12 posts Page 1 of 2
Hi KK,

On my contact page, I have a problem with CouchCMS's XSS protection:

Within the editable region <cms:editable name='contact_maincontent' type='richtext'> there is the following line,

Code: Select all
E-Mail: <script src="js/spamprotect.js" type="text/javascript"></script>

This is changed by CouchCMS's XSS protection to

Code: Select all
E-Mail: &lt;script src=&quot;js/spamprotect.js&quot; type=&quot;text/jaxxxvascxxxript&quot;&gt;&lt;/script&gt;

Is there any possibility to keep my antispam script without unwanted changes?

Thanks for any hints!

Solaris
Hi,

We can turn off XSS sanitization completely by using editable region of type 'textarea' and setting its 'no_xss_check' parameter to '1'.

The above mentioned approach is actually meant for situations where the client would like to input complete scripts (like adsense etc.) into the editable region.
For your case, however, I'd recommend using Couch's native 'cloak_email' (http://www.couchcms.com/docs/tags-refer ... email.html) tag directly within the template.

You can use an editable region of type 'text' for the client to input his email address and then while displaying back the value, cloak it using 'cloak_email'
e.g.
Code: Select all
<cms:cloak_email my_email />

where 'my_email' is the editable region containing the plain-text email address.

Hope this helps.
The 'mailto' shortcode at http://www.couchcms.com/docs/miscellaneous/shortcodes.html would work too. ;)
@cheesypoof
The shortcode can also be modified easily to output the
<script src="js/spamprotect.js" type="text/javascript"></script>
in the original problem, if @solaris does not want to use Couch's method of obfuscating email.
Hi guys, thanks a lot for your input, but it seems I'm a bit slow on the uptake tonight... :(

I tried KK's hint towards
http://www.couchcms.com/docs/tags-reference/cloak_email.html
and changed
Code: Select all
E-Mail: <script src="js/spamprotection.js" type="text/javascript"></script>

to
Code: Select all
E-Mail: <cms:cloak_email 'my_address@my_domain.com' />

and also tried
Code: Select all
E-Mail: <cms:cloak_email email='my_address@my_domain.com' />

(both versions are given on the page cited above, don't know which one is correct)

but to no avail, unfortunately...

I changed the template as shown above, reloaded contact.php, but it still shows the old code:
Code: Select all
E-Mail: &lt;script src=&quot;js/spamprotect.js&quot; type=&quot;text/jaxxxvascxxxript&quot;&gt;&lt;/script&gt;

Also cleared the cache, but still no change...

What am I doing wrong?

As to cheesypoof's suggestion (shortcodes) and KK's reply, I unfortunately don't know how to apply it.

More details will be very much appreciated, thanks! :)
Ok, the fact that I got the same XSS protection after trying your suggestions showed me that the reload hadn't worked, so I deleted this data set in the database and, voilà, it worked!

I used the code given in the first example:

Code: Select all
E-Mail: <cms:cloak_email 'my_address@my_domain.com' />

I had expected that, after changing the code in the contact.php template, deleting the cache and reloading my contact.php in XAMPP, the old code would have disappeared, but that wasn't the case. Only after deleting the contact data set did the reload lead to the expected change.
Is this the usual way, or am I doing something wrong?

I am a CMS noob, so do have some patience, please :)

Just out of curiosity and in order to get more proficiency in using this CMS - how do I proceed to achieve my original code as output, i.e.

Code: Select all
E-Mail: <script src="js/spamprotection.js" type="text/javascript"></script>

Cheers, Solaris
Having succeeded the easy way with
Code: Select all
E-Mail: <cms:cloak_email 'my_address@my_domain.com' />

I then tried to use the shortcode method by proceeding like this:
Put a file called kfunctions.php in the root directory and used this code:

Code: Select all
<?php
// Obfuscate email
   // Usage: [mailto]email@mydomain.com[/mailto]
   $FUNCS->register_shortcode( 'mailto', 'mailto_handler' );
   function mailto_handler( $params, $content=null ){
      global $FUNCS;

      // Create Couch script.. we'll use the 'cloak_email' tag to encrypt email
      $html = "<cms:cloak_email email='{$content}' />";

      // Pass on the code to Couch for execution using the 'embed' function
      return $FUNCS->embed( $html, $is_code=1 );
   }
   

Then used the following code in my contact template:
Code: Select all
E-Mail: <cms:show [mailto]my_address@my_domain.com[/mailto] />


I got this error code:
Code: Select all
ERROR! ATTRIB_NAME: Invalid char "[" (line: 94 char: 3847)


Guess I did it the wrong way...

Any help will be much appreciated.

Thanks
Solaris
Hi Solaris, there really are a few different issues here.

When one writes html code into a richtext region, it is interpreted as text to be displayed instead of code to be run. For this code to be interpreted as you intended, you need to toggle the 'Source' button and then write the code; otherwise, as you have experienced, certain characters such as '<' are converted to their corresponding html entity: '&lt;'. Similarly, if you were to post a 'cms:tag' directly into the richtext region, it would be treated in the same way as an html tag, where its characters are converted to html entities.

The reason why you had to delete the data first before the code functioned is because certain characters had already been converted to html entities, one way to check where you are at is to toggle the 'Source' button.

For you to be able to use javascript or a 'cms:tag' in an editable region, as KK said it MUST be of type 'textarea' and have 'no_xss_check' set to '1'. One way of avoiding these aforementioned requirements and being able to use the 'richtext' region is to use shortcodes.

The correct usage is as follows:
Code: Select all
E-Mail: [mailto]my_address@my_domain.com[/mailto]
Also in the php file, make sure to wrap the editable region in a 'do_shortcodes' tag as so:
Code: Select all
<cms:do_shortcodes><cms:editable name='contact_maincontent' type='richtext' /></cms:do_shortcodes>
This way Couch knows that it should look for shortcodes in this region.

If you wanted to use a shortcode for your script tag, you could do it like this:
Code: Select all
<?php
// Goes in kfunctions.php (alongside the mailto handler above).
// [spamprotection] takes no content: the script tag lives in trusted PHP,
// the editor only places the marker in the richtext region.
$FUNCS->register_shortcode( 'spamprotection', 'spamprotection_handler' );
function spamprotection_handler( $params, $content=null ){
   return '<script src="js/spamprotection.js" type="text/javascript"></script>';
}
Code: Select all
E-Mail: [spamprotection]
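An added example, not code from this thread or from CouchCMS itself, modelling the pattern KK and cheesypoof describe above: the script tag and the cloaking stay in trusted template or PHP code, the editor supplies only an address, and the sanitized region is expanded through an allow-list of shortcodes rather than by switching the XSS check off. Everything in it is constructed for illustration: the registry stands in for $FUNCS->register_shortcode(), cloak_email() is a simple entity-encoding stand-in for Couch's cloak_email tag (Couch's own method differs), render_content() is a simplified do_shortcodes that treats the region as plain text, and the sample editor text and address are made up. It also adds one check the docs' mailto handler does not have: the shortcode body is validated as an email address before any markup is built from it.

```php
<?php
// Added example, not CouchCMS code: "escape first, expand allow-listed
// shortcodes second", with an input check on the [mailto] body.

// Minimal registry standing in for $FUNCS->register_shortcode().
$SHORTCODES = [];
function register_shortcode(string $name, callable $handler): void {
    global $SHORTCODES;
    $SHORTCODES[$name] = $handler;
}

// Stand-in for Couch's cloak_email tag (illustrative, not Couch's method):
// every character of the address becomes a numeric HTML entity, so the
// plain address never appears in the raw page source.
function cloak_email(string $email): string {
    $encoded = '';
    foreach (str_split($email) as $ch) {
        $encoded .= '&#' . ord($ch) . ';';
    }
    return '<a href="mailto:' . $encoded . '">' . $encoded . '</a>';
}

// Hardened [mailto]..[/mailto] handler: refuse anything that is not a
// syntactically valid address before it is turned into markup, so a tag or
// a stray quote inside the shortcode body cannot reach the output.
function mailto_handler(array $params, ?string $content = null): string {
    $addr = trim((string) $content);
    if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        return '';   // drop the shortcode rather than echo its body
    }
    return cloak_email($addr);
}

// [spamprotection] has no body: the script tag is fixed in trusted PHP,
// the editor only gets to place the marker (cheesypoof's approach).
function spamprotection_handler(array $params, ?string $content = null): string {
    return '<script src="js/spamprotection.js" type="text/javascript"></script>';
}

register_shortcode('mailto', 'mailto_handler');
register_shortcode('spamprotection', 'spamprotection_handler');

// Simplified model of do_shortcodes over an XSS-checked text region: the
// editor's text is HTML-escaped first (roughly what happened to the OP's
// <script> tag), then only registered shortcodes are expanded into markup.
function render_content(string $editor_text): string {
    global $SHORTCODES;
    $safe = htmlspecialchars($editor_text, ENT_QUOTES, 'UTF-8');
    return preg_replace_callback(
        '/\[([a-z_]+)\](?:(.*?)\[\/\1\])?/s',
        function (array $m) use ($SHORTCODES) {
            $name = $m[1];
            if (!isset($SHORTCODES[$name])) {
                return $m[0];   // unknown shortcode stays literal text
            }
            // Hand the handler the editor's original body, not the escaped form.
            $content = isset($m[2]) ? html_entity_decode($m[2], ENT_QUOTES, 'UTF-8') : null;
            return $SHORTCODES[$name]([], $content);
        },
        $safe
    );
}

// Constructed sample of what an editor could type into the region.
function demo(): string {
    $editor_text = "E-Mail: [mailto]contact@example.com[/mailto] [spamprotection]\n"
                 . "Raw tags stay text: <script>alert(1)</script> "
                 . "[mailto]<b>not an address</b>[/mailto]";
    return render_content($editor_text);
}

if (PHP_SAPI === 'cli') {
    echo demo(), PHP_EOL;
}
```

Run it with `php` on the command line: the first [mailto] becomes an entity-encoded mailto link, [spamprotection] becomes the fixed script tag, the hand-typed `<script>` stays escaped as `&lt;script&gt;`, and the [mailto] whose body is not an address is dropped. One caveat when adapting the validation: FILTER_VALIDATE_EMAIL rejects underscores in the domain part, so a placeholder like the thread's my_domain.com would be refused as well.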
Thanks a lot for your detailed explanations, cheesypoof!
I am sure they are going to help me understand the different methods.
It's very late here so I'm going to try it out tomorrow, but I can already see a few points where I obviously didn't understand the shortcode tutorial the right way. So thanks again for your valuable help! :)
I am looking forward to trying it all out tomorrow.

Cheers
Solaris
@cheesypoof, @KK:
I must admit that, in spite of your kind help, it took me a huge amount of trial and error to find the correct way of implementing some of the methods hinted at above. :oops:

Once you've got the hang of it, it seems so terribly easy, but without any complete examples of how to combine and, above all, where exactly to place these little code snippets, it's extremely time consuming for the beginner.

Thanks to your help and with a lot of trial and error I managed to implement the 2 solutions where a fixed mail address is included and 1 solution to include the antispam script as required in my OP.

What I still haven't achieved is to do what KK suggested in his first reply above, i.e.

KK wrote: You can use an editable region of type 'text' for the client to input his email address and then while displaying back the value, cloak it using 'cloak_email'
e.g
Code: Select all
<cms:cloak_email my_email />

where 'my_email' is the editable region containing the plain-text email address.


Problem is I still don't know how to combine the editable region and the cloak_email tag (nor the show tag, BTW), which is mentioned several times in the tutorials, but never shown as a complete thing.

Here is what I tried:

(1) no success
Code: Select all
<p><cms:editable name='my_email' label='Mail Address' desc='Enter mail address here, please!' hidden='1' no_xss_check='1' type='text' />
E-Mail: <cms:cloak_email my_email /></p>


(2) no success
Code: Select all
<p><cms:editable name='my_email' label='Mail Address' desc='Please change mail address here, if necessary' hidden='1' no_xss_check='1' type='text'>here I put my mail address</cms:editable>
E-Mail: <cms:cloak_email my_email /></p>


(3) only partial success
(3a)
Code: Select all
<p>E-Mail: <cms:do_shortcodes><cms:editable name='my_mail_address' type='text'>[mailto]here I put my mail address[/mailto]</cms:editable></cms:do_shortcodes></p>

(3b)
used above code in combination with file called kfunctions.php in root:
Code: Select all
<?php
// Obfuscate email
   // Usage: [mailto]email@mydomain.com[/mailto]
   $FUNCS->register_shortcode( 'mailto', 'mailto_handler' );
   function mailto_handler( $params, $content=null ){
      global $FUNCS;

      // Create Couch script.. we'll use the 'cloak_email' tag to encrypt email
      $html = "<cms:cloak_email email='{$content}' />";

      // Pass on the code to Couch for execution using the 'embed' function
      return $FUNCS->embed( $html, $is_code=1 );
   }


Trial #3 seemed to work at first sight, displaying an editable region of the text type in the admin panel with my mail address already included, and the correct address on the web page.
B U T:
After changing the mail address in the admin panel and clicking on the "save" button, the mail address doesn't change accordingly on the web page, but now there appears the obfuscated mail code instead of the changed mail address.

Further help will be very much appreciated! :)

Thanks

Solaris