Posted October 9, 2024

I am adding a file into our system and want to include a URL in the description. If I just enter a URL in the parameter, it does not show a hyperlink for the URL, it just appears as plain text. Is there a way to encode these in the description text?

Edited October 9, 2024 by Interferon

October 9, 2024 Author

Apparently you can just submit HTML to this and it will work. So you would never want to submit this directly from a desktop application without running it through your own PHP script to filter the fields.

Edited October 9, 2024 by Interferon

October 10, 2024

9 hours ago, Interferon said:
So you would never want to submit this directly from a desktop application without running it through your own PHP script to filter the fields.

Why wouldn't you filter the fields in your desktop application, rather than running through a PHP script? Just taking a look at the description of that item within the REST API, it does state what you can send there:

Quote
The description as HTML (e.g. "<p>This is an file.</p>"). Will be sanitized for requests using an OAuth Access Token for a particular member; will be saved unaltered for requests made using an API Key or the Client Credentials Grant Type.

October 10, 2024 Author

10 hours ago, Marc said:
Why wouldn't you filter the fields in your desktop application, rather than running through a PHP script? Just taking a look at the description of that item within the rest API, it does state what you can send there

It's a security vulnerability. If they have access, the end user could create a program that makes calls to the API to insert HTML into pages.

October 10, 2024 Solution

Are you using OAuth Tokens or just a REST API key? If you are using OAuth, then yes, you still need to submit HTML with the request; however, it will be parsed and sanitized according to the user's permissions to remove anything malicious (excluding those with HTML posting permission, which should be no one other than groups like Administrators). This is ideal for applications that end users submit to directly, like a Desktop app in your case. OAuth also limits requests based on a user's permission, so even if they can submit files to the API, they can still only submit to categories they have permission to post to.

If you're just using a REST API key, then it's assumed that the request is coming from a trusted source. This is for things only an administrator has complete control over (typically automated tasks).
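
An added example, not from the thread or from Invision Community's own code: one way to write the server-side filtering script mentioned above for requests made with an API key, where the description is saved unaltered. It accepts plain text only, escapes all of it, and turns http(s) URLs into links; the function name and the sample input are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not part of Invision Community): builds description
// HTML from untrusted plain text. No caller-supplied markup survives; only
// http(s) URLs are turned into links.
function descriptionToHtml(string $plain): string
{
    $esc = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Split on URL candidates; with DELIM_CAPTURE they land on odd indexes.
    $chunks = preg_split('~(https?://[^\s<>"\']+)~i', $plain, -1, PREG_SPLIT_DELIM_CAPTURE)
        ?: [$plain];

    $html = '';
    foreach ($chunks as $i => $chunk) {
        if ($i % 2 === 0) {
            $html .= $esc($chunk);          // ordinary text: escape and move on
            continue;
        }
        // Sentence punctuation after a URL belongs to the text, not the link.
        $url  = rtrim($chunk, '.,;:!?)');
        $tail = substr($chunk, strlen($url));
        $host = parse_url($url, PHP_URL_HOST);
        if (is_string($host) && $host !== '') {
            $html .= '<a href="' . $esc($url) . '" rel="nofollow noopener">'
                   . $esc($url) . '</a>';
        } else {
            $html .= $esc($url);            // not a usable URL: keep as text
        }
        $html .= $esc($tail);
    }
    // Preserve line breaks from the plain-text input.
    return '<p>' . nl2br($html, false) . '</p>';
}

// Constructed sample input, standing in for what a desktop client might send.
$input = "Docs: https://example.com/guide?a=1&b=2.\n"
       . "<script>alert(1)</script> <a href=\"javascript:alert(1)\">x</a>";

echo descriptionToHtml($input), PHP_EOL;
```

The returned string is what the script would place in the description field of the API-key request; the desktop client never supplies HTML itself.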