Textpattern CMS support forum

#13 2014-04-12 11:44:25

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,011

Re: how visitors can submit their article

Can you post the code you are using?


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#14 2014-04-13 05:31:54

raminrahimi
Member
From: India
Registered: 2013-03-19
Posts: 276

Re: how visitors can submit their article

I tried with three different codes, but I am still receiving all paragraphs as one joined paragraph in the body area of the article:

1:====>

<txp:zem_contact to="myemail@gmail.com">
	<txp:zem_contact_text name="custom_2" label="Name" />
	<txp:zem_contact_email label="E-mail" />
	<txp:zem_contact_text name="title" label="Title" />
	<txp:zem_contact_textarea name="body" label="Body" />
	<txp:zem_contact_submit label="Send" />
	<txp:etc_zemcontact section="default1" authorid="visitor" status="1" />
</txp:zem_contact>

2:===>

<txp:zem_contact to="myemail@gmail.com">
	<txp:zem_contact_text name="custom_2" label="Name" />
	<txp:zem_contact_email label="E-mail" />
	<txp:zem_contact_text name="title" label="Title" />
	<txp:upm_textile_restricted>
		<txp:zem_contact_textarea name="body" label="Body" />
	</txp:upm_textile_restricted>
	<txp:zem_contact_submit label="Send" />
	<txp:etc_zemcontact section="default1" authorid="visitor" status="1" />
</txp:zem_contact>

3:===>

<txp:zem_contact to="myemail@gmail.com">
	<txp:zem_contact_text name="custom_2" label="Name" />
	<txp:zem_contact_email label="E-mail" />
	<txp:zem_contact_text name="title" label="Title" />
	<txp:upm_textile>
		<txp:zem_contact_textarea name="body" label="Body" />
	</txp:upm_textile>
	<txp:zem_contact_submit label="Send" />
	<txp:etc_zemcontact section="default1" authorid="visitor" status="1" />
</txp:zem_contact>

Offline

#15 2014-04-13 07:07:51

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,011

Re: how visitors can submit their article

Did you try?

<txp:upm_textile>
	<txp:zem_contact to="myemail@gmail.com">
		<txp:zem_contact_text name="custom_2" label="Name" />
		<txp:zem_contact_email label="E-mail" />
		<txp:zem_contact_text name="title" label="Title" />
		<txp:zem_contact_textarea name="body" label="Body" />
		<txp:zem_contact_submit label="Send" />
		<txp:etc_zemcontact section="default1" authorid="visitor" status="1" />
	</txp:zem_contact>
</txp:upm_textile>

Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#16 2014-04-13 08:48:18

raminrahimi
Member
From: India
Registered: 2013-03-19
Posts: 276

Re: how visitors can submit their article

Yes, I did, but I still have the problem :-(

Offline

#17 2014-04-13 12:14:54

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533

Re: how visitors can submit their article

I would highly recommend not saving content from a public form as articles, unless you don’t care if your site gets hacked. I recommend using your storage for that type of custom content, as Textpattern’s articles can not be used as safe storage.

While etc_zemcontact sanitizes and encodes the input similarly to Textpattern’s comments, and itself is safe in that regard, the article editor, on the other hand, still uses the full-featured Textile parser and allows the use of templating tags and server-side code. This essentially creates a persistent RCE vulnerability that activates as soon as you re-save the article. As soon as you even remotely touch the article on the admin side, its contents will be re-parsed, activating the payload, and the remote code gets executed on the next page view. At that point you can say goodbye to your site.

Using articles as storage is very dangerous. Do not do it, despite whatever anyone says or is said in some guide.

Last edited by Gocom (2014-04-13 12:20:31)

Offline

#18 2014-04-13 15:41:50

raminrahimi
Member
From: India
Registered: 2013-03-19
Posts: 276

Re: how visitors can submit their article

Hi Gocom,
I appreciate your ideas and recommendations :-)
But I think those plugins are safe, I mean hacking-proof. What do you think, isn’t it?
Hmmmm, it means I’ve to ignore that system if my site’s security goes low!
I’ve a news website and people are submitting their news, so what do you suggest to me for that system?

Offline

#19 2014-04-15 09:01:28

moon blake
Member
From: near Hannover, Germany
Registered: 2009-07-16
Posts: 76

Re: how visitors can submit their article

Gocom wrote #280216:

I would highly recommend not saving content from a public form as articles, unless you don’t care if your site gets hacked. I recommend using your storage for that type of custom content, as Textpattern’s articles can not be used as safe storage.

Using articles as storage is very dangerous. Do not do it, despite whatever anyone says or is said in some guide.

Thanks for the warnings, Jukka. Would you consider it still as dangerous if the public form for submitting an article is only visible for logged-in users?

Offline

#20 2014-04-15 11:34:14

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: how visitors can submit their article

moon blake wrote #280240:

Thanks for the warnings, Jukka. Would you consider it still as dangerous if the public form for submitting an article is only visible for logged-in users?

Yes, depending on who those users are. You should only accept articles from users you are willing to give full access to the admin-side interface. Those same potential persistent RCE, XSS and CSRF vectors exist regardless. The least you want to do is to:

  • Disable plugins (Textpattern’s template tags can be used to execute any functions from the codebase).
  • Disable PHP tags (as those allow injecting PHP into those articles).
  • Lay and pray that no template tags can be used to RCE (as template tags can still be used to execute any function from the Textpattern codebase, not just tag handlers).
  • And you need to screen all articles very carefully before you re-save them, and do not use the preview feature (as the preview would execute any injected code).

And even then the admin-side interface has some persistent XSS spots (that can be exploited through stored content and non-CSRF-protected requests). The only real option you have is to use something other than articles to store user content on 4.5.x and older.

On the current dev branch (4.6.0-dev), on the other hand, you can use articles if you create a new TextFilter that runs the content through PHP-Textile in restricted parser mode. Articles, and the admin-side interface, are safe in 4.6.0 and do not open up non-designed XSS and RCE vectors as long as the content is processed properly.

raminrahimi wrote #280219:

What do you think, isn’t it?

I outlined the reasons in my previous post. But you can of course go against my recommendations. As a developer of Textpattern, I can clearly say that Textpattern’s articles are not designed for that purpose and the whole system is filled

Last edited by Gocom (2014-04-15 11:44:42)

Offline
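The mitigation Gocom describes in #17 and #20 (process visitor-submitted content with PHP-Textile's restricted parser mode rather than the full article Textile), as an added example that is not code from this thread, from Textpattern or from etc_zemcontact. It assumes the netcarver/textile package is installed via Composer; the function names are mine, and wiring the filter into a Textpattern 4.6 TextFilter is not shown.

```php
<?php
// Added example: run a visitor-submitted article body through PHP-Textile in
// restricted mode and check that no template tag or raw HTML survives
// unencoded. Assumes netcarver/textile (PHP-Textile) from Composer.
require __DIR__ . '/vendor/autoload.php';

use Netcarver\Textile\Parser;

// Restricted Textile: raw HTML is encoded, images are disabled and links get
// rel="nofollow", so a stored '<txp:...>' tag can never be parsed as a tag.
function filterSubmission(string $body): string
{
    $parser = new Parser('html5');

    return $parser
        ->setRestricted(true)
        ->setLite(true)
        ->setImages(false)
        ->setLinkRelationShip('nofollow')
        ->parse($body);
}

// The check to run before anything is stored as an article: a literal
// '<txp:' or '<script' in the output would be re-parsed on the admin side.
function looksSafe(string $html): bool
{
    return stripos($html, '<txp:') === false
        && stripos($html, '<script') === false;
}

// Constructed sample submission (hypothetical visitor input, not real data).
$submission = "First paragraph of the news item.\n\n"
    . "Second paragraph with *emphasis* and a <txp:site_name /> tag.\n\n"
    . "<script>/* constructed marker */</script> Third paragraph.";

$restricted = filterSubmission($submission);
$full       = (new Parser('html5'))->parse($submission); // full Textile, for contrast

echo "Restricted output:\n", $restricted, "\n\n";
echo "Restricted output passes check: ", var_export(looksSafe($restricted), true), "\n";
echo "Full-mode output passes check:  ", var_export(looksSafe($full), true), "\n";
```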

Powered by FluxBB