Removing tags variable from Reflect URL - My Forums

Re: Removing tags variable from Reflect URL

mrhaw — Jun 19, 2014, 03:24 PM

Quote from: mrhaw at Jun 20, 2010, 06:37 PM

Good catch of xss there!

Fix: Line 201 in tagging.extender.inc.php
$getTags = !empty($_GET[$dittoID.'tags']) ? strip_tags(trim($_GET[$dittoID.'tags'])) : false;
~~This should be added to JIRA for Ditto.~~ Done.

Way better $modx->stripTags()
https://github.com/mrhaw/evolution/commit/0fc2ccb08e2472cb57f405a20c518a6fc06c2b5c
https://github.com/modxcms/evolution/pull/279

Re: Removing tags variable from Reflect URL

hotdiggity — Jun 21, 2010, 07:16 AM

Thanks - great!

Re: Removing tags variable from Reflect URL

mrhaw — Jun 20, 2010, 01:37 PM

Good catch of xss there!

Fix: Line 201 in tagging.extender.inc.php

$getTags = !empty($_GET[$dittoID.'tags']) ? strip_tags(trim($_GET[$dittoID.'tags'])) : false;

~~This should be added to JIRA for Ditto.~~ Done.

Re: Removing tags variable from Reflect URL

esche — Jun 20, 2010, 09:50 AM

Quote from: mrhaw at May 11, 2010, 08:59 PM

Yes! Using regex I’d think.

I did it without phx, but with an additional snippet

runSnippet('Reflect', array(
'targetID' => 3,
'config'=>'wordpress' ,
'path'=>'3' ,
'tplContainer'=>'reflect_tpl',
'dittoSnippetParameters'=>'parents:3',
'id'=>'wp_',
'getDocuments'=>'1'
));
// echo $tmp; // Reflect's result 

$tmp = preg_replace ('/(&)?(wp_)?tags=[^&"]*(&)?(start=0&)?/is','',$tmp);
// clear url string wp_tags=xxx (from ditto) tags=xxx, start=0 (taglinks)  

echo $tmp;
//  [!Reflect? &config=`wordpress` &targetID=`3` &path=`3` &tplContainer=`reflect_tpl` &dittoSnippetParameters=`parents:3` &wp_tags=`` &id=`wp_` &getDocuments=`1`!]
?>

But two moments:

1. Similar pages: Ditto and Reflect add to URL links all $_GET parameters (it is one way to make "double pages":
_http://domain.tld/ditto_page?day=... &blabla=5 - this page make a lot reflect’s links with "...&blabla=5"

2. XSS: page _http://domain.tld/ditto_page?tags=http://modxcms.com>modxcms when use [+tags+] in content display link to any page

Any solutions?

ps. Sorry for my English...

Re: Removing tags variable from Reflect URL

mrhaw — May 11, 2010, 03:59 PM

Yes! Using regex I’d think.

Re: Removing tags variable from Reflect URL

hotdiggity — May 10, 2010, 09:53 PM

The placeholder for the Reflect URL is [+url+] - shouldn’t it be possible to use pHx to filter out tags in this placeholder?

Re: Removing tags variable from Reflect URL

hotdiggity — May 10, 2010, 08:30 PM

Like tagging in general?!

Re: Removing tags variable from Reflect URL

mrhaw — May 10, 2010, 08:17 PM

~~Here is one approach http://modxcms.com/forums/index.php/topic,37590.0.html~~

You need to edit the code to not preserve current url vars... as it uses Ditto
changing it will most likely break other functions!

Re: Removing tags variable from Reflect URL

hotdiggity — May 10, 2010, 06:27 PM

Would it be a matter of custom configuring no tags in the wordpress.config.php file?

Re: Removing tags variable from Reflect URL

hotdiggity — May 07, 2010, 12:40 AM

Seems this would be a limitation with using Reflect and Ditto tagging together in the same blog. Can’t find any documentation about configuring Reflect to ignore url tag variable, or have I missed something?