
Vanilla 1.1.10 is a product of Lussumo. More Information: Documentation, Community Support.

    • CommentAuthor: T2
    • CommentTime: Dec 22nd 2005
     
    Hi Everybody,
    I would like to insert a link within the image description text of the large photo. Is this doable?

    Thanks,
    T2
    • CommentAuthor: ddejong
    • CommentTime: Dec 22nd 2005 (edited)
     
    It is entirely possible; it depends on whether the description text gets sanitized (before or after storage). If it does, remove the "htmlentities()"; if it doesn't, just go ahead.

    Edit:

    Obligatory Security Advisory: Yes, this will open you up to SQL injections and XSS attacks, but only from the admin interface. If your admin interface is compromised, your Plogger installation is kinda hooped anyway, so that wasn't really a consideration for the above. But do understand that htmlentities(), mysql_escape_string() and smartstripslashes() are used as a security precaution; removing them cannot but make your install less secure (something the Plogger team has been focused on of late).

    Cheers,
    Derek
    • CommentAuthor: T2
    • CommentTime: Dec 22nd 2005
     
    ddejong,
    Thanks for the speedy reply. Please excuse my ignorance, but I don't know what you mean by "sanitized". Could you please explain that?

    Thanks much,
    T2
    • CommentAuthor: ddejong
    • CommentTime: Dec 22nd 2005
     
    No problem, T2, though I was editing my comment as you replied.

    When a query gets submitted to the mysql database server, there are certain characters and commands that mean special things, and if we don't strip out any potentially harmful stuff (for instance, they could delete your Plogger settings, or add malicious javascript that sent your visitors to Bob's hacking, spyware or porn site), your installation and your visitors can be compromised. We escape anything that could be misinterpreted by mysql (if you've ever seen /' in your titles, etc., that's because we escaped them but didn't take the escape character back out), and htmlentities() takes out anything that would be interpreted as (x)html by the browser, like tags.

    Like I said above, because it's in the admin panel, you just have to be careful that nobody else gets access (e.g. by leaving yourself logged in on a public terminal) and that you don't do any of the above accidentally (very difficult, but it's not hard to do something more innocuous, like screwing up an sql query).

    Cheers,
    Derek
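As an added illustration of the alternative to removing the htmlentities() call (this is example code written for this thread, not code from Plogger or from Derek): keep the escaping exactly as it is, and afterwards recognise one restricted link markup so that only a whitelisted http(s) URL ever becomes an anchor. The [url=...]label[/url] syntax and the render_description() function are assumptions made for the example.

```php
<?php
// Example (not Plogger's own code): render a photo description with the
// existing htmlentities() escaping kept in place, then turn a restricted
// [url=http(s)://...]label[/url] markup into a real link. Raw HTML typed by
// the admin stays escaped; only scheme-checked URLs become href values.

function render_description(string $raw): string
{
    // Step 1: escape everything, as the current htmlentities() call does.
    // ENT_QUOTES also encodes ' and ", so nothing can close an attribute.
    $safe = htmlentities($raw, ENT_QUOTES, 'UTF-8');

    // Step 2: allow only [url=https://...]label[/url]. The URL must start
    // with http:// or https:// (so javascript: is never accepted) and may
    // not contain whitespace, brackets or raw quotes/angle brackets.
    // The label is already entity-encoded text from step 1.
    return preg_replace_callback(
        '~\[url=(https?://[^\s\]"\'<>]+)\](.*?)\[/url\]~i',
        function (array $m): string {
            // $m[1] went through htmlentities() too, so an & in the query
            // string is already &amp;, which is the correct attribute form.
            return '<a href="' . $m[1] . '">' . $m[2] . '</a>';
        },
        $safe
    );
}

// Constructed sample descriptions an admin might type.
$examples = [
    'See <b>this</b> [url=http://example.com/?a=1&b=2]my site[/url]',
    '[url=javascript:alert(1)]click[/url]',
    'Plain text with "quotes" and no link',
];

foreach ($examples as $raw) {
    echo render_description($raw), "\n";
}
// First line: See &lt;b&gt;this&lt;/b&gt; <a href="http://example.com/?a=1&amp;b=2">my site</a>
// Second line: the javascript: markup is left as escaped literal text, not a link.
```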
    • CommentAuthor: T2
    • CommentTime: Dec 22nd 2005
     
    Thanks ddejong!

    T2