Post by Chris on Feb 3, 2017 22:43:28 GMT -8
Add this to the JavaScript for that upload page:

```javascript
<script>
$(function(){
    var baseURL = 'http://www.awakeningwebsite.com/uploads/';

    // Build each URL/BBCode box from elements and set the value with .val(),
    // so a file name containing quotes or angle brackets cannot break the markup.
    function makeBox(labelText, value){
        var input = $('<input>').css({display: 'block', width: '100%'}).val(value);
        return $('<label>').css('color', '#fff').text(labelText).append(input);
    }

    $("#upload").on('fileuploaddone', function(){
        $("#drop").next().find("p").each(function(i, p){
            var $p = $(p);
            // This fires for every completed upload and walks every listed file,
            // so add the boxes only once per entry.
            if($p.data('linksAdded')) return;
            $p.data('linksAdded', true);
            // The file name is the <p> text with the <i> element (size info) removed.
            var filename = $('<span>' + this.innerHTML + '</span>').find("i").remove().end().text();
            var imgURL = baseURL + encodeURIComponent(filename);
            // "[img" + "]" is split so the forum does not render the tag inside this post.
            $('<div>').css({position: 'absolute', top: '62px', width: '90%'})
                .append(makeBox('URL:', imgURL))
                .append(makeBox('BBCode:', "[img" + "]" + imgURL + "[/img" + "]"))
                .appendTo($p.parent().css({'min-height': '122px'}));
        });
    });
});
</script>
```

and it should give you this:

Note: the above code has no provision for handling error conditions such as upload failure (size, type, etc.).
Post by Former Member on Feb 4, 2017 9:11:24 GMT -8
You really need to be careful with scripts like this.
It doesn't represent the whole picture (no pun intended), and it is quite unsafe to just blindly let people upload stuff to your server. Any image/video might have malicious code embedded in it. Without getting too technical: before you move the files to your server, you need to read them in binary format, making sure the file headers and data chunk sizes match; you would also need to read everything as a string and search for keywords like (html|script|javascript), making sure those are not present.
If those are present, then the file has been tampered with and may contain malicious code.
You also need to have a file size limit set up, not forgetting a Captcha and CSRF token.
Again, those are a lot more involved than the code you are using right now, but vital if you want to secure your server.
Options: you could use a framework that has those guards in place (Laravel|CodeIgniter).
Post by Former Member on Feb 4, 2017 16:43:32 GMT -8
Honestly, if you don't know how to code, then let a framework do most of the heavy lifting for you. I would try CodeIgniter as it's probably the easiest to learn and has decent documentation. Laravel is a little more advanced, so avoid it for now.
No, because the code is embedded: GIFs, for example, can have malicious code embedded in the middle of the file; PNGs can only have malicious code at the end of the file (because the data chunks need to be in order).
Each file has a file header describing the file format. So each file usually has a file signature at the start of the file header; in the case of a PNG, it has an 8-byte signature as its header (which tells its MIME type),
and has a set of chunks that contain 16 bytes each, so you would read the last 16 bytes and make sure they follow the chunk structure, the first 4 bytes of which are an ASCII string with the chunk/flag name.
So let a framework do it for you.
Having said that, I don't know a lot of frameworks that test my way, but that's how I would do it.