from user side should be taken care of:
1 from _POST
2 from _GET
3 from _COOKIE

that will be delivered to:
1 database queries
2 client browsers

"Taken care of" means:
1 safe: not break db query or HTML syntax
2 secure: not lead to sql injection or XSS


For sure "safe" is most important !!!
So .... is the changed code safe enough ?

if(isset($_GET['showkeywords'])){
    
$xoopsModuleConfig['customkeywords'] = $_GET['showkeywords'];
}

if(!isset(
$_GET['keyword'])){
$myts =& MyTextSanitizer::getInstance();
$keyword $myts->stripSlashesGPC(trim($_GET['keyword']));
$num $myts->stripSlashesGPC(trim($_GET['num']));

    
$result $xoopsDB->query"SELECT * FROM ".$xoopsDB->prefix("inthetube")." WHERE `default` = 'true' LIMIT 1" ) ;
    
$myrow $xoopsDB->fetchArray($result);
}else{
    
$myts =& MyTextSanitizer::getInstance();
    
$result "spam";

    
$tzsanitize $myts->htmlSpecialChars($myts->stripSlashesGPC($_GET['keyword']));

    
$myrow['name'] = $myts->htmlSpecialChars($tzsanitize);
    
$myrow['code'] = $myts->htmlSpecialChars($myts->stripSlashesGPC($_GET['num']));

}


Again - my first module, and I'm not so sure of myself with security here ... but the "$_GET" lets the module be called from other modules (or sites) easily ...
basically the call to youtube is a client side thing, but ...

10
Peekay
Re: inTHEtube - Spice your web - version 9.0.1
  • 2008/4/13 15:06

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


Quote:

phppp wrote:

I am going to write an article about Security Considerations in XOOPS Development...

That would be a *very* valuable article. A step-by-step on making user input safe would be fantastic, especially for those people who are developing for XOOPS for the first time.

On topic - inTHEtube looks really cool, especially the ability to restrict to a single YouTube account.
A thread is for life. Not just for Christmas.

Login

Who's Online

61 user(s) are online (35 user(s) are browsing Support Forums)


Members: 0


Guests: 61


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Jul 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits