Script Tag not accepting in Management Center - websphere-commerce

The script tag is not accepted in the WCS7 Management Center E-mail activity content; how can I achieve this?
I would like to add a JS file in the email content.
For that I am using the tag
but Management Center is not accepting the word "script",
giving an error like "script is a prohibited character".

This restriction exists to protect the application from XSS (cross-site scripting) attacks.
You can try disabling XSS protection.
Steps:
Open the following file:
LOBTools.war/WEB-INF/web.xml
WebSphere Commerce Developer: LOBTools/WebContent/WEB-INF/web.xml
See Management Center Web application file locations for more information.
Search for and remove the following snippet:
com.ibm.commerce.security.crosssitescriptingprovider
com.ibm.commerce.foundation.internal.client.security.impl.ClassicCommerceCrossSiteScriptingProviderImpl
Save your changes and close the file.
Deploy your changes.
But please keep in mind that by doing so you are making your app vulnerable to XSS attacks.

There is a blacklist filter definition in wc-server.xml that is checked on all incoming requests. If the request matches the filter, it gets rejected.
The script HTML tag is part of that blacklist to prevent anyone from injecting potentially malicious content.
Removing this blacklist isn't recommended.
Also, it's usually not recommended to insert scripts in e-mail as most mail providers will strip them out for security reasons.

Related

TinyMCE Text editor security with HTML

I'm using the free JS plugin from tinymce and interested in preventing an HTML injection with the tinymce text editor.
I've added this property to the INIT:
invalid_elements: 'script' (just for this example)
However, nothing happens. The editor still "accepts" the script tag and passes it on.
I looked at https://www.tiny.cloud/docs/tinymce/6/content-filtering/#invalid_elements and it should work, but I don't see any change once it's added.
Am I doing something wrong?
Is there a way to limit some HTML elements with this editor?
Any other tips on how to use that editor and prevent malicious HTML?
TinyMCE certainly has a variety of configuration options to help you control what content is created in the editor but you can never assume that data provided to you client side is "clean" or "safe". Nefarious people can bypass your front end and all of its validation if their goal is to cause harm to your system.
You should always configure your front end appropriately. TinyMCE has a variety of configuration options to assist with content filtering/validation (https://www.tiny.cloud/docs/configure/content-filtering/) to only allow those types of tags you want created, etc., including:
https://www.tiny.cloud/docs/configure/content-filtering/#valid_elements
https://www.tiny.cloud/docs/configure/content-filtering/#extended_valid_elements
https://www.tiny.cloud/docs/configure/content-filtering/#valid_children
https://www.tiny.cloud/docs/configure/content-filtering/#schema
https://www.tiny.cloud/docs/configure/content-filtering/#invalid_elements
However, regardless of the front end design, you should always re-check submitted content on the server to ensure it is safe. There is simply no way around that need. What constitutes "safe" is likely a business decision based on what your application does and who uses it.
There are many different libraries you can use server side to do this sort of validation/cleansing, so depending on your specific server-side setup you can find libraries that allow you to "sanitize/purify" the submitted HTML.
I would note that TinyMCE (by default) should not allow <script> tags in your content, so it is likely that such behavior is due to your current configuration.
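One way to do the server-side re-check the answer recommends, as an added example that is not part of the original answer or of TinyMCE itself: a small allow-list sanitizer in Node.js whose policy is a hypothetical one mirroring a client-side `valid_elements: 'p,strong,em,br,a[href]'` setting. In production a maintained library such as DOMPurify or sanitize-html is the better choice; this shows the mechanism on constructed input.

```javascript
// Added example, not code from the question or from TinyMCE: a server-side
// allow-list re-check of editor output. ALLOWED is a hypothetical policy that
// mirrors `valid_elements: 'p,strong,em,br,a[href]'`; any tag not on it is
// escaped to inert text, and attributes not listed per tag are dropped.
const ALLOWED = { p: [], strong: [], em: [], br: [], a: ['href'] };

// Escape text so it can never be parsed as markup; existing entities are kept.
function escapeHtml(s) {
  return s.replace(/&(?!(?:#\d+|#x[0-9a-f]+|[a-z]+);)/gi, '&amp;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Only http(s) URLs, site-relative paths and fragments survive in href;
// this rejects javascript:, data: and other scriptable schemes.
function safeHref(v) {
  return /^(https?:\/\/|\/|#)/i.test(v.trim());
}

function sanitize(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let out = '', last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeHtml(html.slice(last, m.index)); // text between tags
    last = tagRe.lastIndex;
    const name = m[1].toLowerCase();
    if (!(name in ALLOWED)) {                      // e.g. <script>, <iframe>
      out += escapeHtml(m[0]);                     // render the tag as literal text
      continue;
    }
    if (m[0].startsWith('</')) {
      out += `</${name}>`;
      continue;
    }
    let attrs = '', a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(m[2])) !== null) {
      const an = a[1].toLowerCase();
      const av = a[2] ?? a[3] ?? a[4] ?? '';
      if (!ALLOWED[name].includes(an)) continue;   // drops onclick, style, ...
      if (an === 'href' && !safeHref(av)) continue;
      attrs += ` ${an}="${escapeHtml(av)}"`;
    }
    out += `<${name}${attrs}>`;
  }
  return out + escapeHtml(html.slice(last));      // trailing text
}
```

Run `sanitize()` on the raw POST body regardless of what the editor was configured to allow; the constructed inputs in the comments show a smuggled script tag and an event handler being neutralised.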

Replace content links domain depending on environment in contentful

Below is some info to have context about the problem I am looking for solution:
"I only want to have a prod environment for contentful. the preview url is being used for UAT and Dev environments. So if the content is in the draft it will be reflected in Dev and UAT and when published it will be reflected in both environments as well as Prod".
Now the issue is that there are some links in the content that have a prod domain like www.[prod-domain]/blah blah. I need those URLs' domain to be replaced with the UAT or Dev domain in the draft (depending on environment), like www.[UAT-domain]/blah blah.
Is there any middleware for this? If not, what's the best way to achieve this in-app?
Salma from Contentful here!
If you use relative links in the content (e.g. /blahblah), they would automatically resolve to the current domain when navigated to on the front end.
If you're using Rich Text and outputting links in the flow of the text, you could get around the protocol requirement in the usual link formatter by creating a custom 'internal link' entry content type, which you can embed as an inline entry. For this content type, you could ask editors to provide a path to a page without the https protocol and domain, and ensure there is validation for that in the web app (using the pattern validation).
Another option would be to remove the protocol and domain from the URLs when rendering on the front end, to avoid the editors having to create extra entries when adding content to the Rich Text field.

block gadgets in google apps for education

One of the schools I support wants to start teaching basic web design to their students, and would like to use Google Sites to do so. We need to be able to block Google gadgets from the sites so that there is no risk of inappropriate content being shown to the students. Previously this could be done with the domain gadget directory manager, but from what I understand this stopped working when HTTPS got switched on for everything. All the places I have looked predate the HTTPS change and no longer seem to work. Does anyone have any ideas?
There is a utility called Google FeedServer.
The PrivateGadgetAdministratorsGuide describes how to tweak http/https:
What you can do is to copy the body of the XML, change the http:// links to .js files to https://, and then host this file somewhere.

Unable to Edit Article After System Plugin Install

I have developed a front-end system plugin for Joomla 3.0 which replaces keywords with HTML formatted objects. This works perfectly in my local lab environment, but when installed on the hosted site (WHM/cPanel) it causes issues with the administration area and prevents the administrators from editing the articles.
When the administrator clicks on an article to edit, the page attempts to load, then appears to go back to the same page. I have developed this as a front-end plugin only, so I shouldn't affect the administration area.
The problem is also preventing admins from creating anything new (news, blogs, content, menu items etc.).
As this does not happen within my lab I can only assume the issue is with some server settings which I may need to enable/disable. I have complete administrative access to WHM, cPanel and Joomla, so I can change settings wherever needed...
Things I have observed:
The article URL changes from:
/administrator/index.php?option=com_content&view=article&layout=edit&id=7
to:
/administrator/index.php?option=com_content&amp;view=article&amp;layout=edit&amp;id=7
when the plugin is enabled. Notice the ampersand has changed to &amp;. This makes me think it could be something to do with the UTF-8 character encoding, which has been set in MySQL to utf8_general_ci.
Any pointers on configurations I may need to change would be greatly received.
Question: How do I prevent this from occurring (without removing my essential plugin).
If you create a System Plugin that should work only on the front end, you have to check in your plugin whether the current page is front-end. You can do it using this function: JFactory::getApplication()->isSite() or JFactory::getApplication()->isAdmin()
Example usage (I assume you use the onAfterRender event):
public function onAfterRender()
{
    // Exit if the current page is being rendered by the administrator application
    if (JFactory::getApplication()->isAdmin()) {
        return;
    }

    /* your plugin main code goes here */
}
It will prevent your plugin from modifying administration panel output. If you have already done that and the check works as it should, there is no way that plugin is the reason for your problems.

Extremely simple content updating tool for websites - CMS? PHP forms? Suggestions please!

As a side project I tutor grandparents and other computer novices in Computer & Internet 101, from physically using a mouse to dealing with e-mail/searching/etc. Web development isn't really my area of focus (I do have reasonable HTML/CSS/JavaScript etc. skills, so I can throw together a decent-looking simple, static site), but occasionally I get asked to put together extremely simple websites for these people, that they can update themselves; that is, edit text-based content without giving Grandpa a heart attack by making him come face-to-face with HTML/JavaScript.
I've waded through a mile-long list of CMS software, largely culled from the many other similar questions on SO, but they've all got something ruling them out: hosted, restricts the design (can't use with existing CSS, looks "WordPress-y", etc.), not free/FOSS, etc. I wonder if "CMS" is even the right word for what I'm looking for. What I need is a simple text editor for the client: that is, something that will give the client a text box of some variety, let them edit it, and update the content with that info. They can't mess with navigation, add new pages, or change anything other than text. If it was really fancy, they could upload a picture.
I was planning to do this just with a couple of password-protected php forms, but thought I'd ask if there's anything already out there that might provide this functionality? Any suggestions on building my own version of this, in PHP or something else?
What I'm really interested in is:
1) the simplicity/customize-ability of the admin interface (or lack of admin interface, if the client could somehow edit directly in the page), and
2) ease of set up for me (not getting paid much if at all for this, don't want to wade through three million plugin options to figure out how to get some unwieldy, high learning-curve framework to do what I want).
Try pulsecms.
Here is another very simple CMS that uses jQuery and Modernizr, HTML5 Boilerplate and TinyMCE.
I have my wife set up with Windows Live Writer
http://explore.live.com/windows-live-writer?os=other
This means that she just builds her articles as if she is using a word processor (almost exactly the same) and then just uploads the article to her blog. I use BlogEngine.NET to host the blog on a GoDaddy hosting solution.
BlogEngine comes with built-in support for Live Writer and only requires that you input the address, username and password.
I understand this is an old post, but I hope someone finds this of interest.
You could give the users the instruction to upload text files to the site, and then have the HTML/PHP/ASP pages load the content of such .txt files.
Each web page should have a specifically named .txt file associated with it.