
Migration done
#1

It was surprisingly painless to install Commentics and import existing comments to the database. Good-quality commenting system.

It is now live on https://www.finnoytravel.com/. Some layout fine-tuning will be done later but it works already now.
#2

It looks really good! I like how you've simplified the design and how the colours match the white/blue branding of your website.

Also, about your interview, you're absolutely fine to approve comments containing dangerous HTML. Commentics converts everything using htmlspecialchars, and it also uses htmLawed to be extra sure. However it only does this on input, not on output, so I was just saying that any imported data needs to be safe.

Further info: https://commentics.com/faq/general/security

Have you completed the interview?
#3

(29-Dec-2022, 09:13 PM) Steven Wrote: It looks really good! I like how you've simplified the design and how the colours match the white/blue branding of your website.

Also, about your interview, you're absolutely fine to approve comments containing dangerous HTML. Commentics converts everything using htmlspecialchars, and it also uses htmLawed to be extra sure. However it only does this on input, not on output, so I was just saying that any imported data needs to be safe.

Further info: https://commentics.com/faq/general/security

Thanks Steve.

I made a test earlier and I thought I was able to inject alert("Hello") into the page. So I re-tested and got the Hello message again.

I did some debugging and it seems Commentics is working correctly. The problem is in my custom latestComments snippet. It reads comments from the database and uses CMS functions to generate HTML. Somehow, my CMS converts HTML entities back to real characters and the <script> tag starts working. I need to fix my own snippet to fix this.
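The failure described in post #3 and an output-side fix, as an added example that is not part of the thread or of Commentics' own code. `cmsText()` is a hypothetical stand-in for whichever CMS function decodes entities, and the two rows are constructed sample data.

```php
<?php
declare(strict_types=1);

// Constructed sample rows (not real data) for a comments table.
$rows = [
    // Submitted through the comment form: escaped on input, as post #2 describes.
    'submitted' => htmlspecialchars('<script>alert("Hello")</script>', ENT_QUOTES, 'UTF-8'),
    // Imported from another system: never passed through the input filter.
    'imported'  => '<script>alert("Hello")</script>',
];

// Hypothetical stand-in for a CMS helper that turns entities back into characters.
function cmsText(string $text): string
{
    return html_entity_decode($text, ENT_QUOTES, 'UTF-8');
}

// The pattern from post #3: CMS output goes straight into the page.
function renderUnsafe(string $stored): string
{
    return '<li>' . cmsText($stored) . '</li>';
}

// Fix: encode once, as the last step before the text reaches the HTML sink.
function renderSafe(string $stored): string
{
    return '<li>' . htmlspecialchars(cmsText($stored), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</li>';
}

foreach ($rows as $origin => $stored) {
    foreach (['renderUnsafe', 'renderSafe'] as $render) {
        $html = $render($stored);
        $live = stripos($html, '<script') !== false ? 'yes' : 'no';
        printf("%-9s %-12s live script tag: %-3s %s\n", $origin, $render, $live, $html);
    }
}
```

Because `renderSafe()` encodes after the CMS step, the result is the same whether the row was escaped on input or imported raw.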

