Whitelist all the code inside of a div tag?

Alex_Rabolin · October 11, 2016, 9:23am

Hello,

I like to know if it would be possible to whitelist all the code inside of a div tag, regardless of the code ? (in a forum post)

I guess not and must whitelist each tag in a plugin?

Sorry for my bad english and thank you in advance.

zogstrip · October 11, 2016, 9:24am

That could be dangerous. What exactly are you trying to achieve?

Alex_Rabolin · October 11, 2016, 10:05am

I manages a kitesurfing site and I’d like to do a weather category.
With a webcam image and three windows of prevision wind like the pictures.

Here’s the code :

windfinder

    `  <script type="text/javascript" src="https://fr.windfinder.com/widget/forecast/js/lac_des_rousses?unit_wave=m&unit_rain=mm&unit_temperature=c&unit_wind=kts&columns=2&days=4&show_day=1&show_pressure=0&show_waves=0"></script><noscript><a href='https://www.windfinder.com/forecast/lac_des_rousses?utm_source=forecast&utm_medium=web&utm_campaign=homepageweather&utm_content=noscript-forecast'>Wind forecast for Lac des Rousses</a> provided by <a href='https://www.windfinder.com?utm_source=forecast&utm_medium=web&utm_campaign=homepageweather&utm_content=noscript-logo'>windfinder.com</a></noscript>`

meteoblue

      `<iframe src="https://www.meteoblue.com/fr/meteo/widget/daily/les-rousses_france_6455993?geoloc=fixed&days=7&tempunit=CELSIUS&windunit=KNOT&coloured=coloured&pictoicon=1&maxtemperature=1&windspeed=1&windgust=1&winddirection=1&precipitation=1&precipitationprobability=1&spot=1&layout=light"  frameborder="0" scrolling="NO" allowtransparency="true" sandbox="allow-same-origin allow-scripts allow-popups" style="width: 378px;height: 360px"></iframe>`

and windguru

          <script src="http://widget.windguru.cz/js/wg_widget.php" type="text/javascript"></script>
          <script language="JavaScript" type="text/javascript">
//<![CDATA[
WgWidget({
s: 218410, odh:8, doh:20, wj:'knots', tj:'c', waj:'m', fhours:72, lng:'fr',
params: ['WINDSPD','GUST','SMER','TMPE','CDC','APCPs'],
first_row:true,
spotname:true,
first_row_minfo:false,
last_row:false,
lat_lon:true,
tz:true,
sun:true,
link_archive:false,
link_new_window:true
},
'wg_target_div_218410_97924000'
);
//]]>
</script>
<div id="wg_target_div_218410_97924000"></div>

Alex_Rabolin · October 11, 2016, 11:27am

maybe with a plugin like that :

.js

(function() {
Discourse.Markdown.whiteListTag('script', 'src', '*');
Discourse.Markdown.whiteListTag('iframe', 'src', '*');
})();

.js.es6

    import { registerOption } from 'pretty-text/pretty-text';

registerOption((siteSettings, opts) => {
  opts.features["..."] = true;
});

export function setup(helper) {
  helper.whiteList(['script[src]']);
  helper.whiteList(['iframe[src]']);
}

Mittineague · October 11, 2016, 5:03pm

If you do that I most certainly want to never visit your forum.

Allowing posts to have inserted JavaScript / iframe code is an extremely bad idea.

It opens up the possibility of all kinds of problems ranging from cookie theft to click-jacking to spreading malware and who knows what else.

If you want content from those three specific domains, please, allow only content from those three specific domains and not “*”

Alex_Rabolin · October 11, 2016, 10:45pm

Thanks a lot @Mittineague.
I agree entirely with you, it’s just that I’m a newbe and i do not know how allow only content from those three specific domains.

For the iframe of meteoblue, there possible whith this plugin i think (https://github.com/scossar/whitelist-iframe) but I’d rather get there without a plugin if possible or my own plugin.

For scripts i have searching but I did not find anything and I have no idea.
Maybe replace “*” with the URL ? I think not.

And i dont understand how to do that because the code of the third domain contains :

a balise <script> whith an URL (src)
and
a script-Java
and
a <div> tag

Like that :

                  <script src="http://widget.windguru.cz/js/wg_widget.php" type="text/javascript"></script>
          <script language="JavaScript" type="text/javascript"> 
//<![CDATA[
WgWidget({
s: 218410, odh:8, doh:20, wj:'knots', tj:'c', waj:'m', fhours:72, lng:'fr',
params: ['WINDSPD','GUST','SMER','TMPE','CDC','APCPs'],
first_row:true,
spotname:true,
first_row_minfo:false,
last_row:false,
lat_lon:true,
tz:true,
sun:true,
link_archive:false,
link_new_window:true
},
'wg_target_div_218410_97924000'
);
//]]>
</script>
<div id="wg_target_div_218410_97924000"></div>

If you can help me for my forum is not vulnerable and I can just use these three domains and her weather widgets on offer as iframe and java script.

in any case, already a big thank you for taking the time to help me

Mittineague · October 11, 2016, 10:57pm

Try a separate whitelist line for each hard-coding as deep as you can that will still work and wildcarding only what you need to (the *). eg.

https://fr.windfinder.com/widget/forecast/js/*
https://www.meteoblue.com/fr/meteo/widget/daily/*
http://widget.windguru.cz/js/wg_widget.php

Alex_Rabolin · October 12, 2016, 12:01am

If i understand, like that :

.js

(function() {
  Discourse.Markdown.whiteListTag('script', 'src', 'https://fr.windfinder.com/widget/forecast/js/*');
  Discourse.Markdown.whiteListTag('iframe', 'src', 'https://www.meteoblue.com/fr/meteo/widget/daily/*');
  Discourse.Markdown.whiteListTag('script', 'src', 'http://widget.windguru.cz/js/wg_widget.php');
  Discourse.Markdown.whiteListTag('div', 'id', '*');  
})();

(I doubt a security level, but I can not write : Discourse.Markdown.whiteListTag(‘div’, ‘id’, ‘wg_target_div_*’); ?
Or just that is suffisant : Discourse.Markdown.whiteListTag(‘textarea’);

For this script, i have no idea :

<script>
//<![CDATA[
WgWidget({
s: 218410, odh:8, doh:20, wj:'knots', tj:'c', waj:'m', fhours:72, lng:'fr',
params: ['WINDSPD','GUST','SMER','TMPE','CDC','APCPs'],
first_row:true,
spotname:true,
first_row_minfo:false,
last_row:false,
lat_lon:true,
tz:true,
sun:true,
link_archive:false,
link_new_window:true
},
'wg_target_div_218410_97924000'
);
//]]>
</script>

Or:

Discourse.Markdown.whiteListTag(‘script’, ‘//<![CDATA[*’);

For this file, no change i thinks :
.js.es6

import { registerOption } from 'pretty-text/pretty-text';

registerOption((siteSettings, opts) => {
  opts.features["..."] = true;
});

export function setup(helper) {
  helper.whiteList(['script[src]']);
  helper.whiteList(['iframe[src]']);
  helper.whiteList(['div[id]']);
}

sorry I can not test it because I do not have my computer I am at work, I only have a tablet.

Mittineague · October 12, 2016, 6:14am

Looking at it more closely, I think the windguru code is going to be a problem. I’m not sure how to go about it, or if it’s even possible.

You are allowed to show forecasts for up to 10 different spots per website (domain)

But I’m sure if it is possible that the solution would be complicated.

Why not try the first two - windfinder and meteobkue - first and see how you get on with those.

EDIT
It looks like the easier approach for windguru would be to link to the site using links generated from this page:

http://www.windguru.cz/int/link.php

Alex_Rabolin · October 12, 2016, 11:53am

Thank you for your advice Precious, I’m content with thé two first Domains and if i need, I will add this one:

I pass this message SOLVED.
Thank you.

Topic		Replies	Views
Use categories or tags to structure a multilingual community admins multi-lingual , how-to	28	12358	January 18, 2022
Tag explanation - feature request feature completed	33	5750	September 17, 2022
Unformatted Code Detector theme-component official , unformatted-code-detector	41	7920	January 22, 2024
How can I whitelist a class in a theme? dev	15	2744	May 15, 2020
Supporting iframe embeds from different domains? feature	58	22139	August 30, 2018

Whitelist all the code inside of a div tag?

Related Topics