[BETA] Stylist: Unprecedented user customization

A place for MOD Authors to post and receive feedback on MODs still in development. No MODs within this forum should be used within a live environment! No new topics are allowed in this forum.
Forum rules
READ: phpBB.com Board-Wide Rules and Regulations

IMPORTANT: MOD Development Forum rules

On February 1, 2009 this forum will be set to read only as part of retiring of phpBB2.
Post Reply
hmartin
Registered User
Posts: 118
Joined: Mon Jun 06, 2005 2:49 am
Location: /home/
Contact:

[BETA] Stylist: Unprecedented user customization

Post by hmartin »

MOD Title: Stylist
MOD Description: This MOD makes it simple for users to extensively customize their experience. It does this by allowing each user to create a customized CSS style sheet. This is almost effortless for the user, givng them a simple textbox with which to edit their CSS.
MOD Installation Difficulty: easy
MOD Version: 0.1.0
MOD Download: Stylist_0.1.zip

Peter77sx
Registered User
Posts: 3258
Joined: Wed Nov 09, 2005 2:51 pm

Post by Peter77sx »

So each member has thier own style sheet to work on? that is kind of neat... this may come in handy with the website mod. what is the diffrence with "Default" and "Custom" save?

hmartin
Registered User
Posts: 118
Joined: Mon Jun 06, 2005 2:49 am
Location: /home/
Contact:

Post by hmartin »

Peter77sx wrote: So each member has thier own style sheet to work on? that is kind of neat... this may come in handy with the website mod. what is the diffrence with "Default" and "Custom" save?

Yes, each user gets their own style sheet which they can customize and save. The custom style sheet is created the first time the user goes to use Stylist, and it is originally just a duplicate of the default style sheet. Also, if the user leaves the definitions for a given class undefined the default style will be used.
If the user chooses the Default option, then Stylist won't use their style sheet at all (i.e. the forums will look just like the default style sheet).

ChaosBringer
Registered User
Posts: 412
Joined: Mon Apr 19, 2004 11:30 pm
Contact:

Post by ChaosBringer »

Got a demo?

01000001 01101100 01101100 00100000 01111001 01101111 01110101 01110010 00100000 01100010 01101001 01101110 01100001 01110010 01111001 00100000 01100001 01110010 01100101 00100000 01100010 01100101 01101100 01101111 01101110 01100111 00100000 01110100 01101111 00100000 01110101 01110011 00100001

hmartin
Registered User
Posts: 118
Joined: Mon Jun 06, 2005 2:49 am
Location: /home/
Contact:

Post by hmartin »

ChaosBringer wrote: Got a demo?

Here is a screenshot that shows how it works.
My MODs:
Multiple PM Recipients - Send PMs to multiple users simultaneously
Stylist - Users can modify a forum's appearance by uploading custom CSS files
Download All Attachments As Zip - Download multiple attachments in a single zip file.
Collapsible Categories - Cleanly collapse categories on the index page

User avatar
beggers
Registered User
Posts: 1257
Joined: Fri Nov 23, 2001 8:19 pm
Location: Las Vegas
Contact:

Post by beggers »

I haven't tried this mod yet, but I hope there is some kind of interactive front end that allows users to make simple choices without exposing them to the actual CSS code. I like this idea, though.

Nathan Robinson
Registered User
Posts: 18
Joined: Sat Jul 05, 2003 7:05 am
Location: San Francisco
Contact:

Post by Nathan Robinson »

This is potentially an ingredient to a giant security risk. You can start your search for the various reasons why this is a bad ideas here: http://alistapart.com/articles/secureyourcode

Cheers

hmartin
Registered User
Posts: 118
Joined: Mon Jun 06, 2005 2:49 am
Location: /home/
Contact:

Post by hmartin »

This MOD isn't any greater security risk than phpBB itself (except for, perhaps, that it's less well tested). Other than that, it uses essentially the same process on inputting, storing, and displaying information (in this case CSS) that's done when a user makes a forum post.
My MODs:
Multiple PM Recipients - Send PMs to multiple users simultaneously
Stylist - Users can modify a forum's appearance by uploading custom CSS files
Download All Attachments As Zip - Download multiple attachments in a single zip file.
Collapsible Categories - Cleanly collapse categories on the index page

Nathan Robinson
Registered User
Posts: 18
Joined: Sat Jul 05, 2003 7:05 am
Location: San Francisco
Contact:

Post by Nathan Robinson »

hmartin wrote: This MOD isn't any greater security risk than phpBB itself (except for, perhaps, that it's less well tested). Other than that, it uses essentially the same process on inputting, storing, and displaying information (in this case CSS) that's done when a user makes a forum post.


This is untrue. It is not the same as phpBB, as it allows the uer to create his own css.

There are bugs in browsers, particularly IE, that allows for exploitation, even with CSS. The risks aren't vast, and it isn't as open as allowing people to insert their own HTML, of course, but there are some very interesting exploits which can be utilized through this means.

This is well documented throughout the developer sites on the 'net, particularly those discussing community-building and user customization.

hmartin
Registered User
Posts: 118
Joined: Mon Jun 06, 2005 2:49 am
Location: /home/
Contact:

Post by hmartin »

I'd be interested in see what specifically has been documented as far as exploits go. Remember that a user only sees his custom CSS, so it'd be pointless for an attacker to inject some sort of client-side attack, since he would only be harming himself.
My MODs:
Multiple PM Recipients - Send PMs to multiple users simultaneously
Stylist - Users can modify a forum's appearance by uploading custom CSS files
Download All Attachments As Zip - Download multiple attachments in a single zip file.
Collapsible Categories - Cleanly collapse categories on the index page

FatRat
Registered User
Posts: 78
Joined: Tue Oct 25, 2005 7:17 am

Post by FatRat »

i would like to use a code similar to this, but in a myspace sort of way, where users can have there own page with there own css.

of course, this means other users will see the css file and this is a security threat if it isnt cleaned up properly.

What can i do to prevent the css file containing any malicious code?

hmartin
Registered User
Posts: 118
Joined: Mon Jun 06, 2005 2:49 am
Location: /home/
Contact:

Post by hmartin »

No, one user won't see another user's CSS file.
My MODs:
Multiple PM Recipients - Send PMs to multiple users simultaneously
Stylist - Users can modify a forum's appearance by uploading custom CSS files
Download All Attachments As Zip - Download multiple attachments in a single zip file.
Collapsible Categories - Cleanly collapse categories on the index page

FatRat
Registered User
Posts: 78
Joined: Tue Oct 25, 2005 7:17 am

Post by FatRat »

sorry, i didnt make it clear.

i have used your code as a basis for my code, not used it exactly as you have made it.

but, what i want to know is how to clean up $css before writing it to prevent malicious code.

hmartin
Registered User
Posts: 118
Joined: Mon Jun 06, 2005 2:49 am
Location: /home/
Contact:

Post by hmartin »

I can't support code for your MOD, sorry.
My MODs:
Multiple PM Recipients - Send PMs to multiple users simultaneously
Stylist - Users can modify a forum's appearance by uploading custom CSS files
Download All Attachments As Zip - Download multiple attachments in a single zip file.
Collapsible Categories - Cleanly collapse categories on the index page

Post Reply

Return to “[2.0.x] MODs in Development”