SiSL
Average Member
Turkey
671 Posts
Posted - 22 April 2008 : 03:59:21
If you are based on a different language like me, one which has a different way of putting words into a sentence, then this might help you a little bit on Snitz.
Ever seen URLs with an apostrophe? You know, ' <- single quote. I personally hadn't. But that often blocked my URLs in my forum. Because to say something is at somedomain.com, my users often use an apostrophe: for " at www.chip.com.tr ", in my language it is " www.chip.com.tr'deki ". As you see, you get a weird domain (the English "at" added into the domain itself), including the single quote..
So this is only a good thing to do if you have weird users and a weird language setup. Now, how to quickly heal that:
In inc_func_common.asp (go to line 1539, well, the end of the file) you will see the following lines. Just remove the parts I marked in red... or you can manually remove every \'
<script language="javascript1.2" runat="server">
// Auto-links bare URLs and e-mail addresses in post text. iType selects the
// scheme being looked for. The \' inside each character class is what the
// post above suggests removing.
function edit_hrefs(sURL, iType) {
var sOutput = new String(sURL);
if (iType == 1) {
sOutput = sOutput.replace(/\b(http\:\/\/[\w+\.]+[\w+\.\:\/\@\_\?\=\&\-\'\#\%\~\;\,\$\!\+\*]+)/gi,
"<a href=\"$1\" target=\"_blank\">$1<\/a>");
} else if (iType == 2) {
sOutput = sOutput.replace(/\b(https\:\/\/[\w+\.]+[\w+\.\:\/\@\_\?\=\&\-\'\#\%\~\;\,\$\!\+\*]+)/gi,
"<a href=\"$1\" target=\"_blank\">$1<\/a>");
} else if (iType == 3) {
sOutput = sOutput.replace(/\b(www\.[\w+\.\:\/\@\_\?\=\&\-\'\#\%\~\;\,\$\!\+\*]+)/gi,
"<a href=\"http://$1\" target=\"_blank\">$1<\/a>");
} else if (iType == 4) {
sOutput = sOutput.replace(/\b([\w+\-\'\#\%\.\_\,\$\!\+\*]+@[\w+\.?\-\'\#\%\~\_\.\;\,\$\!\+\*]+\.[\w+\.?\-\'\#\%\~\_\.\;\,\$\!\+\*]+)/gi,
"<a href=\"mailto\:$1\">$1<\/a>");
} else if (iType == 5) {
sOutput = sOutput.replace(/\b(ftp\:\/\/[\w+\.]+[\w+\.\:\/\@\_\?\=\&\-\'\#\%\~\;\,\$\!\+\*]+)/gi,
"<a href=\"$1\" target=\"_blank\">$1<\/a>");
} else if (iType == 6) {
sOutput = sOutput.replace(/\b(file\:\/\/\/[\w+\:\/\\]+[\w+\/\w+\.\:\/\\\@\_\?\=\&\-\'\#\%\~\;\,\$\!\+\*]+)/gi,
"<a href=\"$1\" target=\"_blank\">$1<\/a>");
}
return sOutput;
}
</script>
CHIP Online Forum
My Mods: Select All Code | Fix a vulnerability for your private messages | Avatar Categories W/ Avatar Gallery Mod | Complaint Manager Admin Level Revisited | Merge Forums | No More Nested Quotes Mod
blackinwhite
Average Member
Turkey
657 Posts
Posted - 23 April 2008 : 04:08:02
Thanks for the tip.
HuwR
Forum Admin
United Kingdom
20584 Posts
Posted - 23 April 2008 : 06:50:39
Not sure exactly what you are saying is wrong. Do you have somewhere we can see an example?
Shaggy
Support Moderator
Ireland
6780 Posts
Posted - 23 April 2008 : 06:54:37
See here, Huw.
Search is your friend. "I was having a mildly paranoid day, mostly due to the fact that the mad priest lady from over the river had taken to nailing weasels to my front door again."
HuwR
Forum Admin
United Kingdom
20584 Posts
Posted - 23 April 2008 : 07:05:59
As far as I know, a single quote isn't a character that is valid in any language in a URL, and simply removing it from the regexp is not an effective solution, as it could have other security-related issues which need to be considered.
It is valid, but not in the domain name itself, only in the path. Removing the \' from the edit_hrefs function will cause valid URLs containing the ' to be incorrectly parsed by the forum code. So, for example, www.test.com/isn't/it would not parse: it would remove the 't/it from the URL and become www.test.com/isn
SiSL
Average Member
Turkey
671 Posts
Posted - 24 April 2008 : 05:18:50
Exactly, HuwR.
Considering the usage of URLs in my language, like " http://forum.snitz.com'a bakabilirsin ", which means "you can look at http://forum.snitz.com ", I am sacrificing a really very limited number of URLs (I never meet the test.com/isn't/it type of URL, really) with an "apostrophe" in them... As examples: 'de, 'da = "at" in English; 'a, 'e = "to"; 'den, 'dan = "from".
So by removing this \' in these regexes, I basically get 99.9% of URLs covered safely, instead of 60% of them in my language's usage... On the other hand, I did consider the safety measures around this character; however, I failed to see it affecting any safety problems, since it is basically replacing text that is ready to be given to the user, not input from them...
Edited by - SiSL on 24 April 2008 05:30:31
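The trade-off HuwR and SiSL are arguing about can be made concrete by running the two regex variants side by side. The block below is an added example, not code from the thread or from Snitz: it reproduces the iType == 3 ("www.") branch of edit_hrefs once as shipped (with \' in the character class) and once with the \' removed, and runs both over two constructed posts modelled on the thread's examples (a Turkish suffix glued to a host name, and a path that legitimately contains an apostrophe). The function names, the sample posts and the hrefsIn helper are my own.

```javascript
// Added example, not Snitz code: the "www." branch of edit_hrefs, stock and
// with the \' removed, run over two constructed sample posts.

// Character class copied from the iType == 3 regex in inc_func_common.asp.
const STOCK_RE = /\b(www\.[\w+\.\:\/\@\_\?\=\&\-\'\#\%\~\;\,\$\!\+\*]+)/gi;
// Same regex with \' taken out, which is the edit the first post proposes.
const NOQUOTE_RE = /\b(www\.[\w+\.\:\/\@\_\?\=\&\-\#\%\~\;\,\$\!\+\*]+)/gi;

// Same replacement string edit_hrefs uses for this branch (double-quoted href).
const LINK_TEMPLATE = '<a href="http://$1" target="_blank">$1</a>';

function linkStock(text) {
  return text.replace(STOCK_RE, LINK_TEMPLATE);
}

function linkNoQuote(text) {
  return text.replace(NOQUOTE_RE, LINK_TEMPLATE);
}

// Pull the href values out of the generated HTML so the two variants can be
// compared without eyeballing markup. (Hypothetical helper, not in Snitz.)
function hrefsIn(html) {
  const out = [];
  const attr = /href="([^"]*)"/g;
  let m;
  while ((m = attr.exec(html)) !== null) {
    out.push(m[1]);
  }
  return out;
}

// Constructed sample posts (not taken from any real forum), modelled on the
// thread's two examples.
const SAMPLE_POSTS = {
  // Turkish locative suffix 'deki glued to the host, as in SiSL's post.
  turkishSuffix: "Haber www.chip.com.tr'deki sayfada.",
  // A path that really contains an apostrophe, as in HuwR's counter-example.
  apostrophePath: "See www.test.com/isn't/it for the rest.",
};

// For one post, returns the hrefs each variant produces.
function compareVariants(text) {
  return {
    stock: hrefsIn(linkStock(text)),
    noQuote: hrefsIn(linkNoQuote(text)),
  };
}

for (const [name, text] of Object.entries(SAMPLE_POSTS)) {
  const r = compareVariants(text);
  console.log(name);
  console.log("  stock  :", r.stock.join(", "));
  console.log("  no \\' :", r.noQuote.join(", "));
}
```

Run with node. The stock regex links http://www.chip.com.tr'deki (the suffix swallowed into the host, which is SiSL's complaint) and http://www.test.com/isn't/it; with the \' removed the same inputs give http://www.chip.com.tr and http://www.test.com/isn, which is exactly the truncation HuwR describes. Which side of that trade-off is right for a given board is an empirical question, so the useful check before changing the regex is to run both variants over that board's own existing posts and count how many links each one breaks.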
HuwR
Forum Admin
United Kingdom
20584 Posts
Posted - 24 April 2008 : 05:41:01
quote: Originally posted by SiSL
Yeah, I considered that type of URL, so I picked whichever is used most. As I said, this is only for different locales that use URLs such as in my language. If users want to post such rare URLs, they are always welcome to use [url] [/url] tags :)
Fair enough, just as long as you are aware of the possible consequences, that is fine.