Archive for the ‘General’ Category

Creating Custom FCKeditor Combo Plugin

Tuesday, November 25th, 2008

A simple demonstration of how to create a custom FCKeditor combo plugin.

Introduction:

FCKeditor is a widely used HTML-based text editor. In an earlier post I showed how to integrate FCKeditor in ASP.NET. You can easily create and install custom plugins for FCKeditor.

Here I have prepared a custom month combo plugin. The user can select a month from January to December and insert the selected month into the editor.

Complete Scenario

Description:

Step 1:

Create a folder named “monthcombo” in the “\editor\plugins” folder. Create a JavaScript file named “fckplugin.js” in the “monthcombo” folder. Now open the “fckplugin.js” file in any editor.

Step 2:

Initialize the month combo as follows.

// Initialize the Month Combo
var monthCombo = function (name)
{
  this.Name = name;
}

Step 3:

Create the function that executes the command.

// Execute the Command
monthCombo.prototype.Execute = function(itemText, itemLabel) 
{
    if (itemText != "")
        FCK.InsertHtml("<span>" + itemText + "</span>");
}

Step 4:

Create the function that manages the plugin behavior.

// Manage the plugin behavior
monthCombo.prototype.GetState = function()
{
    return FCK_TRISTATE_OFF; // FCK_TRISTATE_OFF or  FCK_TRISTATE_ON
}

Step 5:

Register the month combo command.

// Register the command.
FCKCommands.RegisterCommand( 'MonthCombo' ,  new  monthCombo('Month Combo') ) ;

Step 6:

Create the toolbar button and set its prototype as follows.

// Create the toolbar button.
var monthComboToolbar = function(tooltip,  style)
{
    this.CommandName   = 'MonthCombo';
    this.Label         = this.GetLabel();
    this.Tooltip       = tooltip?  tooltip : this.Label;
    this.Style         = style;  //FCK_TOOLBARITEM_ICONTEXT OR FCK_TOOLBARITEM_ONLYTEXT
}
 
// Set the toolbar prototype.
monthComboToolbar.prototype = new  FCKToolbarSpecialCombo;

Step 7:

Create the function that returns the label to appear on the toolbar.

// Label to appear in the FCK toolbar
monthComboToolbar.prototype.GetLabel  = function()
{
    return "Month Combo";
}

Step 8:

Add items to the combo list.

//Add the items to the combo list
monthComboToolbar.prototype.CreateItems  =  function(A)
{
    var months = Array("January", "February", "March",  "April",
                       "May", "June", "July",  "August",
                       "September", "October", "November",  "December");
 
    for (var i = 0; i < months.length; i++)
    {
        this._Combo.AddItem(months[i],  months[i]);
    }
}

Step 9:

Register the combo with the FCKeditor.

//Register the combo with the FCKeditor
FCKToolbarItems.RegisterItem('MonthCombo' , new monthComboToolbar( 'Month Combo', FCK_TOOLBARITEM_ICONTEXT ) ) ; // FCK_TOOLBARITEM_ONLYICON or FCK_TOOLBARITEM_ONLYTEXT  or  FCK_TOOLBARITEM_ICONTEXT

Step 10:

Save “fckplugin.js”. We are near the end. Now open the “fckconfig.js” file located in the root directory. Add the month combo plugin as follows:

//Add Month Combo Plugin
FCKConfig.Plugins.Add( 'monthcombo' );

Step 11:

Finally, add this combo ('MonthCombo') to the FCKConfig.ToolbarSets["Default"] or FCKConfig.ToolbarSets["Basic"] settings as follows.

FCKConfig.ToolbarSets["Basic"] = [
	['Bold','Italic','-','OrderedList','UnorderedList','-','Link','Unlink','-','About', 'MonthCombo']
] ;

Reference:

Creating & Installing a Plugin in FCKeditor

Conclusion:

Download the plugin here. MonthCombo

Recovered My Hacked Site

Wednesday, October 8th, 2008

I was in my village for Eid vacation and without internet access. After a one-week leave, I came back to the capital and found that my site had been hacked. I was surprised to see that. Below is a picture of my hacked site.

MyHackedSite

At first I thought my htaccess file had been changed. But I noticed that only the index file was changed. I opened a support ticket with my hosting site and got the following reply, which I think may be helpful for others:

Here’s some information you can use to help to identify what may have happened and how to rectify it and possibly prevent it from happening again.

The two most common entry points for a compromised website are (1) vulnerable, typically out-of-date web scripts (blogs, forums, CMS, etc.) or (2) a compromised FTP/SSH user password.

1) All web scripts you have installed under your domain should always be kept up-to-date with the most recent version available from the vendors’ website, as these often contain security patches for known issues. Older versions of well-known and popular web software (including WordPress, phpBB, PHPNuke, PostNuke, etc.) are known to have vulnerabilities that can allow injection and execution of arbitrary code. Also make sure not to store ‘archive’ versions of old software in an open web directory — if you intend to keep these they should be stored under your FTP user’s home directory, not under a domain directory. Finally, some plugins for popular software (such as Expose for Joomla) have been found to introduce similar vulnerabilities. It’s a good idea to search the internet for information about a plugin and ensure it doesn’t have any known issues before installing.

After updating your software, it is imperative that you go through all files under all directories for the user which has been compromised and ensure that any files which have been written to / modified have been removed. It is common for ‘hackers’ that exploit web scripts to upload innocuously-named scripts which they can use to further compromise the site more easily, even after the initial vulnerability is closed — including scripts to send spam mail or execute arbitrary shell commands under your account via a simple web page interface. A helpful tip for finding files of this nature is to look for files or directories that have timestamps that occurred since you last modified your site, or that occurred around the time that the ‘hack’ took place; still it is best to examine all files as even a single missed file can allow the site to be re-compromised.

2) A bit less frequently, an FTP password can be compromised and used to modify files. The most important part of securing your account in this case is to change your FTP user’s password via the (USERS > MANAGE USERS) -> “Edit” area of the control panel. Passwords should not contain dictionary words and should be a string of at least 8 mixed-case alpha characters, numbers, and symbols. The best option for selecting a new password is to use our “Pick a password for me” feature. Check that box near the bottom of the page then click on the “Save Changes” button. The system will generate a very strong random password for this account. It will be displayed on the next page. It is recommended to always use Secure FTP (SFTP) or SSH rather than regular FTP, which sends passwords over the internet in plaintext. You should not use any passwords that you’ve used with other services, and ideally you should never use the same password for email, control panel, and FTP/SSH. Finally, you should always ensure that you’ve got up-to-date virus/malware screening on your computer to ensure that it is not compromised itself.

I updated my web scripts to the latest version and my site came back. I still don’t know how my site was hacked. Do you have any idea? :)
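
The timestamp check suggested in the hosting reply above, as an added example that is not part of the original post or the host's reply. It assumes shell access to the account and GNU find and touch; the function names, file names and dates are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: triage a web root by file timestamps after a defacement.
# Assumptions: GNU find/touch; web root and dates are supplied by the caller.

# Files whose content changed after the cutoff (mtime), newest first.
# $1 = web root, $2 = cutoff such as "2008-09-30 00:00:00"
modified_since() {
    find "$1" -type f -newermt "$2" \
        -printf '%TY-%Tm-%Td %TH:%TM  %p\n' | sort -r
}

# Files whose content changed inside a window around the incident.
# $1 = web root, $2 = window start, $3 = window end
modified_between() {
    find "$1" -type f -newermt "$2" ! -newermt "$3" \
        -printf '%TY-%Tm-%Td %TH:%TM  %p\n' | sort
}

# mtime can be reset with touch; ctime (inode change time) is not
# settable that way. A file whose ctime is after the cutoff while its
# mtime claims to be older was backdated, or had its owner or mode
# changed, and deserves a manual look. Files restored from a backup or
# re-uploaded also show up here, so treat the list as leads.
# $1 = web root, $2 = cutoff
backdated_since() {
    find "$1" -type f -newerct "$2" ! -newermt "$2" \
        -printf 'mtime %TY-%Tm-%Td  ctime %CY-%Cm-%Cd  %p\n'
}

# Constructed sample tree for trying the functions; prints its path.
make_sample_root() {
    sample_root=$(mktemp -d)
    echo '<?php /* site front page */' > "$sample_root/index.php"
    echo '<?php /* constructed stand-in for a dropped file */' \
        > "$sample_root/img_cache.php"
    # Give the second file an old mtime, as a dropped script might have.
    touch -d '2008-09-01 12:00:00' "$sample_root/img_cache.php"
    echo "$sample_root"
}
```

Run `backdated_since` as well as `modified_since`: a file that appears only in the first list has an mtime that does not match when it actually arrived on disk.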