in reply to Re: Re: User-updatable web sites
in thread User-updatable web sites

A few things spring to mind here. This is all based on the assumption that users get to write their own HTML.
  1. I would strip all meta tags from their code. Users can play havoc with redirects, such as redirecting to porn sites or worse, having two accounts and having them redirect to each other's page. A browser could be then caught in an infinite loop of redirects.
  2. If they are allowed to create their own HTML, do they get to include images also? If so, you might have a concern about adult content.
  3. Make sure that server side includes are disabled or at least have the "exec" option turned off. Plus, I would probably just strip SSI tags from their input.
  4. This is the big one: however they create their pages, stick them in a database (after validating page size) or, if they are written out to files, make sure that the user CAN NOT pick their file name. Also, don't let their filename be based on the name they input. They could potentially stick a null byte in their username and cause you all sorts of pain.
Any other suggestions from fellow monks?

Cheers,
Ovid

Join the Perlmonks Setiathome Group or just click on the link and check out our stats.
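As an added illustration of points 1, 3 and 4 above (example code written for this reply, not code from the thread or from any of its authors): it strips meta tags and SSI directives from user-written HTML, enforces a page-size limit, and maps a user to a server-chosen filename through a lookup table instead of building the path from the name they typed. The `PAGE_IDS` table, the size limit and the base directory are constructed assumptions.

```python
import re

# <meta> tags (refresh redirects) and SSI directives (<!--#exec ... -->,
# <!--#include ... -->) are removed rather than allowed through.
META_RE = re.compile(r'<\s*meta\b[^>]*>', re.IGNORECASE)
SSI_RE = re.compile(r'<!--\s*#\w+.*?-->', re.DOTALL)
MAX_PAGE_BYTES = 64 * 1024  # constructed limit, checked before storing

# Constructed table: the server assigns the page id, the user never does.
PAGE_IDS = {"alice": "page_0001", "bob": "page_0002"}

def sanitize_html(html):
    """Strip meta tags and SSI directives from user-supplied HTML."""
    html = META_RE.sub("", html)
    html = SSI_RE.sub("", html)
    return html

def validate_page(html):
    """Reject oversized or null-byte-bearing pages, then sanitize."""
    if "\0" in html:
        raise ValueError("null byte in page content")
    if len(html.encode("utf-8")) > MAX_PAGE_BYTES:
        raise ValueError("page exceeds size limit")
    return sanitize_html(html)

def valid_username(name):
    """Only a short alphanumeric name is accepted; no null bytes or slashes."""
    return "\0" not in name and re.fullmatch(r'[A-Za-z0-9_]{1,32}', name) is not None

def page_path(username, base_dir="/var/www/users"):
    """Return the file path for a user's page, chosen by the server."""
    if not valid_username(username):
        raise ValueError("invalid username")
    page_id = PAGE_IDS.get(username)
    if page_id is None:
        raise KeyError("unknown user")
    # The filename is the server's id, never the user's input.
    return f"{base_dir}/{page_id}.html"
```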

Re: (Ovid) Re(2): User-updatable web sites
by one4k4 (Hermit) on Mar 26, 2001 at 19:45 UTC
    Personally, I would just have a set / static header.txt & footer.txt file(s) and have the user modify the content. Thus, if I wanted to change the navigation/banners/layout, as long as I had the new templates written to properly display the included content files, things would propagate seamlessly.

    Server Side Includes would be a must for this application. Each user would have their index.html file, and all it would consist of would be SSI calls to include:

    header.txt
    content.txt
    footer.txt

    It's really not that complicated, but it takes some getting used to. This way meta tags can't really be used, and I would take into consideration the notes from the node above as well.
    I hope this sheds some light on the subject,

    _14k4 - webmaster@860.org (www.poorheart.com)
      The main issue I have with that is that the user that will be maintaining this site doesn't have a clue about web design nor the desire to learn HTML. I have to make it so they can change individual elements and blocks of text without messing up the layout.
        Sure thing. If you had each block of text, or individual element as a separate included file, it should work out fine.
        <!--#include file="picture.gif" --> <!--#include file="maintext.txt" --> etc.
        (Keep in mind I haven't used SSI in a bit, thus, my syntax may be off.... Oh well)

        If you have the user browse for images to update, and can check off which ones they want on the page, and what text goes where, you shouldn't have a problem. You may be able to work something out where they can upload a Word doc or Excel spreadsheet and have that linked onto the page. We do it with mod_perl and essi here on our intranet. Lots of PDF files.

        _14k4 - webmaster@860.org (www.poorheart.com)
Re: (Ovid) Re(2): User-updatable web sites
by Stamp_Guy (Monk) on Mar 26, 2001 at 03:32 UTC
    I should have been a little more clear about what I meant by user-maintainable web sites. What I meant was that the person I designed the site for would be able to maintain the content of the site. They would not be able to add new pages, name the files, etc. I would design the entire thing and they basically could change any text or graphics that were necessary to update.