PHPSpellchecker for VB2.x! (Beta)
Mod Version: 1.00, by Raz (Member)
Developer Last Online: Aug 2006

This modification is in the archives.
vB Version: 2.2.x Rating: (0 vote - 0 average) Installs: 13
Released: 15 Jul 2002 Last Update: Never Downloads: 2
Not Supported Is in Beta Stage  

OK, finally here is the code for the PHPSpellchecker!
If you find any bugs, please post your findings here.

Check out the Zip file for more info.

Enjoy!
Raz

Note: You will require PSpell (inc ASpell) installed.


#61
02 Nov 2002, 20:21
Paul
Join Date: Jan 2002
Well, this script needs a couple of security modifications--it's open to XSS vulnerabilities big time.

I don't have time to look at the code right now, but perhaps someone who's more familiar with javascript could take a look at this. Using the word "javascript" in the text of a message you're spell checking will let you run whatever you'd like. This needs to be htmlspecialchars()'d and properly handle the word javascript in a message.

#62
02 Nov 2002, 20:27
Raz
Join Date: Oct 2001
Originally posted by Prince
I deinstalled this hack and gave up on it since Raz does not seem interested in fixing it.
Sorry about that, been busy with other stuff.

The error message means you don't have pspell compiled into PHP.
__________________
~Raz~

#63
02 Nov 2002, 20:28
Raz
Join Date: Oct 2001
Originally posted by LoveShack
Well, this script needs a couple of security modifications--it's open to XSS vulnerabilities big time.

I don't have time to look at the code right now, but perhaps someone who's more familiar with javascript could take a look at this. Using the word "javascript" in the text of a message you're spell checking will let you run whatever you'd like. This needs to be htmlspecialchars()'d and properly handle the word javascript in a message.
Can you give an example?

I can't seem to reproduce what you're saying.

The line "$outtext = htmlentities(stripslashes($checktext));" should prevent what you are experiencing.
__________________
~Raz~

Last edited by Raz; 02 Nov 2002 at 20:31.

#64
02 Nov 2002, 20:33
Paul
Join Date: Jan 2002
Try the following condition:

<misspelt word> javascript </script>

I.e.

d0gzasdf javascript </script>

#65
02 Nov 2002, 20:37
Raz
Join Date: Oct 2001
This is the output I get:
<font face="Verdana, Arial, Helvetica, sans-serif" size="2">d0gzasdf <a href="javascript:submitWord('javascript')" name="word2"><font color=red><b>javascript</b></font></a> &lt;/script&gt;</font></body></html>
Seems harmless.
__________________
~Raz~

#66
02 Nov 2002, 20:43
Paul
Join Date: Jan 2002
Oops. I mixed up examples. Appending </script> to the body will cause an error when pressing "Finished Checking" ... to see the javascript issue, remove the </script>.

Try asdfasdf javascript asdfasdf

#67
02 Nov 2002, 20:45
Raz
Join Date: Oct 2001
Yep got some malformed output. But still can't understand how this can be exploited.

The reason it's malformed is because it replaces all javascript references, including the ones the spellchecker creates to a link to be corrected.
__________________
~Raz~
Reply With Quote
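
An added example (not code from the thread or from the mod itself) of the behaviour discussed in posts #65 to #67: escaping each token as it is written out, versus rewriting the word "javascript" across the finished page, which also rewrites the checker's own link. `is_known()` stands in for the PSpell lookup; `render()`, `link_data()` and the replacement string are assumptions made for illustration.

```php
<?php
// Constructed stand-in for the pspell dictionary lookup, so the script runs offline.
function is_known(string $word): bool {
    return in_array(strtolower($word), ['try', 'this', 'text'], true);
}

// Link in the style of the output quoted in post #65: the word sits inside a javascript: URL.
function link_legacy(string $safe, int $n): string {
    return "<a href=\"javascript:submitWord('$safe')\" name=\"word$n\">$safe</a>";
}

// Hypothetical alternative: the word travels in a data attribute, never inside script text.
function link_data(string $safe, int $n): string {
    return "<a href=\"#word$n\" class=\"misspelt\" data-word=\"$safe\">$safe</a>";
}

// Escape every token exactly once on output; only all-letter, unknown tokens become links.
function render(string $text, callable $link): string {
    $tokens = preg_split('/(\s+)/', $text, -1,
        PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY);
    $out = '';
    $n = 0;
    foreach ($tokens as $tok) {
        $safe = htmlspecialchars($tok, ENT_QUOTES, 'UTF-8');
        $isWord = preg_match('/^[a-z]+\z/i', $tok) === 1;
        $out .= ($isWord && !is_known($tok)) ? $link($safe, ++$n) : $safe;
    }
    return $out;
}

$input = 'd0gzasdf javascript </script>';   // the test string from post #64

// Page-wide replacement applied after the markup exists (replacement string is
// hypothetical): the href scheme is rewritten too, so the correction link breaks.
echo str_ireplace('javascript', 'java script', render($input, 'link_legacy')), "\n\n";

// Per-token escaping with no javascript: URL: the tag arrives as &lt;/script&gt;
// and no page-wide filter is needed afterwards.
echo render($input, 'link_data'), "\n";
```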

#68
03 Nov 2002, 03:47
Paul
Join Date: Jan 2002
Hrmm. I haven't been able to come up with a way to exploit it myself, but seeing as input text is being processed as part of the script, a bunch of red flags go up.

How can we sandbox it?

Any luck with Netscape/Opera?

#69
03 Nov 2002, 04:30
Paul
Join Date: Jan 2002
Just a note on the NS/Opera issue--I have a suspicion that the hidden form being called in spellcheck.php is the problem here--specifically, I think forms are only recognized by NS/Opera within <body></body> tags--since this form is hidden in a frameset page, I believe that's where the problem is arising.

I'll let you know what I find out.

#70
03 Nov 2002, 05:28
Paul
Join Date: Jan 2002
Unfortunately, you can't have <body> and <frameset> tags in the same page. I've been able to confirm that the issue with Netscape and Opera is the <form> code being placed in the frameset in spellcheck.php--this is illegal html. According to w3c specifications, <form> can only be placed within <body> tags.

I don't know enough javascript to get this thing to work -- would it be possible to move the form to the templates instead?

#71
03 Nov 2002, 22:28
Raz
Join Date: Oct 2001
I'm sorry but I don't have the time I used to, to work on this anymore. If anyone else is willing to continue this, feel free.

About the XSS issue, it's not. Only [a-z] characters are parsed, so if it has a non-alpha character it ignores it.
__________________
~Raz~

#72
04 Nov 2002, 06:38
Paul
Join Date: Jan 2002
Well okay. Here's where I'm at with trying to fix this. My initial idea was to move the <form> information out of spellcheck.php and into a third 1 pixel big frame called formcode.php. However, I can't figure out the javascript needed to get the checktext over to the formcode script.

This is something that someone who knows a bit more (anything) about javascript needs to look at. Until then, it's a miracle this thing works at all--apparently IE takes W3C standards pretty loosely.

#73
06 Nov 2002, 06:42
Paul
Join Date: Jan 2002
Attached you'll find a version of this spellchecker that works in the latest versions of both Netscape and Internet Explorer. I am by no means an expert in javascript, however with the help of a few kind folks around the 'net and a lot of google groups searching, I managed to come up with something that at the very least, works.

I was not able to get it to work properly in Opera, however I did get a report that it works with Mozilla v1. I have not tested that configuration myself.

It'd be really great if someone could take this and improve upon it to ensure maximum efficiency and compatibility with W3C standards.

There are no instructions in this zip file. Overwrite your existing spellchecker files (Available on the first post in this thread: http://www.vbulletin.org/forum/showt...580#post272580) with the ones in this zip. No modifications to the templates are needed to upgrade.

To install, make the template changes discussed in Raz's original release.

Regards,
Paul

Edit: I updated the attachment which removes a stripslashes() function from the finished text--not including slashes will cause an error with messages that contain certain characters. check.php was updated.

Edit #2: I made it a bit clearer on where to get the original files from.
Attached Files
File Type: zip phpspellcheckerv3_2-loveshack.zip (3.2 KB, 70 views)

Last edited by LoveShack; 11 Nov 2002 at 01:57.

#74
26 Nov 2002, 20:02
Harken
Join Date: Apr 2002
In the instructions it says to edit templates... newreply, newthread... is it meaning the .php files? Because I don't see those templates.

#75
03 Dec 2002, 16:18
diettalk
Join Date: Jan 2002
When trying to spell check a post with a full URL in it, the post disappears when you finish checking.
__________________
John
diet support at diettalk.com