Welcome to Geeklog Friday, August 14 2020 @ 04:16 am EDT

Security

Suggestions for filtering CSS url( ) images?

  • Thursday, January 30 2003 @ 06:19 am EST
  • Contributed by:
  • Views: 15,860
Security

While playing with what sorts of HTML I could include in a message I managed to get a logo to appear overtop of the site logo via a CSS url() call. Neat thought it was a neat hack personally but now I've got potential clients ("suits") who are concerned about having porn added to their sites.

There is an example in this message, you should be able to see an example image just under the Geeklog logo in most browsers.

It only takes a few minutes of playing with this to see how much stuff you can do with it. (Using position:fixed; can be really annoying)

I was just going to add a bunch of eregi() calls but thought I'd ask around here first for opinions/suggestions/comments on filtering out stuff like this without crippling GeekLog's HTML inclusion facility.

Editors note: here is the example code:

style="position:absolute;top:100px;left:100px;
width:200px;height:101px;z-index:100;
background-image:url('http://www.example.com/someimage.gif');
border:0;margin:0;padding:0;display:block"

--
Lucas Thompson
sardu@mac.com

There are 14 security groups and no explanation.

  • Wednesday, January 29 2003 @ 10:04 am EST
  • Contributed by: Anonymous
  • Views: 4,991
Security What do these security groups do? The GL documentation is useless once you get past the install process. Where is the Admin Documentation?

But most importantly. I have to start using my GL but I am affraid to give rights to any of my different moderators, because I don't know what they enable/disable.

Please point me to an answer.

Geeklog 1.3.7 Security Issues (and update)

  • Monday, January 13 2003 @ 11:20 am EST
  • Contributed by:
  • Views: 8,900
Security

Several security issues have been found in Geeklog (see below for details). We are therefore releasing Geeklog 1.3.7sr1 as well as an upgrade archive. If you are running Geeklog 1.3.7, you can use the upgrade archive to replace just those files that are affected.

The complete Geeklog 1.3.7sr1 tarball includes other fixes, e.g. all URLs in the documentation and the code have now been updated to point to geeklog.net.

Page navigation