
Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.

Thread: Telerik HTML Editor in DNN 6.1.0

New Post
12/6/2011 11:15 AM
 
Cathal - let me explain a little something about users. We don't care (and by we I mean both WE as in partners that help clients implement sites and clients who actually use their sites) what YOU call something - WE call it a bug when a feature that did work now no longer works. All these arguments that it wasn't a "feature" before and that you didn't "break" it are so much sophistry. It doesn't really matter what you as the author of the product think AT ALL. It especially doesn't matter in the case of an open source product. Sorry if that disturbs your ego, but if the client thinks it's broken and you broke it the proper response is - we're sorry, we screwed up, here's how we'll make sure that doesn't happen again. Even an apology (which I still haven't seen in any serious way from a DNN employee) saying "we're sorry that we cost you dozens of hours of time and effort AND DOLLARS rolling back or fixing the problem" would be nice.

The update DID break something. It broke the ability for DNN to perform a function it had performed in the past, in a non-obvious manner, without adequate warning about what it was doing. It was done without consulting users, or considering the huge impact it had on sites. Again - the proper response here is not "we didn't do anything wrong", it's "we're sorry we screwed up, here's how we'll do it better next time".

When developers get arrogant about end users' requirements, that spells the end of that platform. I've lived through the transition from multiple platforms over the 30 years I've been doing this, and this is exactly the kind of attitude that takes a platform from a well supported and popular user-evangelized platform to one that ends up in a death spiral because they totally forgot who it was they needed to satisfy. I'd rather not see DNN head down the path of similar platforms I've grown to love (and eventually abandoned as the company abandoned its users). Anyone remember Novell Inc? How about DataEase? Hayes modems? Kodak? Turbo Pascal? Don't force yourself down the path of arrogance - it's a hard row to hoe without your end users supporting and endorsing you.
 
New Post
12/6/2011 12:25 PM
 

I'm sorry if I haven't made it clear before (though I believe I've apologised a few times for this), but I do apologise for any impact this caused. Once the impact of this was apparent we immediately dropped other items and focussed on resolving it (without reopening the identified security vulnerability) and were able to get a new release out in record time (despite half of the team being en route to dnnworld).

Security issues tend to be a separate classification from other items, as security of the platform overrides other requirements and sometimes will require functionality to be compromised, e.g. we removed the ability for admins to upload skins, as skins can contain code (which would allow an admin the ability to steal host credentials/execute SQL etc.). This was an unpopular change (I still field requests to add it back in regularly) but in this case necessary, as security trumped functionality. This is not arrogance from myself or the security team; we think hard about these functional changes, as any reduction in functionality always has an impact.

In the case of this bug, I made a similar judgement call where I felt the fix was serious enough to require immediate resolution - the plan had always been to put the fix in place and then later update it to provide the users more control (to be able to enable/disable on individual HTML modules). However, I underestimated how many people were using this functionality - this was solely my fault and probably comes from me never personally using this approach. Whilst we do have code reviews in place and the code was reviewed by another engineer, they similarly did not anticipate the impact. Since then we have put in place a process by which security items are reviewed by folks from our business and QA areas, as well as other engineers and architects, to ensure a broader consensus of users (and users with different approaches and technical levels) is reached, so that a security fix should never have this issue again.

Over the years I've checked in fixes for 58 different security issues, and this is the first one that's had this level of impact. Whilst I fully appreciate the severity of the impact, I hope that shows that we do work hard to maintain the balance of ensuring the security of the platform whilst not impacting the requirements of its users - that said, one mistake was still one too many, and not one we hope to ever repeat in the future.

Cathal


 
New Post
12/6/2011 1:35 PM
 

Well said, Cathal.


 
New Post
12/9/2011 3:28 PM
 
Lee Drake wrote:
Thank you for the swift resolution and for listening to your users. I can confirm that on my sites where we're allowing it, you can edit HTML, and if the checkbox is off on the editor you can have it not remove scripts etc.

Just got a project I am working on upgraded to 6.1.1 from 6.1.0.

Where is this checkbox? Not seeing it....

 
New Post
12/9/2011 3:53 PM
 

Ed,

Step 1: Install a copy of the HTML administration module

Step 2: In either a custom configuration linked to a user group, or in the default (not recommended), you can check or uncheck a box that allows you to strip script from input HTML in the Telerik editor. Be sure you've changed your default to that editor as well.

 