1 (edited by User33 2008-11-25 14:11)

Topic: [Release] Meta Tags Administration

I have noticed some forum members are into SEO, so I decided to make this pretty simple extension that allows you to edit some meta tags relevant to SEO.

You can modify the meta tags on Administration » Settings » Setup

Download Link: http://punbb.informer.com/unofficial/pu … _admin.zip

If you find any bugs or have any tips, please post them here.

Updates

  • 1.1 (current): Applied some fixes. Thanks to parpalak.

  • 1.0: First release

Re: [Release] Meta Tags Administration

Hi Garciat i will try it and post my impression!
Thanks

3

Re: [Release] Meta Tags Administration

Suomeksi käännetty versio Ei testattu

Sorry, only in Finnish, not needed in English smile
Vain suomeksi, englantia ei tarvitse tässä smile
--------------------------------------------------------
Miten voit asentaa kielipaketin:
1. Avaa "lang" lisäosasi kansiosta.
2. Luo uusi kansio "Finnish" (ilman lainausmerkkejä).
3. Avaa Muistio ja kirjoita sisällöksi seuraava:

<?php
// Meta tags administration      Metatagien ylläpito
// Finnish langpack                 Suomenkielinen kielitiedosto
// By: Olli                             Tekijä: Olli
// Email: ollinpostit@gmail.com  Sähköposti: ollinpostit@gmail.com

if (!defined('FORUM')) die();

$lang_meta_admin = array(
    'Setup'                        => 'Mukauta metatageja',
    'Setup description legend'    => 'Muokkaa metakuvaus -tagia',
    'Setup keywords legend'        => 'Muokkaa meta -hakusanat -tagia',
    'Setup robots legend'        => 'Muokkaa meta -robotit -tagia',
    
    'Warn'                        => 'Älä käytä mitään HTML, BBCode tai muita tarpeettomia merkkejä (lainausmerkkejä jne.). Vieraile <a href="http://searchenginewatch.com/2167931">täällä</a> saadaksesi apua näihin metatageihin.',
    
    'Description'                => 'Metakuvaus -tagi',
    'Description help'            => 'Jos tämä on tyhjä, oletus-metakuvaus-tagia käytetään.',
    'Description hide'            => 'Piilota metakuvaus -tagi',
    'Description hide help'        => 'Jos rastitettu, metakuvaustagia ei näytetä.',
    'Description vt'            => 'Ensimmäisen viestin metakuvaus -tagi',
    'Description vt help'        => 'Jos rastitettu, jokaisen aiheen metakuvaustagina käytetään ensimmäisiä 160 merkkiä ensimmäisestä viestistä.',
    
    'Keywords'                    => 'Meta -hakusanat -tagi',
    'Keywords help'                => 'Erottele jokainen hakusana pilkulla (ei välilyöntiä).',
    
    'Robots'                    => 'Meta -robotit -tagi',
    'Robots help'                => 'Erottele jokainen muuttuja pilkulla ja välilyönnillä.',
)

?>

4. Valitse "Tiedosto" -valikosta "Tallenna nimellä...".
5. Etsi äsken luomasi Finnish-kansio.
6. Kirjoita tiedostonimeksi "meta_admin.php" (ilman lainausmerkkejä).
7. Valitse tallennusmuodoksi "Kaikki tiedostot".
8. Paina "Tallenna".
9. Nyt sinulla on suomenkielinen kielitiedosto.

4 (edited by User33 2008-11-14 15:00)

Re: [Release] Meta Tags Administration

Thanks for the translation smile

Re: [Release] Meta Tags Administration

Thank you Garciat.
I'll test it smile

6 (edited by User33 2008-11-15 03:29)

Re: [Release] Meta Tags Administration

If you want more functions or have any tips, let me know.

7 (edited by PHPLizardo 2008-11-15 08:25)

Re: [Release] Meta Tags Administration

XSS :

<meta name="keywords" content=""><script>alert(0)</script>" />
<meta name="robots" content=""><script>alert(0)</script>" />

Patch :

File : ./extensions/meta_tags_admin/manifest.xml

Line 63      | $forum_head['descriptions'] = '<meta name="description" content="'.$forum_config['o_meta_tags_admin_desc'].'" />';
Replace with | $forum_head['descriptions'] = '<meta name="description" content="'.forum_htmlencode($forum_config['o_meta_tags_admin_desc']).'" />';

Line 88      | $forum_head['descriptions'] = '<meta name="description" content="'.$first_post.'" />';
Replace with | $forum_head['descriptions'] = '<meta name="description" content="'.forum_htmlencode($first_post).'" />';

Line 95      | $forum_head['keywords'] = '<meta name="keywords" content="'.$forum_config['o_meta_tags_admin_keyw'].'" />';
Replace with | $forum_head['keywords'] = '<meta name="keywords" content="'.forum_htmlencode($forum_config['o_meta_tags_admin_keyw']).'" />';

Line 98      | $forum_head['robots'] = '<meta name="robots" content="'.$forum_config['o_meta_tags_admin_robo'].'" />';
Replace with | $forum_head['robots'] = '<meta name="robots" content="'.forum_htmlencode($forum_config['o_meta_tags_admin_robo']).'" />';

Re: [Release] Meta Tags Administration

Now, why would an ADMIN exploit this vulnerability? After all, this extension's configuration can only be edited by admins.

Also, there's a message saying:

Please, don't use any HTML, BBCode or harmful characters.

on the configuration page, so I'm not really worried about this.

Thanks anyways, I appreciate your concern.

9 (edited by PHPLizardo 2008-11-15 23:45)

Re: [Release] Meta Tags Administration

Garciat wrote:

Now, why would an ADMIN exploit this vulnerability? After all, this extension's configuration can only be edited by admins.

Also, there's a message saying:

Please, don't use any HTML, BBCode or harmful characters.

on the configuration page, so I'm not really worried about this.

Thanks anyways, I appreciate your concern.

I know that only admins can acces to you extension but it can be dangerous anyway. Example:

You have another admin on the forum, and he wants you password, by exploiting this vuln, he could install a javascript keylogger on you forum, and he may get your password
It isn't enough to put a message saying "Please don't..."

Hope you'll understand.

10

Re: [Release] Meta Tags Administration

I'm supposing most people don't go around making every person an admin.

Anyways, even if I did use htmlentities(), this "bad" admin could add any type of JS script using the "Add your own links to the main navigation menu" list. Ex:

0 = <script type="text/javascript">alert('haha');</script>

As you can see, both the dev team and I think that it's your responsibility that your admins behave well.

Re: [Release] Meta Tags Administration

You are absolutely right and I think that it's better if only super admins can edit fields where you can put html. Anyway, I fixed this problem on my forums, every fields are filtered, in the admin panel too.

Sorry for my poor english tongue

Re: [Release] Meta Tags Administration

Garciat wrote:

I'm supposing most people don't go around making every person an admin.

As you can see, both the dev team and I think that it's your responsibility that your admins behave well.

I must strongly disagree with this philosophy.  A person who is a friend today, could easily be an enemy tomorrow.  The conflict between administrators could be between a second and third person, neither of which are you.  It is very naive to interact with humans, or program software, based on an assumption of trust.

That said, consider another scenario.  A black-hat-hacker has used a man in the middle WiFi attack on your administrator's laptop at a coffee shop that has a WiFi-hotspot.  Your administrator's forum password is sent via clear-text HTTP, and is caught by the hacker.  Because of the forum post I am replying to, this vulnerability in your extention (or one like it in PunBB itself, if we bothered to look) is found in MetaSploit (google it!).

The hacker owns your administrator, and YOU... because you were too lazy to write a regex filter for <META NAME="KEYWORDS" CONTENT="your keywords,go here,separated by a comma,but not a space">

(\s*[a-zA-Z0-9]+\s*\,\s+)+

13

Re: [Release] Meta Tags Administration

Who the hell said I was too lazy to add a filter? I just didn't add it because I didn't think it was necessary.

If anyone wants to  patch its extension, they are free to do so.

I'm so sorry for trusting people...

Re: [Release] Meta Tags Administration

Garciat wrote:

Who the hell said I was too lazy to add a filter? I just didn't add it because I didn't think it was necessary.

I did.

whatrevolution wrote:

The hacker owns your administrator, and YOU... because you were too lazy to write a regex filter

Garciat wrote:

If anyone wants to  patch its extension, they are free to do so.

So we need to check all of your work for laziness.  Noted.

Garciat wrote:

I'm so sorry for trusting people...

Apology accepted, try to be more aware of your surroundings, please.

15

Re: [Release] Meta Tags Administration

Ok.

16

Re: [Release] Meta Tags Administration

It's great what Garciat is doing. This extension looks useful.

But I have to agree with some of the comments about security.

It is always advisable to never trust users - their input, their behaviour or their friendliness/loyalty/honesty etc, and to also never consider the online environment your code is going into to be either (a) benign or (2) stable and predictable. Any code should reflect these concerns, I think.

It's always better to address security issues at the design stage if possible, rather than later - eg after your huge and busy forum has been hacked. Then it gets messy. smile

17

Re: [Release] Meta Tags Administration

I guess that if whatrevolution had only acted friendlier, like you did, I would've fixed it right away.

Anyways, it's fixed. I applied PHPLizardo's patch.

Re: [Release] Meta Tags Administration

sirena wrote:

It's great what Garciat is doing. This extension looks useful.

[...]

It is always advisable tonevertrust users [...]

Sure, I agree and have thanked Garciat for his work before, but if he's going to be haughty and arrogantly deny all criticism, and deny faults in his logic, then I'm not going to be nice.  I'm going to reflect his arrogance back at him, and no one likes an arrogant know it all.

19

Re: [Release] Meta Tags Administration

In order to retain working relationships on forums like these, everyone needs to remember to be a little bit polite and diplomatic, I guess. That way everything just works better.

It's also worth remembering that in a forum environment, sometimes comments and posts can be misunderstood or appear to be more angry or hostile or arrogant than they actually were intended to be, or they would sound if they were spoken face-to-face.

Sometimes what may appear to be arrogance, for example,  may just be a misunderstanding, or a result of someone being very busy and not able to immediately give their full attention to an issue or a post.

I've often been accused of it myself when admining forums, because I sometimes give replies that are perceived as curt and dismissive to users, but I only do so not because I am a bitch but because I often have 1 million things to do and can't give the user more time. Etc. So be tolerant - everyone has flaws smile

Re: [Release] Meta Tags Administration

I agree with sirena's post.  This is why I began by disagreeing with the philosophy, rather than the people directly.  However, I see that my use of "you" and "YOU" in my example scenario probably did more than personalize it; it allowed Garciat to perceive direct offense.

I called the philosophy (and those harboring it) lazy, which is accurate.  You'll just have to grow up and thicken your emotional skin a little.  I pissed you off because you aren't mature enough to parse an accurate criticism, not because I wasn't polite enough.  The previous sentence will probably piss you off too, and that is ok because it is also an accurate statement, and your reaction proves it.

It's not personal, and the way I see it is that perhaps I can explain it well enough that even though I make you angry, you'll understand.  Time will tell.

21

Re: [Release] Meta Tags Administration

It's OK...

Re: [Release] Meta Tags Administration

Fair enough.  I'm sorry an argument hijacked your thread, Garciat.  I like the extension idea. smile

Re: [Release] Meta Tags Administration

Hey Garciat I've a problem.

I got Meta Description set and its all fine, but when I mark:
First Post Meta Description Tag
I got no content in desc tag. Is it bug, or am I doing something bad?

24

Re: [Release] Meta Tags Administration

That feature worked for me. If it doesn't work for you, don't enable it... sorry I don't have time to check/fix it.

25 (edited by Reactor 2008-12-21 22:43)

Re: [Release] Meta Tags Administration

I would really appreciate if you fix that.  It could be helpfull for indexing topics for Google wink
If you dont have time, OK. Dont hurry.