Telerik HTML Editor in DNN 6.1.0

Posted 11/3/2011 5:10 PM
I think it was a good decision.

Please keep on setting security first.

Posted 11/3/2011 5:33 PM

Maybe an additional module permission for "insert Script code" would be a quick fix, defaulting to superusers only. IMHO in the long term, we need "trust levels", associated with roles, opening up more or less "risky" actions to each user, according to the roles assigned (max level). Examples could be code install, use script, use HTML, access specific admin modules like file manager, user management, tab management.

Cheers from Germany,
Sebastian Leupold

dnnWerk - The DotNetNuke Experts | German Spoken DotNetNuke User Group

Speed up your DNN Websites with TurboDNN

Posted 11/3/2011 5:42 PM

cathal connolly wrote:
I'm sorry it affects you so much - I will be blogging later tonight on the security blog, as I always do when a release has security issues, and will be mentioning this compromised functionality - however, with the date of the report and the time left to release I had little other option but to make this fix (security is paramount over all other functions) - as previously mentioned I will be looking to alter this in 6.1.0/5.6.5 so that it respects the disablescripts setting in Telerik, which should allow sites the balance between security and functionality they require.

The time to blog about this and ask for user input on it was BEFORE you made the change - not a week after.
This is tantamount to Microsoft saying - In order to fix this security leak in TCP/IP we are going to just firewall all your incoming ports without asking you.  That is a nontrivial decision.
I guarantee you none of my clients will upgrade to 6.1 anything until you have a solution.
The severity of this newly introduced bug is just as big as the security issue that you were trying to fix.

Posted 11/3/2011 5:48 PM

Charles Nurse wrote:
Brett Levert wrote:
Adding my voice to the group not happy with the forced script removal.

Used on my website for:

- Inline twitter widget
- AdSense Code
- RSSPump.com news widget

On about 249 pages.

Will be avoiding the upgrade until a work around is given

Brett

There are many ways today to work around this issue while also upgrading to a more secure version of DNN.

I should iterate the security fix ONLY removes script when saving the content in the HTML module.  One individual earlier in this thread said that the script was stripped from existing content - that is NOT true.  The script is removed when trying to save the content - either when creating a new instance of a module OR when updating the current module.

I would argue that the HTML/Text module is not the correct place to embed javascript in your page.  For all of the examples you use I would embed the javascript in my Skin or Container.  If I don't want it on every page I would have two versions of my Skin - one with the javascript widgets and one without.

Alternatively I would look at Will Strohl's Open Source Widgets.

Thirdly - you could add the necessary javascript to the Page Header under page settings, but the text editor can be used by registered or anonymous users and is not the right place to allow javascript to be entered.

We may decide to open up some ability in the future - but I would argue that we did the right thing for the right reason. When dealing with security issues, the first priority is closing the hole as quickly as you can before the information leaks out into the public domain.

Once we have had time to review and fully understand the issue then we can consider mitigating the impact to the average user - by allowing host users to add js or by allowing host users to enable it in certain places.

As a platform we need to protect our Reputation and this is what we did.

I would urge you to upgrade now - protecting your site should be your first priority - and as a Community lets figure out and document a better/safer way to do these types of things.

I do not want to start a flame war here at all, but I do want to at least add a little bit to this from the other side. Injecting scripts in this manner is something that has been allowed in DNN for years, and I mean YEARS. I've been doing it ever since I started using DNN back in the 3.x days.

Why is this important to note?  Well my concern here is quite simple, there are some things that you just have to do with script in the Text/HTML module, or within the editor.  Some examples have been given before and I can come up with a lot more if you want examples.  Google Analytics is one that I'd agree could better go in the skin or use a module, but some of the others are not quite that easy, and sometimes the scripts need to be integrated in the middle of content, etc.

My concern with this issue, and my 15+ customers that have already contacted me about this item have concerns that yes, it has been a security risk, sure, other ways for SOME stuff is possible, but in the end right now, they can upgrade, change something and "boom" be done with their stuff and have no way to go back unless they use other modules/solutions. 

I understand security is paramount, but at the same time one of the biggest selling points of DNN has been that you can do what you need as a content editor, this includes the ability to integrate stuff like JavaScript. In my site alone I have 4 objects that this will be an issue with and that will limit me from upgrading. One of the 4 could be mitigated, but the other will not get me the same look and feel if I change the implementation.


-Mitchel Sellers
Microsoft MVP, ASPInsider, DNN MVP
CEO/Director of Development - IowaComputerGurus Inc.
LinkedIn Profile

Visit mitchelsellers.com for my mostly DNN Blog and support forum.

Visit IowaComputerGurus.com for free DNN Modules, DNN Performance Tips, DNN Consulting Quotes, and DNN Technical Support Services
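Charles Nurse's point above that the fix removes script only when HTML module content is saved, and Sebastian Leupold's suggestion earlier in the thread of a permission that exempts superusers, as an added Python illustration that is not DNN or Telerik code (the role name, the stripping rules and the sample pages are constructed assumptions). The audit function goes beyond what the thread describes: it lists which module contents would be affected before a site upgrades.

```python
"""Save-time script filter with role gating; an illustration, not DNN or Telerik code."""
from html import escape
from html.parser import HTMLParser

class ScriptStripper(HTMLParser):
    """Rebuilds markup without <script> elements and on* event attributes."""
    def __init__(self):
        super().__init__(convert_charrefs=False)  # re-emit &amp; etc. verbatim
        self.out, self.removed, self.in_script = [], [], False
    def _tag(self, tag, attrs, close):
        line = self.getpos()[0]
        if tag == "script":
            self.removed.append(f"<script> at line {line}")
            self.in_script = not close  # <script/> has no body to skip
            return
        kept = ""
        for name, value in attrs:
            if name.startswith("on"):  # inline handlers are script too
                self.removed.append(f"{name} on <{tag}> at line {line}")
            else:
                kept += f" {name}" if value is None else f' {name}="{escape(value)}"'
        self.out.append(f"<{tag}{kept}{' /' if close else ''}>")
    def handle_starttag(self, tag, attrs): self._tag(tag, attrs, False)
    def handle_startendtag(self, tag, attrs): self._tag(tag, attrs, True)
    def handle_endtag(self, tag):
        if tag == "script": self.in_script = False
        else: self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.in_script: self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")
    def handle_comment(self, data): self.out.append(f"<!--{data}-->")

def filter_on_save(markup, user_roles, trusted_roles=("SuperUser",)):
    """Strip script at save time unless the saving user holds a trusted role (assumed name)."""
    if set(user_roles) & set(trusted_roles):
        return markup, []  # trusted editor: content stored as written
    p = ScriptStripper(); p.feed(markup); p.close()
    return "".join(p.out), p.removed

def audit_pages(pages):
    """Pre-upgrade check: which module contents would lose script on their next save."""
    return {name: removed for name, html in pages.items()
            for _, removed in [filter_on_save(html, [])] if removed}

SAMPLE_PAGES = {  # constructed sample content, not real site data
    "home": '<p>Hi</p><script type="text/javascript">var n = 1;</script><p>Bye</p>',
    "about": '<div class="team" onclick="showMap()">Team</div><br/>',
    "contact": '<p>Mail a&amp;b &lt;x&gt;</p><!-- note -->',
}
```

Content is only rewritten when it passes through the filter, so existing pages keep their script until someone edits and saves them, which matches the behaviour described above.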
 
Posted 11/3/2011 6:06 PM

The Javascript may NOT be stripped, but it does render it useless/block it/disable it. On my site it did after the upgrade. It's the reason I went into the html module in the first place. I poked around, made a change to the code and then... it was gone. Whatever the changes that were made to the core, if you're using scripts in the html module..... **beware**.

Great way to go into the DNN annual conference! 
 