Client Notice Manager

[wormsunited]

Hi there to all.

I need to make a few changes in the client notice manager for my hosting users, by checking some of the forum searches i found a post that provided me the location of the file, now i need to make it html and not just plain text, does anyone knows how? I paste there the code, any help will be much appreciated. 

Client Notice Manager:

Code:

<?php

class ui_tpl_notice {

   public static function Template() {
       $user_array = ctrl_users::GetUserDetail();
       global $zdbh;
       $result = $zdbh->query("SELECT ac_notice_tx FROM x_accounts WHERE ac_id_pk = " . $user_array['resellerid'] . "")->Fetch();
       if ($result) {
           if ($result['ac_notice_tx'] <> "")
               return ui_sysmessage::shout(
                   runtime_xss::xssClean($result['ac_notice_tx']),
                   'notice',
                   'Notice:',
                   true
               );
           return false;
       } else {
           return false;
       }
   }

}

?>

[Ron-e]

http://forums.sentora.org/showthread.php...1#pid12941

[TGates]

SECURITY NOTICE: By disabling the check mentioned in the link, you may be vulnerable to malicious XSS and other possible security risks. Use at your own risk!

[wormsunited]

Thanks to you all, it really works and i managed to protect myself using some of my own php scripts

Huge thanks to the community and special thanks to: @TGates and @Ron-e

[Ron-e]

Thanks to you all, it really works and i managed to protect myself using some of my own php scripts

Can you post the solution you found, maybe other like to use it also or can work upon it.

[wormsunited]

I am so sorry for my delay folks.
Here is the code i used, made my edits and then i changed back, instructions provided in the comments (fully commented)

PHP Code:

<?php

/**
 * @copyright 2014-2015 Sentora Project (http://www.sentora.org/) 
 * Sentora is a GPL fork of the ZPanel Project whose original header follows:
 *
 * Generic template place holder class.
 * @package zpanelx
 * @subpackage dryden -> ui -> tpl
 * @version 1.1.0
 * @author Bobby Allen (ballen@bobbyallen.me)
 * @copyright ZPanel Project (http://www.zpanelcp.com/)
 * @link http://www.zpanelcp.com/
 * @license GPL (http://www.gnu.org/licenses/gpl.html)
 *
 *
 * File location: /etc/sentora/panel/dryden/ui/tpl/notice.class.php
 * Edited by wormsunited = Help Sentora, donate now (http://sentora.org/donate)
 * Remove the code on line 34 of this code
 * CODE: runtime_xss::xssClean($result['ac_notice_tx'] = To plain text
 * CODE: ($result['ac_notice_tx']                      = For HTML tags
 * 
 * ATTENTION: USE AT YOUR OWN RISK
 *
 */
class ui_tpl_notice {

    public static function Template() {
        $user_array = ctrl_users::GetUserDetail();
        global $zdbh;
        $result = $zdbh->query("SELECT ac_notice_tx FROM x_accounts WHERE ac_id_pk = " . $user_array['resellerid'] . "")->Fetch();
        if ($result) {
            if ($result['ac_notice_tx'] <> "")
                return ui_sysmessage::shout(
                    ($result['ac_notice_tx']),
                    'notice',
                    // YOU CAN ADD LINKS AND MORE HERE TOO
                    'Visit my website: <a href="http://google.com" target="_blank">Click here</a>',
                    true
                );
            return false;
        } else {
            return false;
        }
    }

}

?>

I hope this can help the community

[TGates]

  That's exactly what I had done. There is still no protection for XSS and harmful javascript. Need to add something like HTMLPurifier to clean/control the input.

[wormsunited]

Cant agree more, you are right! If we need to add extra protection we need to create a new module for it, and make it accessible only by Admin or Reselers in Sentora Module Admin.

I am working on this module tho...

[TGates]

Cool, check into adding HTMLpurifier. I was doing the same thing but time has been limited. It should be very easy to do.
I have successfully added it to other projects.