Products

Evoq Content Overview Content Creation Workflow Asset Management Mobile Responsive Personalization Content Analytics SEO Integrations Security Website PerformanceEvoq Engage Overview Community Management  Dashboard  Analytics  Member Profile Gamification Advocate Marketing Community Engagement  Ideas  Answers  Discussions  Groups  Wikis  Events Mobile ReadyDNN Support PackagesEvoq: CMS FeaturesEvoq OnDemandCompare DNN's CMS Products

Solutions

Content Management SystemMulti-Channel PublishingDigital MarketingOnline Community ManagementIntranet Software SolutionOur CustomersPrime

Resources

Test DrivesSchedule A DemoDocumentation CenterWebinarsWhite PapersProduct ManualsRequest PricingData SheetsCase StudiesEvoq Preferred Products Content Management Ecommerce Forms Identity Management and Authentication Site Management Social Themes

Partners

DNN Partners Partner Directory Become a DNN Partner Partner Program Overview  Hosting  Implementation  ISV  Training  Competencies

Community

Participate Ask a Question Forums Community Showcase DNN MVP  Program Overview  Lifetime MVPs  Honorary MVPs Subscribe to DNN Digest Advisory Groups  Awareness Advisory Group  Developer Advisory Group  Partner Advisory Group  Technology Advisory GroupLearn Documentation Wiki Community Blog Video Library Project History Development RoadmapDownload DNN Store Language Packs Manuals Nightly BuildsSecurity Policies Security Center

Blog

About

News Press Releases News Coverage Press KitCareersContact DNN

QA

Ideas Test

New Community Website

Ordinarily, you'd be at the right spot, but we've recently launched a brand new community website... For the community, by the community.

Yay... Take Me to the Community!

Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.
In order to participate you must be a registered DNNizen
HomeHomeOur CommunityOur CommunityGeneral Discuss...General Discuss...Telerik HTML Editor in DNN 6.1.0Telerik HTML Editor in DNN 6.1.0
Previous
 
Next
New Post
11/3/2011 6:18 PM
 
Lee Drake


www.os-cubed.com
Joined: 5/2/2008
Posts: 29
Charles Nurse wrote:
Brett Levert wrote:
Adding my voice to the group not happy with the forced script removal.

Used on my website for:

- Inline twitter widget
- AdSense Code
- RSSPump.com news widget

On about 249 pages.

Will be avoiding the upgrade until a work around is given

Brett

There are many ways today to work around this issue while also upgrading to a more secure version of DNN.

Yeah - name me one that won't take hundreds of hours of updates.  I have customers that balk at spending 2-5 hours on just upgrading to a new revision.  By forcing this situation down our throats you basically guarantee that 90% of my customers will not be updating and be using less secure versions of your products.  Every customer I've told about this issue has said - leave my site alone, we can't afford the time to visit every module looking for code and extract it out into some other tool.

I should iterate the security fix ONLY removes script when saving the content in the HTML module.  One individual earlier in this thread said that the script was stripped from existing content - that is NOT true.  The script is removed when trying to save the content - either when creating a new instance of a module OR when updating the current module.

And how, pray tell is a user to know BEFORE editing that the thing they edited with the INVISIBLE script is going to be destroyed in a way that is irrecoverable as soon as they press the save button.  Without any warning that script content is being disabled.  And while removing content the USER ENTERED as they save it.  I've already rolled two clients back a revision because they unknowingly edited an essential tool in their system, destroying the content and couldn't recover from it, and lost revenue or transactions because you decided to play god and remove an existing feature without notice.

I would argue that the HTML/Text module is not the correct place to embed javascript in your page.  For all of the examples you use I would embed the javascript in my Skin or Container.  If I don't want it on every page I would have two versions of my Skin - one with the javascript widgets and one without.

You can argue that all you want.  I have users with hundreds of pages, with various customized advertising, tracking, video, flash and other scripts loaded.  Your change, if implemented without a workaround involves HUNDREDS of hours of work to undo those scripts.  If you wanted to argue the time to do it would be before you made changes to an open source core that destroy people's sites when they upgrade - not after.  This is the kind of arrogant vendor attitude that makes users furious - and convinces them to just move their content elsewhere.  If they're editing it anyway to modify all the scripts - they might as well just move it to another platform, or leave it as is and "risk it".  Most of my end users don't even know how to change skin or container, and don't ever want to.  That's why they have a CMS system - so they needn't go into the underpinnings and make code changes to add content to their page.  Scripts are content.  Frequently scripts CONTAIN content.  That content frequently needs to be mixed and added to the html content that is on the page - within the same module or container, not in a separate one.  That is why they picked the DNN product - they have the flexibility to perform things like that.  90% of the embedded scripts on my customer's sites are content related - advertising, widgets, etc.  probably 70% are there without my knowledge - the customer put them in themselves.   Are you saying that a user should be expected to make a skin change or write custom module code to put that content on their page?  Ridiculous.

Alternatively I would look at Will Strohl's Open Source Widgets.

Again - they're going to edit HUNDREDS of pages looking through their content for embedded hidden scripts to find the ones to export out to an entirely different module.  Whoops - they wanted to mix and match the script code with their html content - can't do that, sorry.
Thirdly - you could add the necessary javascript to the Page Header under page settings, but the text editor can be used by registered or anonymous users and is not the right place to allow javascript to be entered.

There is a perfectly suitable solution for this built into Telerik - it already has ROLE BASED PERMISSIONS.  There is a tag for whether to allow scripts to be embedded or not.  We can control that setting.  YOU chose to ignore it.  You also chose to put this at the core level, rather than leaving it up to the HTML editor provider so we can't even sub in a different HTML editor to fix the problem.

You can't add the javascript for an inline advertising script anywhere but where you want the inline advertising script to appear.

We may decide to open up some ability in the future - but I would argue that we did the right thing for the right reason.  When dealing with Security issues, the first priority is closing the hole as quickly as you can before the information leaks out into the public domain.  

So I guess this means - you are right, and every user whose ever entered a script in an html module (which we've all been doing for years mind you) is wrong.  I guess that the "community" in the case of this application is you.  Not us.  Interesting.  Maybe it should be renamed from "Community Edition" to something more appropriate.  Perhaps it's time for the community to take the core back and fork it so that we can create a version that serves our needs.

Once we have had time to review and fully understand the issue then we can consider mitigating the impact to the average user - by allowing host users to add js or by allowing host users to enable it in certain places.

We don't provide our clients with host user access.  Admin access should be all that is required.  Of course you could create a separate security role and use the built in Telerik configuration tool to determine which security roles are allowed to add script.  Just host is an unacceptable solution - many admin level clients have very legitimate reasons for allowing scripts to be embedded.  I do NOT want them also installing modules, and all the other things that hosts are allowed to do. 

That is a decision for the hosting company, the client and the developer.  Not for you.  I'll tell you what - you do this for your commercial customers and fork the core for the rest of us.  You can explain to them why you took a feature away from them and they are going to pay you $2500 a year for less functionality, as well as their vendor thousands of dollars to export all their code.  You can also explain why they have to give their admin level users host access so that they can get into the system to do their jobs.

As a platform  we need to protect our Reputation and this is what we did.

Let's see - no reputation loss or news anywhere that I've seen about the former state of things which EXISTED FOR 10 YEARS OR SO.  NOW however your users are all complaining about you taking a feature away that is going to cost them thousands of dollars and hundreds of man hours to fix but that's not a loss of reputation?

I would urge you to upgrade now - protecting your site should be your first priority - and as a Community lets figure out and document a better/safer way to do these types of things.

Not one of my production customers (commercial or CE) will upgrade until you resolve this issue - I won't allow it, too much risk of irrevokably destroying important content on their site.  It is too costly for most of my users.  There is no risk that they perceive to leaving it as it is, and it will cost them thousands to upgrade to the new revision as they plow through their pages looking for and somehow modifying code so it works.  Fix the security issue without breaking their sites.  Then we'll talk.

 
 
New Post
11/3/2011 7:24 PM
 
Charles Nurse


Charles Nurse's Avatar

Charles Nurse's Avatar

Joined: 2/9/2004
Posts: 3652
Mitchell, Lee,  Steven, Alain and others

So my problem here in defending/explaining what we did is that I cannot provide the whole story in order to explain this, because if I did I would be guilty of exposing the security threat to you (and others) - and thereby allowing malicious users the opportunity to exploit it.

What I can say is we received notice of this issue very close to our planned release date, and we were told that the exploit details would be made public soon and we should fix it quickly.

So, yes, we may have used a sledge hammer to crack a nut, but that's the nature of security issues - the first priority is to block the hole and get a fix out to users ASAP - we need to be responsible to the 500,000 users out there whose sites might be at risk.

The argument that the hole has been there for years is not valid IMHO - as a security hole is quite safe if nobody is aware of the exploit.  As soon as the exploit is made public we need to fix it.

Honestly - we do understand your frustration - we are working on a better long term solution but we made a decision to fix the security issue now - a decision I think most users in the Community (like Jan) will be happy with.
Charles Nurse
Chief Architect
Evoq Content Team Lead,
DNN Corp.

Want to contribute to the Platform project? - See here 		MVP (ASP.NET) and
ASPInsiders Member
View my profile on LinkedIn
 
New Post
11/4/2011 6:54 PM
 
Kevin Bauer

Joined: 8/21/2009
Posts: 5

While I agree that removing the script tags is more secure, we have too many users in our environment who have added script tags to their sites using the RadEditor provider for the HTML module. In our case, removing script tags has the potential to break hundreds of pages on dozens of sites. I found out about this change too long after upgrading to roll back, so I came up with a workaround for those who are interested. If you haven't already done so you'll need download the complete source version of DotNetNuke and install it on a dev machine. Because this workaround requires changing the source code and recompiling DotNetNuke.dll I won't recommend it as a permanent solution, but it works as a temporary solution.

The part of the DNN code that strips out the tags is found in the DotNetNuke.Library project, in the /UI/Usercontrols folder in a file called TextEditor.cs. You'll need to edit the "get" method for the public property "Text", as follows:

public string Text {
get {
PortalSecurity ps = new PortalSecurity();
string filterValue = string.Empty;

// DNN 6.1 Filters out > tags by default. We don't want this behavior
// so we'll just pass back the text from the editor without modifying it.
//filterValue = ps.InputFilter(TxtDesktopHTML.Text, PortalSecurity.FilterFlag.NoScripting);
filterValue = TxtDesktopHTML.Text;
switch (OptView.SelectedItem.Value) {
case "BASIC":
switch (OptRender.SelectedItem.Value) {
case "T": return Encode(HtmlUtils.ConvertToHtml(filterValue.ToString()));
//break;
case "R": return filterValue.ToString();
//break;
default: return Encode(filterValue.ToString());
//break;
}
default: return Encode(_richTextEditor.Text);
//return Encode(ps.InputFilter(_richTextEditor.Text, PortalSecurity.FilterFlag.NoScripting));
}
}
set {
if (!String.IsNullOrEmpty(value)) {
TxtDesktopHTML.Text = Decode(HtmlUtils.ConvertToText(value))
; _richTextEditor.Text = Decode(value);
}
}
}

Once you've made that change you need to recompile your solution, which should generate a brand-new DotNetNuke.dll reflecting your changes. The final step is to copy your new DotNetNuke.dll to the bin folder of your production server and you should be able to save script tags in your HTML module. Like I said, this is a temporary solution, as you'll need to make these changes to the code every time you upgrade. 

As far as future DNN releases are concerned, I think too many users are in the same situation as we are and have too many instances of the HTML module with script tags in them to dig through and move them to the page header or a third party module. As a compromise for future releases I'm in favor of removing the filtering of script tags from the DNN source code and instead relying on the RadEditor's native content filtering. I believe it's already been pointed out that the HTML Editor configuration page allows you to create different RadEditor Settings for different Security Groups. If DNN relied solely on the RadGrid's content filtering then people could just turn on the RadGrid's native content filtering for Registered Users and turn it off for Administrators. That way site administrators could have the flexibility they need without sacrificing security. Failing that, future releases of DotNetNuke could use a host or portal setting to determine whether to filter script tags or not. From what I've seen of the code it doesn't seem like it'd be that hard to change it to check against the host or portal settings before removing the script tags. 

In any event, I hope this code proves useful to someone, and I apologize for the length of the post. I'm definitely curious to see how this issue plays out in future releases.

 
New Post
11/4/2011 7:31 PM
 
Sebastian Leupold


Sebastian Leupold's Avatar

Sebastian Leupold's Avatar

Sebastian Leupold's Avatar

Sebastian Leupold's Avatar

www.dnnwerk.de
Joined: 3/8/2004
Posts: 46212
Kevin B. wrote:

The part of the DNN code that strips out the tags is found in the DotNetNuke.Library project, in the /UI/Usercontrols folder in a file called TextEditor.cs. You'll need to edit the "get" method for the public property "Text

 Kevin,
you are right, this is where the change has been made - I was unable to locate it looking at source code on Codeplex, which seems to be dated - what I didn't expect from an open source project.

Cheers from Germany,
Sebastian Leupold

dnnWerk - The DotNetNuke Experts   German Spoken DotNetNuke User Group

Speed up your DNN Websites with TurboDNN
 
New Post
11/5/2011 9:46 PM
 
Wes Tatters


Wes Tatters's Avatar

Joined: 4/30/2004
Posts: 2155
Charles et al.

I think it would be fair to say that this "Security Patch" is about as elegant as telling a user to turn off their internet connection and never turn it on again if they dont want to get viruses.

The growth in popularity of things like jQuery means that many sites ARE looking to embed script as part of their html.  The same goes for any number of different 3rd party advertising and clickback tracking tools out there that rely on small blocks of script code being injected into pages.

Loading these scripts into a PAGE HEADER is not really an option - and well given that if a user already has permission to access the Page Header area or add a module like Wills script injector - the horse is already out of the gate - those people already have the access they need to put malicious script onto your site WITHOUT worrying about SCRIPT being stripped from a HTML module.

By using this sledge hammer you are actually in effect causing deliberate damage to many previously fully functional DNN web sites.  And at the same time preventing any such sites that are effected from upgrading to new dnn versions.

A far better solution would have been to make this "STRIPPING" an OPTION for upgraded sites ... Ever if it was a feature that was turned on by default - with an option for sites that understand the issues to be able to deactivate it.

For many of our sites where the ONLY users that access to HTML modules are admins - this would be a far better approach.

Frankly though this once again strikes me as yet another bad knee jerk decision - poorly thought out and even more badly implemented.

For a supposedly mature product - these actions continue to demonstrate the lack of system architecture fore-thought. 

And worse still - all this demonstrates once again the pointlessness of DNN beta releases - we download and test beta products on the basis that we are part of a process - yet it seems every time a beta ends with MAJOR core changes that fall thru to release without any proper testing or real world evaluation.

Westa
 
 Page 6 of 14
Previous123...567...14Next 
Previous
 
Next
HomeHomeOur CommunityOur CommunityGeneral Discuss...General Discuss...Telerik HTML Editor in DNN 6.1.0Telerik HTML Editor in DNN 6.1.0


These Forums are dedicated to discussion of DNN Platform and Evoq Solutions.

For the benefit of the community and to protect the integrity of the ecosystem, please observe the following posting guidelines:

  1. No Advertising. This includes promotion of commercial and non-commercial products or services which are not directly related to DNN.
  2. No vendor trolling / poaching. If someone posts about a vendor issue, allow the vendor or other customers to respond. Any post that looks like trolling / poaching will be removed.
  3. Discussion or promotion of DNN Platform product releases under a different brand name are strictly prohibited.
  4. No Flaming or Trolling.
  5. No Profanity, Racism, or Prejudice.
  6. Site Moderators have the final word on approving / removing a thread or post or comment.
  7. English language posting only, please.
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out