mack
  • YAF Commander Topic Starter
2009-01-28T09:08:08Z
I installed FCKeditor as my default editor. I haven't tried it, but thinking about this...

Using Firebug, you can edit web pages and it updates them locally. This makes it very easy to "hack" client-side scripts... such as FCKeditor's configuration scripts.

By modifying FCKeditor's configuration script, you can add the toolbar 'Source', with which you can then successfully edit the form's direct source code. You can add JavaScript, divs, etc. I added a div by clicking Source and YAF accepted it.

I'm not saying how to do this; it's not as simple as you may think, but it is possible, I would imagine.

Any thoughts on this?
test2005
2009-01-28T09:19:22Z

I seem to recall a similar discussion on this a while ago. The topic name escapes me though.

What you're describing is possible. However, if you tried to post back to the application, you would get a "..invalid viewstate..." error, or something like that (brain overloaded ATM). Now if someone had out-of-the-box security disabled in both ASP.NET and YAF AND was running the site in JIT mode, then you could do it. But, out of the box, compiled, not a snowball's.

M2CW

:)



.....the man in black fled across the desert..........and the gunslinger followed.....
mack
  • YAF Commander Topic Starter
2009-01-28T13:32:02Z
test2005 wrote:

I seem to recall a similar discussion on this a while ago. The topic name escapes me though.

What you're describing is possible. However, if you tried to post back to the application, you would get a "..invalid viewstate..." error, or something like that (brain overloaded ATM). Now if someone had out-of-the-box security disabled in both ASP.NET and YAF AND was running the site in JIT mode, then you could do it. But, out of the box, compiled, not a snowball's.

M2CW

:)

You sure? With Firebug I can rename text boxes, change HTML, etc., all from within Firebug. I don't see why you can't edit the client source 'config' file and add 'Source', which would add a source button on the rtb box.

I messed with it for 5 minutes.. I assume your browser will download a new version of the js file if it detects a change or outdated version on the client side.
Jaben
  • YAF Developer
2009-01-28T16:01:31Z
Not a security issue. Even if they have "source" access.

YAF accepts HTML fine -- it also filters out any HTML that's dangerous, of course. Everything is configurable.
mack
  • YAF Commander Topic Starter
2009-01-29T03:32:17Z
Jaben wrote:

Not a security issue. Even if they have "source" access.

YAF accepts HTML fine -- it also filters out any HTML that's dangerous, of course. Everything is configurable.

Sweet :-d
