Google maps embed code into custom field Error

[chunguens]

Hello nicecoder team.
I have a big problem. I have add a custom field (TEXT) called "google_maps". When user add a new listing they have to paste HTML to embed in website.
A google map code example is like :

Code:

<iframe width="425" height="350" frameborder="0" scrolling="no" marginheight="0" marginwidth="0" src="http://maps.google.de/maps?f=q&amp;source=s_q&amp;hl=gb&amp;geocode=&amp;q=603+W+Ashland+Ave+Louisville,+KY+40214+&amp;sll=49.416073,11.117115&amp;sspn=0.009004,0.022724&amp;g=Messezentrum,+Nurnberg,+Germany&amp;ie=UTF8&amp;hq=&amp;hnear=603+W+Ashland+Ave,+Louisville,+Jefferson,+Kentucky+40214,+United+States&amp;ll=38.194549,-85.766315&amp;spn=0.010878,0.022724&amp;z=14&amp;iwloc=A&amp;output=embed"></iframe>View Larger Map

I have add the iframe tag in the "Allowed HTML tags" and also have enabled HTML tags at indexu setup.

When i add a listing with embed code from google maps in custom field, it results in a blank page !

I have already changed the template. So it´s not a template issue.
My indexu version is 2.3 . But i have another site with version 1.3.2 that have the same problem with this google_maps custom field.

[dody]

Please send me an email to support@nicecoder.com, please include your website url and indexu admin password.

[chunguens]

Hy dody,

I have send yesterday the email with the username and password to access my indexu site.

Did u find the problem ?

[sitesme]

Hi,

I would like to have this solution as well.
I tried some different ways but still not working properly.

Thanks for sharing.

[sitesme]

Hi,

I would like to have this solution as well.
I tried some different ways but still not working properly.

Thanks for sharing.

[sitesme]

Hi,

Anyone found out how to get this working?
Thanks

[chunguens]

Hy Sitesme,

I will post the dody answerers to this question.

1st Email From Dody:

"I found the problem. The codes is detected as xss attack so indexu
force to exit.
For now I disable the xss detection. I will finding a better solution
to detect xss attact.

The add form is functioning normal now."

2st Email From Dody:

"Your case is special. Usually webmaster won't allow html code being
submitted. Hacker may submit html code with javascript. When you load
the data in admin panel, the javascript will be executed. From worst
scenario the javascript will read your cookie and steal other
information, then the javascript will send this information to the
hacker.

This is why XSS Filter is so important.

Indexu prevent XSS attack with 2 methods (while other script may only one)
1) It is in CleanXSSInput(), you can find it is called several times
in init.php, but not in admin panel.
2) Indexu also use htmlspecialchars() to replace < > " ' to html codes.

Ok, disable XSS look no good. Allowing HTML code to submitter is dangerous.
Perhaps I can provide you better solution.
Is there any reason why using iframe? To display google map, you have
enough information from the address and title.
If you don't mind, I will try to replicate the google map you have
without need to enter this google map field.
It is better to disable it from users, but you can keep it for admin only."

So my solution has been forced to run the google maps from the address fields.
If we could use the iframe google maps embed code it will always be more accuracy.

But you can´t have everything! You already have indexu!!

[sitesme]

So, as far as I can see... there's no quick fix for this am I right?
I'm not sure if I understood quite well the explanation abou XSS and the rest.

I'm not getting any reply from Nicecoder support for more than a week now. Frustating

Thank you anyway.

[chunguens]

Yes... no solution for now, for that problem!
Nicecoder support sometimes is gone away! We have to be patient!!
We can only help ourselves.

[ezykiwi]

What would happen if you removed the Iframe code, and put in purely the URL of the map?

so the user copy and pastes in the map address... and then you can wrap the iframe code around that but its not needed in the database (which is logical cause it would be just repeat code over and over)

just a thought

[dody]

Do google provide gmap generator that use iframe?
Why do you need iframe?