MyBB Community Forums

MyBB Community Forums > Extensions > Plugins > Plugin Support > [split] DVZ Secure Content 1.1.5
Full Version: [split] DVZ Secure Content 1.1.5
You're currently viewing a stripped down version of our content. View the full version with proper formatting.

canadacommunity

2020-04-17, 03:23 AM
(2020-04-16, 11:53 PM)Omar G. Wrote: [ -> ]Maybe the plugin can block parsing of content if this contains http: within it (specially just links)? Just an idea.


Yes that would be perfect by chance would you happen to know how to do this trick?

rfssjz

2020-04-17, 06:59 PM
(2020-04-17, 03:23 AM)canadacommunity Wrote: [ -> ]
(2020-04-16, 11:53 PM)Omar G. Wrote: [ -> ]Maybe the plugin can block parsing of content if this contains http: within it (specially just links)? Just an idea.


Yes that would be perfect by chance would you happen to know how to do this trick?
I'm also wondering about this.

Omar G.

2020-04-18, 03:11 AM
Hi, I did split the thread because I don't want to hijack @Devilshakerz's thread.

To begin with, if you ask me the best approach should be to update the core regexes to only match urls that begin with https://.

But regex isn't my forte, so I will post a quick solution that I think should work and probably somebody else can provide a better response.

Find the following:
https://github.com/mybb/mybb/blob/featur....php#L1100
		if(!preg_match("#^[a-z0-9]+://#i", $url))
		{
			$url = "http://".$url;
		}

Change to:
		if(!preg_match("#^(?:http(s):\/\/)#i", $url))
		{
			$url = "https://".$url;
		}

This should force all urls to have https:// if they don't.

But this would probably break content. The following could* be better:
		if(preg_match("#(?:http:\/\/)#i", $url))
		{
			$url = str_replace('http://', '//', $url); // will replace http:// to //
		}
		elseif(!preg_match("#^(?:http(s):\/\/)#i", $url))
		{
			$url = "//".$url; // will add // instead of https:// (because sites might not have a certificate, I suppose it  would be problematic to force invalid secure calls)
		}

* Better considering I'm just reading about the topic, I will be reading about mixed content, maybe you should too:
https://developers.google.com/web/fundam...ed-content

Devilshakerz

2020-04-18, 03:40 PM
Do you mean "breaking" rejected http:// images to output the original [img]http://...[/img] code? Is that better (and less confusing) than converting them into links?

(2020-04-18, 03:11 AM)Omar G. Wrote: [ -> ]
			$url = "//".$url; // will add // instead of https:// (because sites might not have a certificate, I suppose it  would be problematic to force invalid secure calls)
		}

The // part makes the protocol relative to the page it's displayed in - if a forum is on HTTPS, resources beginning with // would be loaded over https://, regardless of support on the external server.

canadacommunity

2020-04-19, 05:04 AM
Devilshakerz & Omar G   I never got notified of the split post is it supposed to notify me by email?  If not i am extremely lucky to have found this by searching in this section or else i would of never known that this problem is being discussed. 

Anyways I love your plugin by the way as it  really helps secure the ssl within the mybb forum, unforrtunitly the other day i came across a post on my forum that a member created and in his post he had posted a link not an image   http. //  domain. com ....on top inside the search browser I was getting a half lock notifying me that the page was insecure. 

So my question is what would I have to do as a trick in order to replace links that are http to https within posts? I do not know if your plugin can do the same for urls as it does for images or perhaps adding it within the plugin would be awesome!
MyBB Community Forums > Extensions > Plugins > Plugin Support > [split] DVZ Secure Content 1.1.5