Show Likes

This section allows you to view all posts where this member received or gave a like to.

1
Bug reports / [Security] Re: BBCode in SQL Database
CerealGuy « on February 9th, 01:06 PM »
Quote from Nao on February 9th, 11:26 AM
Quote from CerealGuy on February 7th, 11:58 AM
Yup, totally aggree with your points. On the other hand, adding bbcodes via plugins is quite a handy thing. So i won't say the idea is bad, just the way it's done in the moment is not the best.
Maybe do... BOTH?!
- Have the main BBCode in a source file,
- Give plugins the ability to add or replace BBCode,
- Only, plugins can't add code in the database, rather a function name. IIRC plugin files are always loaded so it's easy enough to just put the code in a plugin file and it should get executed.

Or, if it's too much to handle, just do points 2 and 3, because it still means putting the code to be executed into a source file, goddammit.
Yeah, that's probably the most realistic solution..?!
- First thing I want to do is moving all "validate_funcs" to
  Subs-BBC (nearly done with that).
- Next thing is refactoring those functions, making more
  clear what they do (figured out that the do nothing which
  you should describe with the term "validate", most of them
  trim or beautify the content.) and  understanding why the
  hell there are often the same tag twice with nearly the same
  "validate_func". I'm sure it would be enough to have one of
  those function for each tag (which needs this stuff).
https://github.com/C3realGuy/wedge/commit/791bdfa2632190b0c23f570e4bc581de9a7bc2bd#diff-ea931b81508cfb000ca2c54e529ff570R1520
- If this is done I want to look if it's possible to "hardcode" all those
  default bbc tags in a nice function. Something like loadBBCodes(),
  which returns all default bbc tags plus loads all others from sql.
  Have to see how the disable tag stuff is done. Want to add a
  hook here too, so plugins really have all the power over bbcodes
  without the need of modifying the bbc parse code or doing some
  regex stuff on top of it.

It's a bit to do, won't get bored the next days. The Problem is not
the coding, it's understanding what goes on in Subs-BBC :lol:
Quote from Nao on February 9th, 11:26 AM
Well, I've moved Wedge.org and Noisen.com at the same time. Wedge.org was flawless, but Noisen.com is running a heavily customized SMF 2.0 RC, with none of the code fixes to make it run on PHP 7. However, that server can ONLY run one version of PHP (because the admin doesn't want to bother, and it's okay), so I had to manually convert SMF code to PHP 7 *and* my custom code as well, of course... Took at least a day.
If I move my site again, I'll make sure it has PHP 5 as an option. I'd rather use PHP 5 for Noisen, even though it's now working correctly in PHP 7.
Sorry if it was confusing. Wedge was fine.
I'm having Wedge problems with my other new site though, ahah. But again-- server problem. Another server, other problems: this time it's file permissions. The difference is, the admin has been AWOL for 2 months now. Not great...
Didn't play with a pure webspace in years, and i know why :D You just have more control, more power and of course more responsibility. But stuff like let's encrypt (free ssl certificates in case you don't know them), full control about software which is running and the configuration will always let me choose an vps/kvm/whatever over a webspace.
Quote from Nao on February 9th, 11:26 AM
Quote
PS: It feels good to see wedge back under active developement:D
Yeah, me too. And thank you for being the only developer who still believes in it.:)

Although I never felt back about leaving it -- I just considered it finished. What I'm doing is maintenance work, plus extra minor features from time to time because, well, it's fun?
My game development plans were set aside due to the state of the market. Purely from a business point of view, there just isn't enough visibility for a new game, and for now I don't want to rely on my 'Kyodai' brand name to attain more recognition. So I just focus on selling that old game and building that game trading site. (Which for now is just a game trade matching site. Supposed to be unveiled today, except the site isn't working due to aforementioned permissions ahah.)
Wedge is quite finished. It's totally usable, I only tweak stuff which I don't like how it behaves. For example the WYSIWG Editor. It's fully working, but awful :D Will be the next thing i want to look at. And some features I see around other forum softwares which i like. For example mark quotes. So you mark a part of post and you can only quote this part. Really like this idea, have to see how i can implement that. Maybe stuff for a plugin.

Besides that, i said it already in parts here and there, wedge is in my opinion the only good forum software around.
It's nearly perfect with balancing out pure html/css functions and extra js. It has many js stuff which makes it feel modern and dynamic without making it unusable on browsers without js. I mean solutions like nodebb they won't work in a browser without js. Those "in browser apps" are cool for sure, but not for a forum software (in my opinion). They are slow, make problems with search engines, are unusable with noscript. But forums should be accessable by as many people as possible and shouldn't make problems.
The next thing is mobile/responsive design. A lot of forum softwares aren't able to this. Xenforo just looks really really bad on a smartphone. They didn't understand this *less thing which wedge does. Less padding and style elements is more on a mobile screen. You wan't to use as much of the screen as possible to show content without confusing the user. Xenforo also didn't do this js thing well. It's just bloated with js even if it's more of traditional "non ajax" solution compared to nodebb. I hate it to surf on any xenforo forum. Only thing which is maybe worse is an old vbulletin forum. I just always fear to lose my account's email and password to some hackers :D
Wedge feels lightweight, it loads super fast on the browser. It looks modern, has a special touch to it which you will recognize. And it has a lot of really good ideas implemented. Besides that, it's super stable. I think we use wedge on our forum since 3 years. Never had a serious problem with the forum software. Not even a small one.

But still there are problems with wedge.
- PHP is just not modern anymore. In fact, it's a bit dying.
  I'm not sure about that, but for example websockets aren't
  supported yet in php. Which could be a nice thing to have,
  also for wedge. Especially for notifications. Wedge is maybe
  the last and best php Forum Software.
- Besides the PHP thing, the codebase is old and unmaintained.
  No unit tests, no coding style standards. You also don't want to
  touch that code, risks are too high to break a thing and don't even
  notice it. Not a big of a problem, there aren't too many who use wedge
  anyway :D 
- No documentation, no helper/"framework like" functions to make life
  easier for plugin developers. As a plugin developer you write so many
  functions again, which are maybe already implemented in the wedge
  core and you just could reuse. But you don't know of them and never will.
- In general you can make wedge do everything you want, but it's often not
  a nice way. It's more like forging it with a flamethrower.
- Some standard functions are just not as good as they should. For example
  the editor. Color chaning is bad, you can't asign a choosen color to another
  marked text without first changing it's color to something else and than to
  the color you want. Makes no fun.
  Or Private Messages. It's this old private messaging system you know from
  Bulletin Boards. It's just old and feels bad to use. It's a bit like emails and this
  is already bad. In fact i would always prefer to write you a message on any
  instant messanger instead of using wedge.

Wow this is more of an essay and totally off topic. But who cares.
2
Bug reports / [Security] Re: BBCode in SQL Database
CerealGuy « on February 7th, 11:58 AM »
Yup, totally aggree with your points. On the other hand, adding bbcodes via plugins is quite a handy thing. So i won't say the idea is bad, just the way it's done in the moment is not the best. Also this validate thing i really don't like. The name suspects a very limited function, even if it's not. Have to think of something for this.
I will give it a try and see what i can do. I'm ill in the moment (EB Virus is quite a nasty one) so I have some time.

OT:
Quote from Nao on February 7th, 12:58 AM
PS: I just have no time to look into this right now. I'm pretty busy with the new site. Plus I may be moving servers again in the future-- this one is so blazing fast, I love it, but there are so many configuration issues, it gives me nightmares... -_-
What kind of a server are you using that the configuration issues give you nightmares :hmm:

PS: It feels good to see wedge back under active developement :D
3
Plugins / [Plugin] Advanced Home Topics
CerealGuy « on January 15th, 02:06 PM »
Advanced Home Topics

A plugin for wedge giving you more control over the topics block you can add to you Homepage->Custom Content.
Features:
  - Multiple working `topics` blocks
  - Change title of each `topics` block
  - Limit include boards
  - Limit exclude boards
  - Modify steps in which n increases
 
Can you give me an Example?
Sure, look here:


How to install?

Drop the `advanced-home-topics` folder which you can find in this repository in to your `<wedge_install>/plugins` folder and activate it over your Admin Control Panel.

How to configure?

1. Go to `Admin->Configuration->General Options->Homepage`
2. Modify `Custom Contents`
3. Add something like `topics:1|Some Special Posts|3;4||false|1;2;3;4;5;6;7`
4. Format looks like this `topics:<num posts to show by default>|<custom name, empty for default>|<include these boards, empty for all, divide with ;>|<exclude these boards, empty for none, divide with ;>|<set to true if you want to hide Boards>|<steps in which we shall increase. By default 5;10;20;50;100. Divide with ;>`

Where to find?
https://github.com/C3realGuy/AdvancedHomeTopics
4
Archived fixes / [LOW-SQLi] Possible SQL injection on ssi_recentTopics
CerealGuy « on January 14th, 12:31 PM »
ssi_recentTopics() is not filtering the $num_recent argument correctly.
Code: [Select]
// Find all the posts in distinct topics. Newer ones will have higher IDs.
$request = wesql::query('
SELECT
t.id_topic, b.id_board, b.name AS board_name, b.url
FROM {db_prefix}topics AS t
INNER JOIN {db_prefix}messages AS ml ON (ml.id_msg = t.id_last_msg)
LEFT JOIN {db_prefix}boards AS b ON (b.id_board = t.id_board)
WHERE {query_see_topic}
AND t.id_last_msg >= {int:min_message_id}' . (empty($exclude_boards) ? '' : '
AND b.id_board NOT IN ({array_int:exclude_boards})') . '' . (empty($include_boards) ? '' : '
AND b.id_board IN ({array_int:include_boards})') . '
AND {query_wanna_see_board}' . (empty(we::$user['can_skip_approval']) ? '
AND ml.approved = {int:is_approved}' : '') . '
ORDER BY t.id_last_msg DESC
LIMIT ' . $num_recent,
array(
'include_boards' => empty($include_boards) ? '' : $include_boards,
'exclude_boards' => empty($exclude_boards) ? '' : $exclude_boards,
'min_message_id' => $settings['maxMsgID'] - 35 * $num_recent,
'is_approved' => 1,
)
);

The dangerous part: 'LIMIT ' . $num_recent,'
You can exploit it through custom homepage contents over acp. (Adding something like 'topics:10 UNION SELECT...'). But you need permissions to acp. And even if you have them, the anti hacking protection of wedge looks quite nice. No multiple statemants, it detects weird behaviour couldn't really exploit it besides an more or less useless blind sqli which just worked once :lol:.
But still, better fix it.

How to fix:
Code: [Select]

// Find all the posts in distinct topics. Newer ones will have higher IDs.
$request = wesql::query('
SELECT
t.id_topic, b.id_board, b.name AS board_name, b.url
FROM {db_prefix}topics AS t
INNER JOIN {db_prefix}messages AS ml ON (ml.id_msg = t.id_last_msg)
LEFT JOIN {db_prefix}boards AS b ON (b.id_board = t.id_board)
WHERE {query_see_topic}
AND t.id_last_msg >= {int:min_message_id}' . (empty($exclude_boards) ? '' : '
AND b.id_board NOT IN ({array_int:exclude_boards})') . '' . (empty($include_boards) ? '' : '
AND b.id_board IN ({array_int:include_boards})') . '
AND {query_wanna_see_board}' . (empty(we::$user['can_skip_approval']) ? '
AND ml.approved = {int:is_approved}' : '') . '
ORDER BY t.id_last_msg DESC
LIMIT {int:num_recent}',
array(
'num_recent' => $num_recent,
'include_boards' => empty($include_boards) ? '' : $include_boards,
'exclude_boards' => empty($exclude_boards) ? '' : $exclude_boards,
'min_message_id' => $settings['maxMsgID'] - 35 * $num_recent,
'is_approved' => 1,
)
);

PR: https://github.com/Wedge/wedge/pull/43

Many limit arguments don't get passed parameterized in SSI.php. We should change that.

EDIT1: WTF. This is nearly the same in the SMF codebase. Do I miss something or is this just really bad practice? I mean, i don't know if they have a hacking protection like wedge, but if they don't...
Besides that it looks like they fixed it sometimes and sometimes not :whistle:
https://github.com/SimpleMachines/SMF2.1/blob/release-2.1/SSI.php#L518

EDIT2: Fixed other limits too. https://github.com/Wedge/wedge/pull/44
5
Archived fixes / Re: Low flood/spam limits are ignored
CerealGuy « on October 24th, 2016, 10:50 PM »
Looks fine and works how it should. Thanks :)
6
Support / Re: I want a wedge support 5.2 PHP IS it Possible
CerealGuy « on September 22nd, 2016, 06:32 PM »
Why do you want support for an old php version? XY Problem?

http://mywiki.wooledge.org/XyProblem

So, what do you REALLY want to do? :D
7
Off-topic / Re: How did I miss that..?
CerealGuy « on September 14th, 2015, 01:15 AM »
Umm... don't know exactly what to say except of THANKS A LOT!
Didn't even know that there's something like a private board :D
8
Off-topic / Re: A+
CerealGuy « on September 13th, 2015, 05:26 PM »
Quote
I believe we got rid of all the 'bad' seed over time... What do you think remained that should have been eliminated..? I mean, SMF was not all that bad. It sucks when compared to Wedge in 2015, but it doesn't mean it was bad back in 2010.
What I think is missing are some functions which make it easier to develop plugins faster.
And extending wedge is such a great thing with endless possibilities, but sometimes you just don't know what's the right way.
Small example, extending the menu:
You need to add css for the icon, which is okay when you do something special, but just a normal icon shouldn't need that.
Or integrating your own bbc tag handler, a small callback thing would be awesome for more complex stuff (directly into plugin-info.xml). You could link that directly with extending the bbc post buttons.
Or to name admin interface design, admin-page offers a good basis, but when you need some more complex stuff it get's tricky and you need to do everything manually (or at least i didn't find a better way). Adding a way to call own code would make this a lot easier.

Tl;dr: Better and more efficient tools for plugin developers. Maybe something for Wedge 2.0? :D
9
Support / Re: Help installing Wedge
CerealGuy « on September 12th, 2015, 12:32 AM »
Normally LAMP should be enough, have a look into your error files, they should give you a hint about what's wrong.
10
Support / Re: Create a static page for Imprint
CerealGuy « on September 10th, 2015, 02:55 PM »
This is working, only problem is, that i don't know how to set the page title yet.
Setting $context['page_title'] or $context['page_title_html_safe'] should work but doesn't...

Code: [Select]
<?php

function template_custom_main(){
  echo
'
                        <span class="clear upperframe"><span></span></span>
                        <div class="roundframe"><div class="innerframe">'
;
                        echo
'
                        <div class="cat_bar">
                        <h3 class="catbg">Hello everyone</h3>
                        </div>
                    <p>This is a custom page example. pretty cool, huh.</p>'
;
                        echo
'
                   </div></div>
                  <span class="lowerframe"><span></span></span>'
;
}
//Path to SSI.php
require(dirname(__FILE__) . '/core/SSI.php');

[
s]$context['page_title'] = "Custom Page";[/s]

//Load (template_)custom_main
wetem::load('custom_main');

//Display theme stuff
wetem::render();

EDIT: Got it working:

Code: [Select]
<?php

function template_custom_main(){
  echo
'
                        <span class="clear upperframe"><span></span></span>
                        <div class="roundframe"><div class="innerframe">'
;
                        echo
'
                        <div class="cat_bar">
                        <h3 class="catbg">Hello everyone</h3>
                        </div>
                    <p>This is a custom page example. pretty cool, huh.</p>'
;
                        echo
'
                   </div></div>
                  <span class="lowerframe"><span></span></span>'
;
}
//Path to SSI.php
require(dirname(__FILE__) . '/core/SSI.php');

//Load (template_)custom_main
wetem::load('custom_main');

//Page title. This will appear in the browser
$context['page_title_html_safe'] = "Custom Page";

//Display theme stuff
wetem::render();