You are not logged in. Please login or register.
PunBB Forums → PunBB 1.3 extensions → [Release] Meta Tags Administration
I have noticed some forum members are into SEO, so I decided to make this pretty simple extension that allows you to edit some meta tags relevant to SEO.
You can modify the meta tags on Administration » Settings » Setup
Download Link: http://punbb.informer.com/unofficial/pu … _admin.zip
If you find any bugs or have any tips, please post them here.
Updates
1.1 (current): Applied some fixes. Thanks to parpalak.
1.0: First release
Hi Garciat i will try it and post my impression!
Thanks
Suomeksi käännetty versio Ei testattu
Sorry, only in Finnish, not needed in English 
Vain suomeksi, englantia ei tarvitse tässä
--------------------------------------------------------
Miten voit asentaa kielipaketin:
1. Avaa "lang" lisäosasi kansiosta.
2. Luo uusi kansio "Finnish" (ilman lainausmerkkejä).
3. Avaa Muistio ja kirjoita sisällöksi seuraava:
<?php
// Meta tags administration Metatagien ylläpito
// Finnish langpack Suomenkielinen kielitiedosto
// By: Olli Tekijä: Olli
// Email: ollinpostit@gmail.com Sähköposti: ollinpostit@gmail.com
if (!defined('FORUM')) die();
$lang_meta_admin = array(
'Setup' => 'Mukauta metatageja',
'Setup description legend' => 'Muokkaa metakuvaus -tagia',
'Setup keywords legend' => 'Muokkaa meta -hakusanat -tagia',
'Setup robots legend' => 'Muokkaa meta -robotit -tagia',
'Warn' => 'Älä käytä mitään HTML, BBCode tai muita tarpeettomia merkkejä (lainausmerkkejä jne.). Vieraile <a href="http://searchenginewatch.com/2167931">täällä</a> saadaksesi apua näihin metatageihin.',
'Description' => 'Metakuvaus -tagi',
'Description help' => 'Jos tämä on tyhjä, oletus-metakuvaus-tagia käytetään.',
'Description hide' => 'Piilota metakuvaus -tagi',
'Description hide help' => 'Jos rastitettu, metakuvaustagia ei näytetä.',
'Description vt' => 'Ensimmäisen viestin metakuvaus -tagi',
'Description vt help' => 'Jos rastitettu, jokaisen aiheen metakuvaustagina käytetään ensimmäisiä 160 merkkiä ensimmäisestä viestistä.',
'Keywords' => 'Meta -hakusanat -tagi',
'Keywords help' => 'Erottele jokainen hakusana pilkulla (ei välilyöntiä).',
'Robots' => 'Meta -robotit -tagi',
'Robots help' => 'Erottele jokainen muuttuja pilkulla ja välilyönnillä.',
)
?>4. Valitse "Tiedosto" -valikosta "Tallenna nimellä...".
5. Etsi äsken luomasi Finnish-kansio.
6. Kirjoita tiedostonimeksi "meta_admin.php" (ilman lainausmerkkejä).
7. Valitse tallennusmuodoksi "Kaikki tiedostot".
8. Paina "Tallenna".
9. Nyt sinulla on suomenkielinen kielitiedosto.
Thanks for the translation
Thank you Garciat.
I'll test it
If you want more functions or have any tips, let me know.
XSS :
<meta name="keywords" content=""><script>alert(0)</script>" />
<meta name="robots" content=""><script>alert(0)</script>" />Patch :
File : ./extensions/meta_tags_admin/manifest.xml
Line 63 | $forum_head['descriptions'] = '<meta name="description" content="'.$forum_config['o_meta_tags_admin_desc'].'" />';
Replace with | $forum_head['descriptions'] = '<meta name="description" content="'.forum_htmlencode($forum_config['o_meta_tags_admin_desc']).'" />';
Line 88 | $forum_head['descriptions'] = '<meta name="description" content="'.$first_post.'" />';
Replace with | $forum_head['descriptions'] = '<meta name="description" content="'.forum_htmlencode($first_post).'" />';
Line 95 | $forum_head['keywords'] = '<meta name="keywords" content="'.$forum_config['o_meta_tags_admin_keyw'].'" />';
Replace with | $forum_head['keywords'] = '<meta name="keywords" content="'.forum_htmlencode($forum_config['o_meta_tags_admin_keyw']).'" />';
Line 98 | $forum_head['robots'] = '<meta name="robots" content="'.$forum_config['o_meta_tags_admin_robo'].'" />';
Replace with | $forum_head['robots'] = '<meta name="robots" content="'.forum_htmlencode($forum_config['o_meta_tags_admin_robo']).'" />';Now, why would an ADMIN exploit this vulnerability? After all, this extension's configuration can only be edited by admins.
Also, there's a message saying:
Please, don't use any HTML, BBCode or harmful characters.
on the configuration page, so I'm not really worried about this.
Thanks anyways, I appreciate your concern.
Now, why would an ADMIN exploit this vulnerability? After all, this extension's configuration can only be edited by admins.
Also, there's a message saying:
Please, don't use any HTML, BBCode or harmful characters.
on the configuration page, so I'm not really worried about this.
Thanks anyways, I appreciate your concern.
I know that only admins can acces to you extension but it can be dangerous anyway. Example:
You have another admin on the forum, and he wants you password, by exploiting this vuln, he could install a javascript keylogger on you forum, and he may get your password
It isn't enough to put a message saying "Please don't..."
Hope you'll understand.
I'm supposing most people don't go around making every person an admin.
Anyways, even if I did use htmlentities(), this "bad" admin could add any type of JS script using the "Add your own links to the main navigation menu" list. Ex:
0 = <script type="text/javascript">alert('haha');</script>As you can see, both the dev team and I think that it's your responsibility that your admins behave well.
You are absolutely right and I think that it's better if only super admins can edit fields where you can put html. Anyway, I fixed this problem on my forums, every fields are filtered, in the admin panel too.
Sorry for my poor english 
I'm supposing most people don't go around making every person an admin.
As you can see, both the dev team and I think that it's your responsibility that your admins behave well.
I must strongly disagree with this philosophy. A person who is a friend today, could easily be an enemy tomorrow. The conflict between administrators could be between a second and third person, neither of which are you. It is very naive to interact with humans, or program software, based on an assumption of trust.
That said, consider another scenario. A black-hat-hacker has used a man in the middle WiFi attack on your administrator's laptop at a coffee shop that has a WiFi-hotspot. Your administrator's forum password is sent via clear-text HTTP, and is caught by the hacker. Because of the forum post I am replying to, this vulnerability in your extention (or one like it in PunBB itself, if we bothered to look) is found in MetaSploit (google it!).
The hacker owns your administrator, and YOU... because you were too lazy to write a regex filter for <META NAME="KEYWORDS" CONTENT="your keywords,go here,separated by a comma,but not a space">
(\s*[a-zA-Z0-9]+\s*\,\s+)+
Who the hell said I was too lazy to add a filter? I just didn't add it because I didn't think it was necessary.
If anyone wants to patch its extension, they are free to do so.
I'm so sorry for trusting people...
Who the hell said I was too lazy to add a filter? I just didn't add it because I didn't think it was necessary.
I did.
The hacker owns your administrator, and YOU... because you were too lazy to write a regex filter
If anyone wants to patch its extension, they are free to do so.
So we need to check all of your work for laziness. Noted.
I'm so sorry for trusting people...
Apology accepted, try to be more aware of your surroundings, please.
Ok.
It's great what Garciat is doing. This extension looks useful.
But I have to agree with some of the comments about security.
It is always advisable to never trust users - their input, their behaviour or their friendliness/loyalty/honesty etc, and to also never consider the online environment your code is going into to be either (a) benign or (2) stable and predictable. Any code should reflect these concerns, I think.
It's always better to address security issues at the design stage if possible, rather than later - eg after your huge and busy forum has been hacked. Then it gets messy.
I guess that if whatrevolution had only acted friendlier, like you did, I would've fixed it right away.
Anyways, it's fixed. I applied PHPLizardo's patch.
It's great what Garciat is doing. This extension looks useful.
[...]
It is always advisable tonevertrust users [...]
Sure, I agree and have thanked Garciat for his work before, but if he's going to be haughty and arrogantly deny all criticism, and deny faults in his logic, then I'm not going to be nice. I'm going to reflect his arrogance back at him, and no one likes an arrogant know it all.
In order to retain working relationships on forums like these, everyone needs to remember to be a little bit polite and diplomatic, I guess. That way everything just works better.
It's also worth remembering that in a forum environment, sometimes comments and posts can be misunderstood or appear to be more angry or hostile or arrogant than they actually were intended to be, or they would sound if they were spoken face-to-face.
Sometimes what may appear to be arrogance, for example, may just be a misunderstanding, or a result of someone being very busy and not able to immediately give their full attention to an issue or a post.
I've often been accused of it myself when admining forums, because I sometimes give replies that are perceived as curt and dismissive to users, but I only do so not because I am a bitch but because I often have 1 million things to do and can't give the user more time. Etc. So be tolerant - everyone has flaws
I agree with sirena's post. This is why I began by disagreeing with the philosophy, rather than the people directly. However, I see that my use of "you" and "YOU" in my example scenario probably did more than personalize it; it allowed Garciat to perceive direct offense.
I called the philosophy (and those harboring it) lazy, which is accurate. You'll just have to grow up and thicken your emotional skin a little. I pissed you off because you aren't mature enough to parse an accurate criticism, not because I wasn't polite enough. The previous sentence will probably piss you off too, and that is ok because it is also an accurate statement, and your reaction proves it.
It's not personal, and the way I see it is that perhaps I can explain it well enough that even though I make you angry, you'll understand. Time will tell.
It's OK...
Fair enough. I'm sorry an argument hijacked your thread, Garciat. I like the extension idea.
Hey Garciat I've a problem.
I got Meta Description set and its all fine, but when I mark:
First Post Meta Description Tag
I got no content in desc tag. Is it bug, or am I doing something bad?
That feature worked for me. If it doesn't work for you, don't enable it... sorry I don't have time to check/fix it.
I would really appreciate if you fix that. It could be helpfull for indexing topics for Google 
If you dont have time, OK. Dont hurry.
PunBB Forums → PunBB 1.3 extensions → [Release] Meta Tags Administration
Powered by PunBB, supported by Informer Technologies, Inc.