Telerik HTML Editor in DNN 6.1.0

11/2/2011 9:29 PM
 
Is it a joke?
I discovered this post as I upgraded to DNN 6.1 and got the JS issue.
I'm furious. DNN is going back to the Stalinist era.
You should fix this quickly, as a lot of customers won't appreciate it.
 
11/2/2011 10:49 PM
 
Adding my voice to the group not happy with the forced script removal.

Used on my website for:

- Inline twitter widget
- AdSense Code
- RSSPump.com news widget

On about 249 pages.

Will be avoiding the upgrade until a workaround is given.
 
11/3/2011 3:04 PM
 
Brett Levert wrote:
Adding my voice to the group not happy with the forced script removal.

Used on my website for:

- Inline twitter widget
- AdSense Code
- RSSPump.com news widget

On about 249 pages.

Will be avoiding the upgrade until a workaround is given.

Brett

There are many ways today to work around this issue while also upgrading to a more secure version of DNN.

I should reiterate that the security fix ONLY removes script when saving the content in the HTML module. One individual earlier in this thread said that the script was stripped from existing content - that is NOT true. The script is removed when trying to save the content - either when creating a new instance of a module OR when updating the current module.

I would argue that the HTML/Text module is not the correct place to embed JavaScript in your page. For all of the examples you use, I would embed the JavaScript in my Skin or Container. If I don't want it on every page, I would have two versions of my Skin - one with the JavaScript widgets and one without.

Alternatively I would look at Will Strohl's Open Source Widgets.

Thirdly - you could add the necessary JavaScript to the Page Header under page settings, but the text editor can be used by registered or anonymous users and is not the right place to allow JavaScript to be entered.

We may decide to open up some ability in the future - but I would argue that we did the right thing for the right reason. When dealing with security issues, the first priority is closing the hole as quickly as you can before the information leaks out into the public domain.

Once we have had time to review and fully understand the issue, then we can consider mitigating the impact to the average user - by allowing host users to add JS or by allowing host users to enable it in certain places.

As a platform, we need to protect our reputation and this is what we did.

I would urge you to upgrade now - protecting your site should be your first priority - and as a Community let's figure out and document a better/safer way to do these types of things.


Charles Nurse
Chief Architect
Evoq Content Team Lead,
DNN Corp.

MVP (ASP.NET) and
ASPInsiders Member
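To make the behaviour described in the post above concrete, here is an added model of a save-time script filter for an HTML module. It is constructed for this thread and is not DNN's own code: it drops `<script>` elements (and their bodies) only on the save path and re-emits everything else byte-for-byte, so content that is already stored is never touched unless it is re-saved.

```python
from html.parser import HTMLParser


class ScriptStripper(HTMLParser):
    # Re-emits input HTML verbatim, minus <script> elements and their bodies.

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep &amp; etc. exactly as typed
        self.out = []
        self.in_script = False  # True while inside a <script> body
        self.removed = 0        # script elements dropped on this save

    def _emit(self, text):
        if not self.in_script:
            self.out.append(text)

    def handle_starttag(self, tag, attrs):
        raw = self.get_starttag_text()
        if tag != "script":
            self._emit(raw)  # raw tag text, attributes untouched
        else:
            self.removed += 1
            self.in_script = not raw.endswith("/>")  # <script .../> has no body to skip

    handle_startendtag = handle_starttag  # <br/>, <img .../> are re-emitted raw too

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        else:
            self._emit(f"</{tag}>")

    def handle_data(self, data):
        self._emit(data)

    def handle_entityref(self, name):
        self._emit(f"&{name};")

    def handle_charref(self, name):
        self._emit(f"&#{name};")

    def handle_comment(self, data):
        self._emit(f"<!--{data}-->")


def save_module_content(html):
    """Save path only: strip <script> and return (stored_html, scripts_removed)."""
    p = ScriptStripper()
    p.feed(html)   # constructed module content goes in here; stored rows are never re-filtered on read
    p.close()
    return "".join(p.out), p.removed
```

Running `save_module_content` over a module body containing an inline widget shows the widget's `<script>` gone while the surrounding markup, entities and comments are unchanged; calling it on existing rows is what the fix deliberately does not do.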
 
11/3/2011 3:10 PM
 
Ray Gerstner wrote:
Thanks for the heads up on this upgrade flaw. If I hadn't come across this post I would be in deep crap now. This is ridiculous. All HTML editors in DNN need to support embedded JavaScript. It is kinda like giving someone a car but removing the steering wheel and saying "Have fun driving".

Ray

I understand your frustration - but there are ways to work around this (see my earlier post in this thread) - the HTML module is not the right tool for the job.

But I have to comment on your car analogy.

IMO a more accurate analogy is - "We gave you a car but forgot to put locks on the doors, and all you needed to start the engine was to push a button. Now we have placed locks on the doors and required you to use a key to start the engine, so that your car doesn't get stolen".


Charles Nurse
Chief Architect
Evoq Content Team Lead,
DNN Corp.

 
11/3/2011 4:49 PM
 
I'm sorry, but you're wrong.
You locked the doors (thanks, we feel more secure) but didn't give us the keys. To free ourselves, we have to find a crowbar elsewhere (thanks, Mr. Strohl, for your JS injector).
We lived with this "huge" security hole for a while; it wasn't so urgent. The right thing would have been to fix the security issue and let users make their own decision: open or lock the door, not your authoritarian choice, which of course isn't your users' one.
Last July, I decided to use Will Strohl's JS injector. I'm very happy with it. I'd prefer a pure DNN solution, not this kind of misunderstanding of your own users.
Kind regards.
 