Comments Tweak 5
22 March 2009
Well, it's time for another Comments release. This one's pretty big as well. Not as security-oriented as Release 4, of course, but it is of some importance. This release incorporates a new feature: the admin panel. All comments posted after installation are listed and can be deleted from within the Comments interface.
Basically, here's a summary of the new features:
- Code clarity has been improved once again (more comments!)
- All new comments now have a permalink.
- All new comments are eligible to be deleted via...
- The admin panel
For those still worried about security, however, there's still a major issue in the wild. Releases 4 & 5 are still vulnerable to a Javascript attack through the [url] tag.
Bookmarklets Launched
19 March 2009
I've been writing a few bookmarklets (see Wikipedia), and decided it was time to share them. At the moment, I only have two (Mailinator and Let Me Google That For You), and all they are are shortcuts to/for the websites, but they are both effective and working. Check them out!
Another Comments Tweak Update
18 March 2009
This one's way more important than any update before it (aside from the announcement). There were many security flaws in Releases 2 & 3. For starters, there were just basic XSS exploits, since style tags weren't stripped from the allowed tags. There was also your basic Javascript attack, since onclick and all other attributes weren't affected either.
However, Release 4 brings with it a suite of security measures. The sanitation function is applied to the username field (fun fact: it wasn't before, so <script> tags could have snuck in if people had tried). All HTML is now stripped via that same function. As for markup... R4 brings a lightweight version of BBCode with it, allowing only the following tags:
- [b] (bold)
- [u] (underline)
- [i] (italics)
- [url] and [url=] (links)
It's a major step forward for Comments: the BBCode parser is just a set of regexps, so any admin can easily add his/her own BBCode tags.
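As an added illustration (not the Comments Tweak's own code, whose regexps are not shown on this page), here is a whitelist BBCode renderer in PHP covering exactly the four tags listed above, with the [url] target restricted to http/https so that the Javascript-through-[url] issue noted in the Release 5 post does not arise; the function name render_comment and the sample input are assumptions.

```php
<?php
// Added example, not Comments Tweak code: a whitelist BBCode renderer built,
// as the post describes, from one regexp per tag ([b], [u], [i], [url]).
// Requires PHP 7.4+ for the arrow function.

function render_comment(string $raw): string
{
    // 1. Drop every HTML tag, then escape what is left, so no <script>,
    //    <style> or on* attribute can survive in the comment or username.
    $text = htmlspecialchars(strip_tags($raw), ENT_QUOTES, 'UTF-8');

    // 2. Simple formatting tags: a fixed regexp per tag and nothing else.
    $text = preg_replace('/\[b\](.*?)\[\/b\]/s', '<b>$1</b>', $text);
    $text = preg_replace('/\[u\](.*?)\[\/u\]/s', '<u>$1</u>', $text);
    $text = preg_replace('/\[i\](.*?)\[\/i\]/s', '<i>$1</i>', $text);

    // 3. Links: the target is accepted only if it parses as an absolute
    //    http(s) URL. Any other scheme (javascript:, data:, ...) or an
    //    unparseable target is rendered as plain text instead of a link.
    $link = function (array $m): string {
        $target = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
        $label  = $m[2];
        $scheme = strtolower((string) parse_url($target, PHP_URL_SCHEME));
        if (!in_array($scheme, ['http', 'https'], true)) {
            return $label; // refuse the link, keep the visible text
        }
        $safe = htmlspecialchars($target, ENT_QUOTES, 'UTF-8');
        return '<a href="' . $safe . '" rel="nofollow">' . $label . '</a>';
    };
    $text = preg_replace_callback('/\[url=([^\]]+)\](.*?)\[\/url\]/s', $link, $text);
    // [url]target[/url]: the target doubles as the label.
    $text = preg_replace_callback('/\[url\](.*?)\[\/url\]/s',
        fn(array $m) => $link([$m[0], $m[1], $m[1]]), $text);

    return nl2br($text);
}

// Constructed sample input (not a real comment from the site).
$sample = "[b]hello[/b] [url=javascript:alert(1)]click[/url] "
        . "[url=http://example.com/?a=1&b=2]ok[/url] <script>x</script>";
echo render_comment($sample), PHP_EOL;
```

The first [url] is emitted as the bare word "click" and the second becomes a real link, with the ampersand in its query string re-escaped in the href.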
Also, just as a sort of tease for a future release, an admin panel is in the works. At the moment, you only have the option to re-run the initial setup (at this point, just make the needed directory & files). However, once I'm done, you'll be able to edit and delete comments from any page that has them.
Comments Tweak Security Update
17 March 2009
Thanks to a bunch of testers from the NanoCMS forums, I've added some basic security to the Comments Tweaker. The inputs are sanitized so everything but <b>, <i>, <u>, <a>, and <br> is stripped. The basic PHP commands that were run (expanding the page by a few screens) are now out as well. If you want a quick demo, I tried the approved and a few unapproved tags over in the 3rd comment of the Release 2 post. It worked like a charm. Be sure to upgrade!
Comments Tweak Release 2
17 March 2009
There have been some issues with Comments Tweak, but they were resolved over 2 code revisions. Revision 19 has been dubbed the official Release 2.
Bugfixes
- Fixed a bug where News Page post comments were saved to the wrong file
- Re-adjusted some variables for code quality

