DotNetNuke Forums
 
New Post 10/30/2008 6:25 AM
User is offline Steve Malkin
14 posts
10th Ranked


Preventing javascript in the Module Title 

I have noticed that when I add a text/html module to a page, I am allowed to enter javascript into the "Module Title:" box, and this code will be executed when the page loads.

e.g. try entering "<script>alert('malicious script')</script>" as the module title and the alert box will pop up when the page is loaded.

I would like to disable the possibility of entering script into the Module title field, does anyone know a way that I could do that?

Cheers

Steve

 

 
New Post 10/30/2008 6:52 AM
Online now... Rodney Joyce
1739 posts
www.smart-thinker.com
5th Ranked




Re: Preventing javascript in the Module Title 

I am not sure there is a way - but I can't think why I would want this - if the people who are changing mod titles wanted to, they could do a lot more damage without using XSS attacks - there may actually be a case where you want to use Jscript in a title (I use links in titles a lot) - do you not trust your module admins? (If they can edit the title they can insert script into the body/footers/text directly anyway?)


Thanks,
Rodney
 
New Post 10/30/2008 8:04 AM
User is offline Steve Malkin
14 posts
10th Ranked


Re: Preventing javascript in the Module Title 

Rodney,

It's not a huge problem, and we do generally trust people who we give editor rights not to do anything foolish.

But consider the situation where an admin has some 'finger trouble' and accidentally gives edit rights to 'registered users'  for that module rather than the proper editors group. I can prevent script from being entered into the RTE directly by configuration settings (we use Telerik RadEditor for our RTE) and the only other place they would be able to enter stuff is in the module title.

I can't think of any good reason why people should be able to enter scripts into the module title, so I'd just like to prevent the possibility of some nasty XSS attack by limiting input into that box to just plain text.

 

 
New Post 10/30/2008 3:13 PM
User is offline cathal connolly
2829 posts
www.cathal.co.uk
5th Ranked










Re: Preventing javascript in the Module Title 

As Rodney points out, it's long-standing functionality that's used by a lot of people, so we can't simply add an InputFilter to it as we would with any public input fields - please record an enhancement request at the public forum @ support.dotnetnuke.com so we can consider adding an optional solution in a future release.

Cathal
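
The plain-text module title discussed in this thread, sketched as an added example (not code from any poster or from DotNetNuke): reject markup when the title is saved and HTML-encode it when it is rendered, with an opt-in switch for sites that rely on links in titles. `ModuleTitlePolicy`, its methods, the 256-character limit and the `allowMarkup` switch are hypothetical names and values chosen for illustration.

```csharp
using System;
using System.Linq;
using System.Net;

// Hypothetical helper, not a DotNetNuke API: treats a module title as plain text.
public static class ModuleTitlePolicy
{
    private const int MaxLength = 256; // assumed limit for this example

    // Save-time check: reject instead of silently rewriting, so the editor sees why.
    // Returns null when the title is acceptable, otherwise an error message.
    public static string Validate(string input)
    {
        string candidate = (input ?? string.Empty).Trim();
        if (candidate.Length == 0) return "Title is empty.";
        if (candidate.Length > MaxLength) return "Title is too long.";
        if (candidate.Any(c => char.IsControl(c))) return "Title contains control characters.";
        if (candidate.IndexOfAny(new[] { '<', '>' }) >= 0) return "Title must be plain text (no markup).";
        return null;
    }

    // Render-time encoding is the actual XSS control: a title stored before the
    // save-time check existed is still displayed as text, not parsed as HTML.
    public static string Render(string storedTitle, bool allowMarkup)
    {
        string title = storedTitle ?? string.Empty;
        // allowMarkup is the opt-in for trusted sites that put links in titles.
        return allowMarkup ? title : WebUtility.HtmlEncode(title);
    }

    public static void Main()
    {
        // Constructed sample titles.
        string[] samples = { "Latest News", "<script>alert('malicious script')</script>", "Q&A <b>bold</b>" };
        foreach (string s in samples)
        {
            string error = Validate(s);
            Console.WriteLine("{0}", s);
            Console.WriteLine("  save:   {0}", error ?? "accepted");
            Console.WriteLine("  render: {0}", Render(s, false));
        }
    }
}
```

The save-time check only gives the editor feedback; the render-time encoding is what keeps a mistakenly granted edit permission from turning into script execution for every visitor.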

 