xoops forums

tzvook (Just can't stay away, Posts: 854, Since: 2003/2/1 2)
Posted on: 2008/4/11 6:53
#1

inTHEtube - Spice your web - version 9.0.1

I chose to start a thread in the forum, continuing this news post (much easier to follow, and posts can be edited and bumped when there is a new version).

inTHEtube is a tiny (less than 30kb zipped) but very colorful module for your XOOPS site, letting you add YouTube search and/or custom-keyword videos to your site.
Search results from YouTube are presented as thumbnails in your site, and the real-size videos are also presented in your site (a future version will let you choose whether to embed the movies in your site or lead to the video @ YouTube).

inTHEtube is great for spicing up your sites, adding some colour and movement ...

Screenshot:

Module features:
1. You can choose as many keywords as you want; each keyword, with the number of videos you want it to show, is defined on the admin side and presented on the user side (scroll-down menu with the keywords).
2. You can choose which keyword(s) will be the default; its videos will be shown on the first module page.
3. You can choose whether to show the search box or not (in the admin).
4. You can choose whether to show custom keywords or not (on the front-end side).
5. You can call the module with a URL, meaning other modules can wake inTHEtube from within (details below).
6. You can limit the results to your YouTube account only (see the code below; will be in the admin in future versions).
7. Thumbnails pull the "alt" and "title" of the movie from YouTube.
8. Search is AJAX based, with no reload of your page.
9. When making a new search, a new results line appears without deleting your last search.
10. More to come ...

Demo and download in our site: Gifts45 -
Gifts & Shopping Directory


Compatibility:
xoops version 2.0.x , 2.2.x
(tested just with 2.2.4 , but should work with all versions)
Should also work with the "clones" (Cube + ?????Cms) , though wasn't tested.

Installation:
Upload to modules directory and install as usual...
Change the title of the block from gifts to whatever keyword you choose as your default keyword.
Set up other config options in the XOOPS Preferences for the module...

Interaction with other modules:
You can call inTHEtube from anywhere (or any other XOOPS module) with a url call (like:
http://www.mysite.com/modules/inthetu ... ber_of_videos_to_show>
so it's easy to add it to XOOPS search or cbb search or any other module (tags , article and so on ...)

Making the module working with your YouTube account:
To show only videos from your account :

open inthetube/templates/inthetube.html

look for:

<!-- Start your keywords results -->
<h2>YouTube video search: <{$inthetubekeywords}></h2>
<div id="youtubeDiv" style="display: block; clear: both"></div>
<script>
insertVideos('youtubeDiv','search','<{$inthetubekeywords}>','<{$inthetubenum}>',1);
</script>
<!-- End your keywords results -->


Replace with:

<!-- Start your keywords results -->
<h2>YouTube video search: <{$inthetubekeywords}></h2>
<div id="youtubeDivUser" style="display: block; clear: both"></div>
<script>
insertVideos('youtubeDivUser','--user--','<{$inthetubekeywords}>','<{$inthetubenum}>',1);
</script>
<!-- End your keywords results -->


Just replace "--user--" with your YouTube username.

Issues/bugs:
No known bugs (yet?) ... but there are some AJAX issues with some charsets, and the module won't send the keywords to YouTube as it should ...
Those are incompatibilities with the charsets defined in your site and are not always connected to the content being sent by the module to YouTube.
(Meaning: you can use utf-8 instead of iso-8859-6, iso-8859-8 or windows-1255.)
For now I only know of Arabic and Hebrew that have the issue.

Comments are welcome - especially since the module is AJAX and CSS based, and when dealing with a lot of client-side stuff there might always be browser incompatibilities ... (none reported yet).

While in our site ( http://www.gifts45.com ) feel free to add your site (gifts or shopping related) and promote it @ the forums ... for free, of course.

Versions (changelog)

version 0.9.0:
First release.
The module code is still a bit messy and should be cleaned.
Most of the language vars are hardcoded.
Still no blocks.
Still - it's ready for production, so it can serve those who need a little spice for their site.

version 0.9.1:
Added titles of the movies in thumbnails.
Language has been cleaned a bit.
Added instructions on how to limit results to your YouTube account (readme file).
Added instructions on how to lead results to YouTube instead of opening in your site (overlay) (readme file).

Enjoy
Tzvook

phppp (XOOPS Contributor, Posts: 2857, Since: 2004/1/25)
Posted on: 2008/4/11 7:25
#2

Re: inTHEtube - Spice your web - version 9.0.1

You might need to sanitize some of the inputs from user input, e.g. $_GET['keyword'], $_GET['num']

BTW: version number in title is wrongly typed.

tzvook (Just can't stay away, Posts: 854, Since: 2003/2/1 2)
Posted on: 2008/4/11 8:56
#3

Re: inTHEtube - Spice your web - version 9.0.1

10x DJ, you're right

Since I'm kinda new to it: is this right (it works and seems OK, I just wonder if it gets sanitized as it should)?

Turning this:

if(!isset($_GET['keyword'])){
    $result = $xoopsDB->query( "SELECT * FROM ".$xoopsDB->prefix("inthetube")." WHERE `default` = 'true' LIMIT 1" ) ;
    $myrow = $xoopsDB->fetchArray($result);
}else{
    $result = "spam";
    $myrow['name'] = $_GET['keyword'];
    $myrow['code'] = $_GET['num'];
}

To this:

if(!isset($_GET['keyword'])){
    $myts =& MyTextSanitizer::getInstance();
    $keyword = $myts->stripSlashesGPC(trim($_GET['keyword']));
    $num = $myts->stripSlashesGPC(trim($_GET['num']));
    $result = $xoopsDB->query( "SELECT * FROM ".$xoopsDB->prefix("inthetube")." WHERE `default` = 'true' LIMIT 1" ) ;
    $myrow = $xoopsDB->fetchArray($result);
}else{
    $result = "spam";
    $myrow['name'] = $_GET['keyword'];
    $myrow['code'] = $_GET['num'];
}


Since $_GET is being used, maybe "htmlspecialchars" is a good idea ?

Waiting for an answer to post 9.0.3 fixed and with a help file @ admin ...

WOW - those red "Why not take a break and come back in 30 sec" messages are bad for quick-editing people

maxxy (Quite a regular, Posts: 286, Since: 2007/6/11)
Posted on: 2008/4/11 13:22
#4

Re: inTHEtube - Spice your web - version 9.0.1

thanks...

keep up the good work

tzvook (Just can't stay away, Posts: 854, Since: 2003/2/1 2)
Posted on: 2008/4/12 6:50
#5

Re: inTHEtube - Spice your web - version 9.0.1

Bump
Someone ? ... does this code make sense with sanitizing ?

phppp (XOOPS Contributor, Posts: 2857, Since: 2004/1/25)
Posted on: 2008/4/12 7:56
#6

Re: inTHEtube - Spice your web - version 9.0.1

if(!isset($_GET['keyword'])){
    $myts =& MyTextSanitizer::getInstance();
    $keyword = $myts->stripSlashesGPC(trim($_GET['keyword']));
    // The 'keyword' needs no filtering since it is used as a boolean if I understand correctly

    $num = $myts->stripSlashesGPC(trim($_GET['num']));
    $result = $xoopsDB->query( "SELECT * FROM ".$xoopsDB->prefix("inthetube")." WHERE `default` = 'true' LIMIT 1" ) ;
    $myrow = $xoopsDB->fetchArray($result);
}else{
    $result = "spam";
    $myrow['name'] = $_GET['keyword'];
    // 'name' should be sanitized since it will be sent back to client side directly, which could lead to XSS vulns
    // Use htmlspecialchars function directly unless you have specific reason to use myts methods, or use data type specified sanitizer e.g. intval(), which will be encouraged in XOOPS 3
    $myrow['code'] = $_GET['num'];
    // the 'num' is also sent back to client side, thus should be sanitized
}

tzvook (Just can't stay away, Posts: 854, Since: 2003/2/1 2)
Posted on: 2008/4/13 0:42
#7

Re: inTHEtube - Spice your web - version 9.0.1

10x
version 0.9.2 is here

phppp (XOOPS Contributor, Posts: 2857, Since: 2004/1/25)
Posted on: 2008/4/13 14:06
#8

Re: inTHEtube - Spice your web - version 9.0.1

Some points -
All inputs from user side should be taken care of:
1 from _POST
2 from _GET
3 from _COOKIE

that will be delivered to:
1 database queries
2 client browsers

"Taken care of" means:
1 safe: not break db query or HTML syntax
2 secure: not lead to sql injection or XSS

I am going to write an article about Security Considerations in XOOPS Development. If anyone has relevant materials or willing to help, please let me know.

tzvook (Just can't stay away, Posts: 854, Since: 2003/2/1 2)
Posted on: 2008/4/13 14:52
#9

Re: inTHEtube - Spice your web - version 9.0.1

Quote:

phppp wrote:
Some points -
All inputs from user side should be taken care of:
1 from _POST
2 from _GET
3 from _COOKIE

that will be delivered to:
1 database queries
2 client browsers

"Taken care of" means:
1 safe: not break db query or HTML syntax
2 secure: not lead to sql injection or XSS


For sure "safe" is most important !!!
So .... is the changed code safe enough ?

if(isset($_GET['showkeywords'])){
    $xoopsModuleConfig['customkeywords'] = $_GET['showkeywords'];
}

if(!isset($_GET['keyword'])){
    $myts =& MyTextSanitizer::getInstance();
    $keyword = $myts->stripSlashesGPC(trim($_GET['keyword']));
    $num = $myts->stripSlashesGPC(trim($_GET['num']));

    $result = $xoopsDB->query( "SELECT * FROM ".$xoopsDB->prefix("inthetube")." WHERE `default` = 'true' LIMIT 1" ) ;
    $myrow = $xoopsDB->fetchArray($result);
}else{
    $myts =& MyTextSanitizer::getInstance();
    $result = "spam";

    $tzsanitize = $myts->htmlSpecialChars($myts->stripSlashesGPC($_GET['keyword']));

    $myrow['name'] = $myts->htmlSpecialChars($tzsanitize);
    $myrow['code'] = $myts->htmlSpecialChars($myts->stripSlashesGPC($_GET['num']));
}


Again - my first module, and I'm not so sure of myself with security here ... but the "$_GET" lets the module be called from other modules (or sites) easily ...
basically the call to youtube is a client side thing, but ...
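The request handling discussed in posts #6, #8 and #9, written out as an added example that is neither the inTHEtube module's code nor any poster's; it uses plain PHP builtins (intval casting, htmlspecialchars, json_encode) in place of XOOPS's MyTextSanitizer so it runs outside XOOPS, and the helper name resolveRequest and the request array parameter are assumptions.

```php
<?php
// Added example, not the inTHEtube module's code. The request array is a
// parameter (assumed helper name resolveRequest) so the function can be run
// without XOOPS; plain PHP builtins stand in for MyTextSanitizer.
function resolveRequest(array $get, int $defaultNum = 10): array
{
    // 'num' is a count: coerce to int and clamp. An int needs no escaping in
    // a LIMIT clause or in the insertVideos() JavaScript call.
    $num = isset($get['num']) ? (int) $get['num'] : $defaultNum;
    if ($num < 1 || $num > 50) {
        $num = $defaultNum;
    }

    // 'showkeywords' toggles a config switch: reduce it to a boolean rather
    // than copying the raw request string into $xoopsModuleConfig.
    $showKeywords = isset($get['showkeywords'])
        && in_array($get['showkeywords'], ['1', 'true'], true);

    if (!isset($get['keyword'])) {
        // No keyword supplied: the default row is read from the database with
        // a query that contains no request data, so there is nothing to escape.
        return ['source' => 'db', 'num' => $num, 'showkeywords' => $showKeywords];
    }

    // A supplied keyword is free text echoed into two contexts: the <h2>
    // (HTML) and the quoted argument of insertVideos() (JavaScript). Each
    // context gets its own encoding, applied exactly once; encoding the same
    // value twice, as in the thread's revised code, renders "&amp;" literally.
    // stripSlashesGPC is only meaningful with magic_quotes_gpc (removed in
    // PHP 5.4) and is left out here.
    $keyword = mb_substr(trim((string) $get['keyword']), 0, 100, 'UTF-8');

    return [
        'source'       => 'request',
        // for <h2>YouTube video search: ...</h2> and HTML attributes
        'name'         => htmlspecialchars($keyword, ENT_QUOTES, 'UTF-8'),
        // a complete JS string literal (quotes included) for the script block,
        // with < > ' " & hex-escaped so it cannot close the <script> tag
        'name_js'      => json_encode($keyword, JSON_HEX_TAG | JSON_HEX_APOS
                                              | JSON_HEX_QUOT | JSON_HEX_AMP),
        'code'         => $num,
        'showkeywords' => $showKeywords,
    ];
}

// Constructed request: a keyword that would break both contexts if echoed raw,
// and an out-of-range count that falls back to the default.
var_dump(resolveRequest(['keyword' => "cats'); alert(1); //<b>", 'num' => '9999']));
```

In the template, name_js would replace the single-quoted `'<{$inthetubekeywords}>'` argument without the surrounding quotes, since json_encode supplies them.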

Peekay (XOOPS is my life!, Posts: 2335, Since: 2004/11/20)
Posted on: 2008/4/13 15:06
#10

Re: inTHEtube - Spice your web - version 9.0.1

Quote:

phppp wrote:

I am going to write an article about Security Considerations in XOOPS Development...

That would be a *very* valuable article. A step-by-step on making user input safe would be fantastic, especially for those people who are developing for XOOPS for the first time.

On topic - inTHEtube looks really cool, especially the ability to restrict to a single YouTube account.
A thread is for life. Not just for Christmas.