
bbPress formatting issue #347

Closed
romik84 opened this issue Apr 16, 2016 · 25 comments

@romik84

romik84 commented Apr 16, 2016

Hi,

The new version 2.8.3 strips the formatting of bbPress threads and displays them as plain text. Thanks.

@alexstine

Hello,
Same problem here; the possible issue in the code can be located below.
https://wordpress.org/support/topic/crayon-plugin-strips-tags-on-my-forum-content#post-8288720

Thanks.

@aramk
Owner

aramk commented Apr 25, 2016

The removal of the tags was in response to the plugin being pulled due to a potential XSS (Cross-Site Scripting) issue. If a script tag or attribute is included in the tags, it can execute this when the page renders. I'll need to work towards a solution to allow all safe tags.


@aramk
Owner

aramk commented May 2, 2016

Ideally I'd like to blacklist any event attributes like onload and not whitelist all possible tags, since this would tamper less with user input.

@alexstine

Hello,
True; however, I would not know how to do this in PHP. This seems like a quick fix until we can figure something else out.

Thanks.

@aramk
Owner

aramk commented May 2, 2016

Can you download the zip for 9e47ee4 and give it a go? It should only scrape script tags and event attributes, which is sufficient to prevent XSS attacks, I think.
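The filter that the two aramk comments above describe (drop script tags and event-handler attributes, keep every other tag the bbPress post carries), as an added PHP example that is not the plugin's own code; the function name and the sample reply are my own assumptions, and the example uses PHP's DOM extension rather than regular expressions.

```php
<?php
// Added example, not crayon-syntax-highlighter's own code: the deny-list filter
// described in the thread (remove <script> elements and on* event attributes,
// keep the rest of the bbPress markup) built on PHP's DOM extension (ext-dom).
// The allowlist alternative in WordPress is wp_kses_post(); it needs WordPress
// loaded, so it is not used in this stand-alone example.
function strip_scripts_and_event_attributes(string $html): string
{
    // Wrap the fragment so libxml parses it as a UTF-8 document with a <body>.
    $wrapped = '<!DOCTYPE html><html><head><meta charset="utf-8"></head><body>'
             . $html . '</body></html>';

    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // silence warnings on unknown HTML5 tags
    $doc->loadHTML($wrapped);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $xpath = new DOMXPath($doc);

    // 1. A <script> element cannot be made safe by editing it, so remove it whole.
    foreach ($xpath->query('//script') as $script) {
        $script->parentNode->removeChild($script);
    }

    // 2. Remove every attribute whose name starts with "on" (onload, onerror, ...).
    //    An XPath result is a static list, so removing while iterating is safe.
    foreach ($xpath->query('//@*') as $attr) {
        if (stripos($attr->nodeName, 'on') === 0) {
            $attr->ownerElement->removeAttributeNode($attr);
        }
    }

    // Serialise only the children of <body> so the wrapper does not leak out.
    $out  = '';
    $body = $doc->getElementsByTagName('body')->item(0);
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample bbPress reply: formatting that must survive (<p>, <a>, <pre>)
// plus the two patterns the fix removes (an on* attribute and a <script> element).
$reply = '<p>Try <a href="https://example.com/docs" onclick="track()">this</a>:</p>'
       . '<pre class="lang:php">echo "hi";</pre>'
       . '<img src="diagram.png" onload="track()">'
       . '<script>track()</script>';

echo strip_scripts_and_event_attributes($reply), PHP_EOL;
```

A deny-list only covers the patterns it names, so where the tags it keeps are acceptable, WordPress's allowlist-based wp_kses_post() is the more robust choice for user-submitted content.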

@alexstine

Hello,
I will try to test it on my test site by the end of the week.

Thanks.

@alexstine

Hello,
Where and how do I download this .zip folder?

Thanks.

@aramk
Owner

aramk commented May 3, 2016

You can find it on the main github page for the project. The direct link is here: https://github.com/aramk/crayon-syntax-highlighter/archive/master.zip

@aramk
Owner

aramk commented May 6, 2016

I've had another user verify by email that the fix worked. I'll wait for a few others to confirm here before releasing.

@alexstine

Hello,
Sorry for being lazy and not getting this tested as fast. It seems to be working; I would go ahead and push the update. Then you can let the users point out any more bugs. With that line of code commented out, that leaves your site open to all kinds of bad code.

Thanks.

@aramk
Owner

aramk commented May 7, 2016

Would you be able to test the latest download again? I've made a further change to return plain text from the AJAX call, but it shouldn't affect the bbPress highlighting, which is still working for me.

@alexstine

Hello,
I just used your link above to download it again. I am guessing this is what you wanted us to test. I will test this in the next couple of hours and post back.

Thanks.

@alexstine

Hello,
I just tested it from the link above; now this error is showing.

Warning: Missing argument 2 for CrayonUtil::strip_event_attributes(), called in /public_html/wp-content/plugins/crayon-syntax-highlighter/crayon_wp.class.php on line 204 and defined in /public_html/wp-content/plugins/crayon-syntax-highlighter/util/crayon_util.class.php on line 851

Thanks.

@aramk
Owner

aramk commented May 7, 2016

Thanks for testing. I've fixed that issue. That was a warning, so it should otherwise be working?

@alexstine

Hello,
Yes, it is working. Should I download and install the latest version again so that warning goes away?

Thanks.

@aramk
Owner

aramk commented May 7, 2016

Great! Up to you, but I should be able to publish this soon. Waiting on feedback from one more person.


@alexstine

Hello,
Alright, sounds good. I will go ahead and install the latest version to make the warning go away and check just to make sure everything is working well.

Thanks.

@alexstine

Hello,
Just checked again; now the warning is gone.

Thanks.

@alexstine

Hello,
Um, the update you released tonight has a major problem that needs to be fixed immediately. The update strips the paragraph tag from the bbPress topic and reply content.

Could you please look into this? The beta version worked fine; you release the update and it screws up my forum. Not cool.

Thanks.

@aramk
Owner

aramk commented May 8, 2016

Hi, 2.8.3 is still the latest version released through Wordpress plugins. I haven't released anything yet. I suspect you updated back to this version from the 2.8.4 beta. Since the beta is not released, it will ask you to update to the latest (2.8.3) which reverted the fixes in 2.8.4 beta.

@alexstine

Hello,
That makes sense. Please update this when you push the new version out.

Thanks.

@harrymilatz

Hello,

Will there be an update (maybe just an update of the readme.txt) for WordPress 4.5.x?

I found no issue at the moment, so it could be enough to change the "tested up to" tag in the readme.txt.

In the last updates the "tested up to" tag wasn't changed.

Best regards,
Harry

@aramk
Owner

aramk commented May 11, 2016

Updated this in e881910. Version 2.8.4 has been released.

@aramk aramk closed this as completed May 11, 2016
@luxint66

Thanks for the update. It's not stripping HTML from my forum now, but it is stripping jwplayer <script> tags. Is there a way to whitelist certain tags without hacking the code?

Thanks

Lux
