Whitelist all the code inside of a div tag?


(Alex Rabolin) #1

Hello,

I would like to know if it would be possible to whitelist all the code inside a div tag, regardless of the code (in a forum post)?

I guess not, and I must whitelist each tag in a plugin?

Sorry for my bad English and thank you in advance.


(Régis Hanol) #2

That could be dangerous. What exactly are you trying to achieve?


(Alex Rabolin) #3

I manage a kitesurfing site and I'd like to do a weather category.
With a webcam image and three wind forecast windows, like in the pictures.

Here's the code:

windfinder

```html
<script type="text/javascript" src="https://fr.windfinder.com/widget/forecast/js/lac_des_rousses?unit_wave=m&unit_rain=mm&unit_temperature=c&unit_wind=kts&columns=2&days=4&show_day=1&show_pressure=0&show_waves=0"></script><noscript><a href='https://www.windfinder.com/forecast/lac_des_rousses?utm_source=forecast&utm_medium=web&utm_campaign=homepageweather&utm_content=noscript-forecast'>Wind forecast for Lac des Rousses</a> provided by <a href='https://www.windfinder.com?utm_source=forecast&utm_medium=web&utm_campaign=homepageweather&utm_content=noscript-logo'>windfinder.com</a></noscript>
```

meteoblue

```html
<iframe src="https://www.meteoblue.com/fr/meteo/widget/daily/les-rousses_france_6455993?geoloc=fixed&days=7&tempunit=CELSIUS&windunit=KNOT&coloured=coloured&pictoicon=1&maxtemperature=1&windspeed=1&windgust=1&winddirection=1&precipitation=1&precipitationprobability=1&spot=1&layout=light" frameborder="0" scrolling="NO" allowtransparency="true" sandbox="allow-same-origin allow-scripts allow-popups" style="width: 378px;height: 360px"></iframe>
```

and windguru

```html
<script src="http://widget.windguru.cz/js/wg_widget.php" type="text/javascript"></script>
<script language="JavaScript" type="text/javascript">
//<![CDATA[
WgWidget({
  s: 218410, odh: 8, doh: 20, wj: 'knots', tj: 'c', waj: 'm', fhours: 72, lng: 'fr',
  params: ['WINDSPD', 'GUST', 'SMER', 'TMPE', 'CDC', 'APCPs'],
  first_row: true,
  spotname: true,
  first_row_minfo: false,
  last_row: false,
  lat_lon: true,
  tz: true,
  sun: true,
  link_archive: false,
  link_new_window: true
},
'wg_target_div_218410_97924000'
);
//]]>
</script>
<div id="wg_target_div_218410_97924000"></div>
```

(Alex Rabolin) #4

Maybe with a plugin like this:

.js

```js
(function() {
  Discourse.Markdown.whiteListTag('script', 'src', '*');
  Discourse.Markdown.whiteListTag('iframe', 'src', '*');
})();
```

.js.es6

```js
import { registerOption } from 'pretty-text/pretty-text';

registerOption((siteSettings, opts) => {
  opts.features["..."] = true;
});

export function setup(helper) {
  helper.whiteList(['script[src]']);
  helper.whiteList(['iframe[src]']);
}
```

How can I whitelist a class in a theme?

(Mittineague) #5

If you do that I most certainly want to never visit your forum.

Allowing posts to have inserted JavaScript / iframe code is an extremely bad idea.

It opens up the possibility of all kinds of problems ranging from cookie theft to click-jacking to spreading malware and who knows what else.

If you want content from those three specific domains, please, allow only content from those three specific domains and not "*".


(Alex Rabolin) #6

Thanks a lot @Mittineague.
I agree entirely with you, it's just that I'm a newbie and I do not know how to allow only content from those three specific domains.

For the iframe of meteoblue, it's possible with this plugin I think (GitHub - scossar/whitelist-iframe: Discourse plugin to add urls to Discourse.Markdown._validIframes) but I'd rather get there without a plugin if possible, or with my own plugin.

For scripts I have searched but I did not find anything and I have no idea.
Maybe replace "*" with the URL? I think not.

And I don't understand how to do that because the code of the third domain contains:

- a `<script>` tag with a URL (src)
- and a JavaScript script
- and a `<div>` tag

Like this:

```html
<script src="http://widget.windguru.cz/js/wg_widget.php" type="text/javascript"></script>
<script language="JavaScript" type="text/javascript">
//<![CDATA[
WgWidget({
  s: 218410, odh: 8, doh: 20, wj: 'knots', tj: 'c', waj: 'm', fhours: 72, lng: 'fr',
  params: ['WINDSPD', 'GUST', 'SMER', 'TMPE', 'CDC', 'APCPs'],
  first_row: true,
  spotname: true,
  first_row_minfo: false,
  last_row: false,
  lat_lon: true,
  tz: true,
  sun: true,
  link_archive: false,
  link_new_window: true
},
'wg_target_div_218410_97924000'
);
//]]>
</script>
<div id="wg_target_div_218410_97924000"></div>
```

If you can help me so that my forum is not vulnerable and I can just use these three domains and the weather widgets they offer as iframe and JavaScript.

In any case, a big thank you already for taking the time to help me :+1::+1::+1:


(Mittineague) #7

Try a separate whitelist line for each, hard-coding as deep as you can that will still work and wildcarding only what you need to (the *), e.g.

https://fr.windfinder.com/widget/forecast/js/*
https://www.meteoblue.com/fr/meteo/widget/daily/*
http://widget.windguru.cz/js/wg_widget.php
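
One way to apply that advice in a plugin's own checking code, as an added example that is not part of this thread and not Discourse's `whiteListTag` implementation: the pattern list is the one from the post above, and `isAllowedSrc` is an assumed helper that only widens the path with a trailing `*`, never the scheme or host.

```javascript
// Added example, not Discourse's whiteListTag: decide whether a user-supplied
// src attribute matches one of the allowlist lines from post #7.
// Only a trailing "*" is a wildcard, and it may widen only the path; scheme,
// host and port must match exactly, so a bare "*" never matches anything.
const ALLOWED_SRC = [
  'https://fr.windfinder.com/widget/forecast/js/*',
  'https://www.meteoblue.com/fr/meteo/widget/daily/*',
  'http://widget.windguru.cz/js/wg_widget.php',
];

function parsePattern(pattern) {
  const wildcard = pattern.endsWith('*');
  const base = wildcard ? pattern.slice(0, -1) : pattern;
  try {
    const u = new URL(base); // a bare "*" leaves "" here, which throws
    return { origin: u.origin, path: u.pathname, wildcard };
  } catch (_err) {
    return null; // a malformed pattern matches nothing rather than everything
  }
}

function isAllowedSrc(src, patterns = ALLOWED_SRC) {
  let u;
  try {
    u = new URL(src); // relative URLs are rejected outright
  } catch (_err) {
    return false;
  }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return false; // javascript:, data:
  if (u.username || u.password) return false; // no "https://host@other/..." tricks
  return patterns.some((pattern) => {
    const p = parsePattern(pattern);
    if (!p || u.origin !== p.origin) return false; // exact scheme, host and port
    // URL() already collapses "/../" segments, so the prefix test runs on the
    // normalised path and cannot be escaped with dot-dot sequences.
    return p.wildcard ? u.pathname.startsWith(p.path) : u.pathname === p.path;
  });
}
```

The real widget URLs from the earlier posts pass, while a lookalike host such as `fr.windfinder.com.evil.example` or a `javascript:` src is refused.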

(Alex Rabolin) #8

If I understand, like this:

.js

```js
(function() {
  Discourse.Markdown.whiteListTag('script', 'src', 'https://fr.windfinder.com/widget/forecast/js/*');
  Discourse.Markdown.whiteListTag('iframe', 'src', 'https://www.meteoblue.com/fr/meteo/widget/daily/*');
  Discourse.Markdown.whiteListTag('script', 'src', 'http://widget.windguru.cz/js/wg_widget.php');
  Discourse.Markdown.whiteListTag('div', 'id', '*');
})();
```

(I have doubts about the security level, but can I not write `Discourse.Markdown.whiteListTag('div', 'id', 'wg_target_div_*');`?
Or is just this sufficient: `Discourse.Markdown.whiteListTag('textarea');`

For this script, I have no idea:

```html
<script>
//<![CDATA[
WgWidget({
  s: 218410, odh: 8, doh: 20, wj: 'knots', tj: 'c', waj: 'm', fhours: 72, lng: 'fr',
  params: ['WINDSPD', 'GUST', 'SMER', 'TMPE', 'CDC', 'APCPs'],
  first_row: true,
  spotname: true,
  first_row_minfo: false,
  last_row: false,
  lat_lon: true,
  tz: true,
  sun: true,
  link_archive: false,
  link_new_window: true
},
'wg_target_div_218410_97924000'
);
//]]>
</script>
```

Or:

`Discourse.Markdown.whiteListTag('script', '//<![CDATA[*');`

For this file, no change I think:

.js.es6

```js
import { registerOption } from 'pretty-text/pretty-text';

registerOption((siteSettings, opts) => {
  opts.features["..."] = true;
});

export function setup(helper) {
  helper.whiteList(['script[src]']);
  helper.whiteList(['iframe[src]']);
  helper.whiteList(['div[id]']);
}
```

Sorry, I cannot test it because I do not have my computer; I am at work and I only have a tablet.


(Mittineague) #9

Looking at it more closely, I think the windguru code is going to be a problem. I’m not sure how to go about it, or if it’s even possible.

> You are allowed to show forecasts for up to 10 different spots per website (domain)

But I’m sure if it is possible that the solution would be complicated.

Why not try the first two, windfinder and meteoblue, first and see how you get on with those.

EDIT
It looks like the easier approach for windguru would be to link to the site using links generated from this page:

http://www.windguru.cz/int/link.php


(Alex Rabolin) #10

Thank you for your precious advice. I'm content with the first two domains, and if I need it, I will add this one:

I mark this message SOLVED.
Thank you.