Jump to content
kongondo

Module: Jquery File Upload

Recommended Posts

50 minutes ago, huhabab said:

Thank you, the error was on my part, changed the options before rendering the module. (...)

Glad you sorted it out.

Share this post


Link to post
Share on other sites

Security Report: FYI

TL;DR: Our module does not use the vulnerable PHP files. We are OK; nothing to see here 🙂.

You might have come across reports that Blueimp jQuery File Upload on which the module JqueryFileUpload is based had some vulnerabilities that had gone undetected for 8 years! The vulnerabilities, that have since been fixed, had to do with the  server-side application examples that ship with Blueimp jQuery File Upload, specifically the two PHP files Upload.php and UploadHandler.php. Our ProcessWire JqueryFileUpload module is not in any way affected by the vulnerability. Here's why:

  1. We don't use Upload.php and UploadHandler.php nor any server-side samples that might ship with Blueimp jQuery File Upload. We use ProcessWire's WireUpload Class instead.
  2. We don't ship our module with these files.
  3. We use Blueimp jQuery File Upload purely for its client-side upload capabilities (only the JavaScript).
  4. Blueimp jQuery File Upload aside, we operate a very tight ship with our module. These include:
    1. Not everyone can upload files. That decision is left to the developer.
    2. All files are validated for both MIME types and file extensions.
    3. Only extensions specified by  admin are allowed to go through to validation.
    4. All uploads are stored in a temporary folder pending validation. The location of the temporary folder is configurable. One can set either a web-accessible folder (e.g. in cases where one wants to show thumbnails of uploaded images) or a hidden one.
    5. All actions sent from client-side are validated against settings stored server-side. For instance, uploading, listing and deleting files. So, changing a JSON setting sent to the module client-side has no effect server-side.
    6. We use CSRF.
    7. Etc...

Here are the relevant links to the above mentioned (but now fixed) exploits.

In conclusion, this is just for your information, in case you were wondering or came across it. We are not affected and we didn't have to patch anything. Having said that, as per our OP, we urge all developers who use this module to exercise best practices to secure their applications.

Edited by kongondo
typos
  • Like 5

Share this post


Link to post
Share on other sites

Thank you @kongondo for this information.

That  shows the exemplary security awareness of @ryan in all his work! One of the reasons that makes us glad using PW...

  • Like 1

Share this post


Link to post
Share on other sites
On 11/28/2018 at 10:57 AM, ottogal said:

That  shows the exemplary security awareness of...

... Kongondo too 😉 

  • Like 2

Share this post


Link to post
Share on other sites

Update: Jquery File Upload Version 0.0.7.

 

As of today and this version onward, ONLY ProcessWire 3.x is supported.

 

Changelog

  1. Added option to unzip uploaded ZIP archives (works only in PW backend {hence custom modules}).
  2. Refreshed upload widget look and style.
  3. Added support for so-called 'Upload Anywhere' (no documentation currently, sorry. Basically this means you can use a whole page a files' dropzone).

For those who care, this means Media Manager's release is imminent 🙂

 

Screenshots

 

jfu-ver-007-001.thumb.png.ed8a66e4923bda84bcabed17b9c9d8c8.png

 

jfu-ver-007-002.thumb.png.8df0b06b6c25d509669b1350919f7757.png

Thanks!

Edited by kongondo
note about PW 3 support only
  • Like 3

Share this post


Link to post
Share on other sites

Thanks for this great module!

I had a problem with my live server, it didn't allowed pdf to be uploaded, and the script fired the message "filetype not allowed". If anyone encounters this problem, the solution is to go on the server settings and tick the "fileinfo" extention in the PHP settings.

Share this post


Link to post
Share on other sites

Hello again,

Has anyone tried to add a file description to the file? I want to mantain the original filename with spaces, capital and special characters, if so I could add them to the file->description and display on the template the description instead of the filename. Is this something at all possible?

Share this post


Link to post
Share on other sites
On 4/19/2019 at 10:25 AM, palacios000 said:

Has anyone tried to add a file description to the file? I want to mantain the original filename with spaces, capital and special characters, if so I could add them to the file->description and display on the template the description instead of the filename. Is this something at all possible?

I don't quite understand. Do you mean you want to save the non-sanitised file name as a description rather than adding a description to the file later yourself?

Share this post


Link to post
Share on other sites

Hi! I'd like to keep the original file name. After upload the new sanitised name is not as human-friendly as the original file saved by client on his PC, this is why I was thinking to keep the original name somehow and save it on the file description. In my very modest opinion, this is somthing quite complicated to do, but maybe there is an easy solution.

 

Share this post


Link to post
Share on other sites
2 hours ago, palacios000 said:

Hi! I'd like to keep the original file name. After upload the new sanitised name is not as human-friendly as the original file saved by client on his PC, this is why I was thinking to keep the original name somehow and save it on the file description. In my very modest opinion, this is somthing quite complicated to do, but maybe there is an easy solution.

 

Maybe if you could explain your use case a bit more. What do you do with the uploaded file? If you are adding it to a ProcessWire Page, ProcessWire will not allow you to have your 'human-friendly' file name 😀. It will be sanitised. I am guessing that is why you wanted to save the original file name in the description?

Secondly, who is uploading the files? The general public? Registered users? Site editors? 

Share this post


Link to post
Share on other sites

Yes you guessed right: registered user uploads pdfs on a PW page, which is then rendered like a "folder" and all files are displayed as a list, where the user can browse them... I'm able to make the list neater with some "str_replace" but still it won't be the same as it should.

I thought of writing the original file names on a txt file in the same temporary folder where files are saved, or into the session, and with some logic then add the content of the text file on each file->description field, but at the moment it's too complicated for me! Or maybe this could be a feature for the next released version 😎. Thanks again for this great module anyway!

Share this post


Link to post
Share on other sites

Thank you sooo much for this!! Truly super helpful, I've been trying to implement that precise script for two days, since I didn't know you had already done it, and failed! 😢

thanks! 🙂

I do however have a few questions O:) 

I've been playing around with the config options but can't quite get the script to do what I want,
 I currently have:

$options = array(
	'showUploaded' => true,
	'uploadsDeletable' => true,
	'showUploaded' => true,
	'setMaxFiles' => 9999,
	'setOverwrite' => false,
);

But after the upload the script doens't show the files I uploaded, Nor do I see links to the files opening in a Gallery.
Also I've not managed to upload more than 50 files at once, the rest of the upload seems to just get dropped.

What settings would I have to use to:
- See the images already in the folder
- See the images after uploading with link to open them in a gallery?
- Actually upload 9999 files?

Thanks in advance! 🙂

  • Like 1

Share this post


Link to post
Share on other sites
Is it possible to receive notifications in the administrative version of the processwire when user upload a file?

Share this post


Link to post
Share on other sites
1 hour ago, ildarvasin said:

Is it possible to receive notifications in the administrative version of the processwire when user upload a file?

No, sorry. You'd have to code that yourself. 

What's your use case?

Welcome to the forums 😄 

  • Like 1

Share this post


Link to post
Share on other sites
4 hours ago, ildarvasin said:

where the file upload button is processed?

I don't understand the question, I am afraid. Please explain.

Share this post


Link to post
Share on other sites

I want to do 2 things:
- clear the list of selected files when closing the module window;
- add closing the window, after downloading all the files at once.

But your code is quite difficult to understand at my level and I don’t understand where exactly the button press of the forms is processed.

p.s. I apologize if I do not make myself clear, because I am Russian-speaking.

Share this post


Link to post
Share on other sites
22 hours ago, ildarvasin said:

I want to do 2 things:
- clear the list of selected files when closing the module window;
- add closing the window, after downloading all the files at once.

This module has no window and does not open any modal. It's still not clear to me how you are using it. I am thinking maybe you are trying to use the module in your own module? Or in the ProcessWire admin? If I could get a bit more information about this and/or a diagram/drawing (or even an animated GIF), that would help.

  • Thanks 1

Share this post


Link to post
Share on other sites

indeed, you are correct that your module was crammed into a separate block. The previous questions have disappeared.

Can I define my own file formats? You need to download 'doc, docx'. The rest so as not to even offer to saving.
as with mp3, txt

Spoiler

image.thumb.png.0e6c44106d06f361b144c3d98715ca7b.png


the following options, as I understand it, need to be set.
 

Spoiler

'acceptFileTypes' => 'doc docx',
allowedImageMimeTypes' => array(application/doc),
'commonImageExts' => array('doc', 'docx'),

the following options, as I understand it, need to be set. But the save button still appears in such formats as: .xls, .jpg, .png, .zip, .iso, pdf.
if you save the files, then all the allowed formats appear in the folder, but I would like to get rid of the button for unauthorized formats

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Similar Content

    • By David Karich
      ProcessWire InputfieldRepeaterMatrixDuplicate
      Thanks to the great ProModule "RepeaterMatrix" I have the possibility to create complex repeater items. With it I have created a quite powerful page builder. Many different content modules, with many more possible design options. The RepeaterMatrix module supports the cloning of items, but only within the same page. Now I often have the case that very design-intensive pages and items are created. If you want to use a content module on a different page (e.g. in the same design), you have to rebuild each item manually every time.
      This module extends the commercial ProModule "RepeaterMatrix" by the function to duplicate repeater items from one page to another page. The condition is that the target field is the same matrix field from which the item is duplicated. This module is currently understood as proof of concept. There are a few limitations that need to be considered. The intention of the module is that this functionality is integrated into the core of RepeaterMatrix and does not require an extra module.
      Check out the screencast
      What the module can do
      Duplicate multible repeater items from one page to another No matter how complex the item is Full support for file and image fields Multilingual support Support of Min and Max settings Live synchronization of clipboard between multiple browser tabs. Copy an item and simply switch the browser tab to the target page and you will immediately see the past button Support of multiple RepeaterMatrix fields on one page Configurable which roles and fields are excluded Configurable dialogs for copy and paste Duplicated items are automatically pasted to the end of the target field and set to hidden status so that changes are not directly published Automatic clipboard update when other items are picked Automatically removes old clipboard data if it is not pasted within 6 hours Delete clipboard itself by clicking the selected item again Benefit: unbelievably fast workflow and content replication What the module can't do
      Before an item can be duplicated in its current version, the source page must be saved. This means that if you make changes to an item and copy this, the old saved state will be duplicated Dynamic loading is currently not possible. Means no AJAX. When pasting, the target page is saved completely No support for nested repeater items. Currently only first level items can be duplicated. Means a repeater field in a repeater field cannot be duplicated. Workaround: simply duplicate the parent item Dynamic reloading and adding of repeater items cannot be registered. Several interfaces and events from the core are missing. The initialization occurs only once after the page load event Changelog
      2.0.0
      Feature: Copy multiple items at once! The fundament for copying multiple items was created by @Autofahrn - THX! Feature: Optionally you can disable the copy and/or paste dialog Bug fix: A fix suggestion when additional and normal repeater fields are present was contributed by @joshua - THX! 1.0.4
      Bug fix: Various bug fixes and improvements in live synchronization Bug fix: Items are no longer inserted when the normal save button is clicked. Only when the past button is explicitly clicked Feature: Support of multiple repeater fields in one page Feature: Support of repeater Min/Max settings Feature: Configurable roles and fields Enhancement: Improved clipboard management Enhancement: Documentation improvement Enhancement: Corrected few typos #1 1.0.3
      Feature: Live synchronization Enhancement: Load the module only in the backend Enhancement: Documentation improvement 1.0.2
      Bug fix: Various bug fixes and improvements in JS functions Enhancement: Documentation improvement Enhancement: Corrected few typos 1.0.1
      Bug fix: Various bug fixes and improvements in the duplication process 1.0.0
      Initial release Support this module
      If this module is useful for you, I am very thankful for your small donation: Donate 5,- Euro (via PayPal – or an amount of your choice. Thank you!)
      Download this module (Version 2.0.0)
      > Github: https://github.com/FlipZoomMedia/InputfieldRepeaterMatrixDuplicate
      > PW module directory: https://modules.processwire.com/modules/inputfield-repeater-matrix-duplicate/
      > Old stable version (1.0.4): https://github.com/FlipZoomMedia/InputfieldRepeaterMatrixDuplicate/releases/tag/1.0.4
    • By Robin S
      A new module that hasn't had a lot of testing yet. Please do your own testing before deploying on any production website.
      Custom Paths
      Allows any page to have a custom path/URL.
      Note: Custom Paths is incompatible with the core LanguageSupportPageNames module. I have no experience working with LanguageSupportPageNames or multi-language sites in general so I'm not in a position to work out if a fix is possible. If anyone with multi-language experience can contribute a fix it would be much appreciated!
      Screenshot

      Usage
      The module creates a field named custom_path on install. Add the custom_path field to the template of any page you want to set a custom path for. Whatever path is entered into this field determines the path and URL of the page ($page->path and $page->url). Page numbers and URL segments are supported if these are enabled for the template, and previous custom paths are managed by PagePathHistory if that module is installed.
      The custom_path field appears on the Settings tab in Page Edit by default but there is an option in the module configuration to disable this if you want to position the field among the other template fields.
      If the custom_path field is populated for a page it should be a path that is relative to the site root and that starts with a forward slash. The module prevents the same custom path being set for more than one page.
      The custom_path value takes precedence over any ProcessWire path. You can even override the Home page by setting a custom path of "/" for a page.
      It is highly recommended to set access controls on the custom_path field so that only privileged roles can edit it: superuser-only is recommended.
      It is up to the user to set and maintain suitable custom paths for any pages where the module is in use. Make sure your custom paths are compatible with ProcessWire's $config and .htaccess settings, and if you are basing the custom path on the names of parent pages you will probably want to have a strategy for updating custom paths if parent pages are renamed or moved.
      Example hooks to Pages::saveReady
      You might want to use a Pages::saveReady hook to automatically set the custom path for some pages. Below are a couple of examples.
      1. In this example the start of the custom path is fixed but the end of the path will update dynamically according to the name of the page:
      $pages->addHookAfter('saveReady', function(HookEvent $event) { $page = $event->arguments(0); if($page->template == 'my_template') { $page->custom_path = "/some-custom/path-segments/$page->name/"; } }); 2. The Custom Paths module adds a new Page::realPath method/property that can be used to get the "real" ProcessWire path to a page that might have a custom path set. In this example the custom path for news items is derived from the real ProcessWire path but a parent named "news-items" is removed:
      $pages->addHookAfter('saveReady', function(HookEvent $event) { $page = $event->arguments(0); if($page->template == 'news_item') { $page->custom_path = str_replace('/news-items/', '/', $page->realPath); } }); Caveats
      The custom paths will be used automatically for links created in CKEditor fields, but if you have the "link abstraction" option enabled for CKEditor fields (Details > Markup/HTML (Content Type) > HTML Options) then you will see notices from MarkupQA warning you that it is unable to resolve the links.
      Installation
      Install the Custom Paths module.
      Uninstallation
      The custom_path field is not automatically deleted when the module is uninstalled. You can delete it manually if the field is no longer needed.
       
      https://github.com/Toutouwai/CustomPaths
      https://modules.processwire.com/modules/custom-paths/
    • By teppo
      Hey folks!
      I'm happy to finally introduce a project I've been working on for quite a while now: it's called Wireframe, and it is an output framework for ProcessWire.
      Note that I'm posting this in the module development area, maily because this project is still in rather early stage. I've built a couple of sites with it myself, and parts of the codebase have been powering some pretty big and complex sites for many years now, but this should still be considered a soft launch 🙂
      --
      Long story short, Wireframe is a module that provides the "backbone" for building sites (and apps) with ProcessWire using an MVC (or perhaps MVVM... one of those three or four letter acronyms anyway) inspired methodology. You could say that it's an output strategy, but I prefer the term "output framework", since in my mind the word "strategy" means something less tangible. A way of doing things, rather than a tool that actually does things.
      Wireframe (the module) provides a basic implementation for some familiar MVC concepts, such as Controllers and a View layer – the latter of which consists of layouts, partials, and template-specific views. There's no "model" layer, since in this context ProcessWire is the model. As a module Wireframe is actually quite simple – not even nearly the biggest one I've built – but there's still quite a bit of stuff to "get", so I've put together a demo & documentation site for it at https://wireframe-framework.com/.
      In addition to the core module, I'm also working on a couple of site profiles based on it. My current idea is actually to keep the module very light-weight, and implement most of the "opinionated" stuff in site profiles and/or companion modules. For an example MarkupMenu (which I released a while ago) was developed as one of those "companion modules" when I needed a menu module to use on the site profiles.
      Currently there are two public site profiles based on Wireframe:
      site-wireframe-docs is the demo&docs site mentioned above, just with placeholder content replaced with placeholder content. It's not a particularly complex site, but I believe it's still a pretty nice way to dig into the Wireframe module. site-wireframe-boilerplate is a boilerplate (or starter) site profile based on the docs site. This is still very much a work in progress, but essentially I'm trying to build a flexible yet full-featured starter profile you can just grab and start building upon. There will be a proper build process for resources, it will include most of the basic features one tends to need from site to site, etc. --
      Requirements and getting started:
      Wireframe can be installed just like any ProcessWire module. Just clone or download it to your site/modules/ directory and install. It doesn't, though, do a whole lot of stuff on itself – please check out the documentation site for a step-by-step guide on setting up the directory structure, adding the "bootstrap file", etc. You may find it easier to install one of the site profiles mentioned above, but note that this process involves the use of Composer. In the case of the site profiles you can install ProcessWire as usual and download or clone the site profile directory into your setup, but after that you should run "composer install" to get all the dependencies – including the Wireframe module – in place. Hard requirements for Wireframe are ProcessWire 3.0.112 and PHP 7.1+. The codebase is authored with current PHP versions in mind, and while running it on 7.0 may be possible, anything below that definitely won't work. A feature I added just today to the Wireframe module is that in case ProcessWire has write access to your site/templates/ directory, you can use the module settings screen to create the expected directories automatically. Currently that's all, and the module won't – for an example – create Controllers or layouts for you, so you should check out the site profiles for examples on these. (I'm probably going to include some additional helper features in the near future.)
      --
      This project is loosely based on an earlier project called pw-mvc, i.e. the main concepts (such as Controllers and the View layer) are very similar. That being said, Wireframe is a major upgrade in terms of both functionality and architecture: namespaces and autoloader support are now baked in, the codebase requires PHP 7, Controllers are classes extending \Wireframe\Controller (instead of regular "flat" PHP files), implementation based on a module instead of a collection of drop-in files, etc.
      While Wireframe is indeed still in a relatively early stage (0.3.0 was launched today, in case version numbers matter) for the most part I'm happy with the way it works, and likely won't change it too drastically anytime soon – so feel free to give it a try, and if you do, please let me know how it went. I will continue building upon this project, and I am also constantly working on various side projects, such as the site profiles and a few unannounced helper modules.
      I should probably add that while Wireframe is not hard to use, it is more geared towards those interested in "software development" type methodology. With future updates to the module, the site profiles, and the docs I hope to lower the learning curve, but certain level of "developer focus" will remain. Although of course the optimal outcome would be if I could use this project to lure more folks towards that end of the spectrum... 🙂
      --
      Please let me know what you think – and thanks in advance!
    • By tcnet
      PageViewStatistic for ProcessWire is a module to log page visits of the CMS. The records including some basic information like IP-address, browser, operating system, requested page and originate page. Please note that this module doesn't claim to be the best or most accurate.
      Advantages
      One of the biggest advantage is that this module doesn't require any external service like Google Analytics or similar. You don't have to modify your templates either. There is also no JavaScript or image required.
      Disadvantages
      There is only one disadvantage. This module doesn't record visits if the browser loads the page from its browser cache. To prevent the browser from loading the page from its cache, add the following meta tags to the header of your page:
      <meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" /> <meta http-equiv="Pragma" content="no-cache" /> <meta http-equiv="Expires" content="0" /> How to use
      The records can be accessed via the Setup-menu of the CMS backend. The first dropdown control changes the view mode. There are 4 different view modes.
      View mode "Day" shows all visits of the selected day individually with IP-address, browser, operating system, requested page and originate page. Click the update button to see new added records. View mode "Month" shows the total of all visitors per day from the first to the last day of the selected month. View mode "Year" shows the total of all visitors per month from the first to the last month of the selected year. View mode "Total" shows the total of all visitors per year for all recorded years. Please note that multiple visits from the same IP address within the selected period are counted as a single visitor.
      Settings
      You can access the module settings by clicking the Configuration button at the bottom of the records page. The settings page is also available in the menu: Modules->Configure->ProcessPageViewStat.
      IP2Location
      This module uses the IP2Location database from: http://www.ip2location.com. This database is required to obtain the country from the IP address. IP2Location updates this database at the begin of every month. The settings of ProcessPageViewStat offers the ability to automatically download the database monthly. Please note, that automatically download will not work if your webspace doesn't allow allow_url_fopen.
      Dragscroll
      This module uses DragScroll. A JavaScript available from: http://github.com/asvd/dragscroll. Dragscroll adds the ability in view mode "Day" to drag the records horizontally with the mouse pointer.
      parseUserAgentStringClass
      This module uses the PHP class parseUserAgentStringClass available from: http://www.toms-world.org/blog/parseuseragentstring/. This class is required to filter out the browser type and operating system from the server request.
      Special Feature
      PageViewStatistic for ProcessWire can record the time a visitor viewed the page. This feature is deactivated by default. To activate open the module configuration page and activate "Record view time". If activated you will find a new column "S." in the records which means the time of view in seconds. With every page request, a Javascript code is inserted directly after the <body> tag. Every time the visitor switches to another tab or closes the tab, this script reports the number of seconds the tab was visible. The initial page request is recorded only as a hyphen (-).
       
    • By MoritzLost
      This module allows you to integrate hCaptcha bot / spam protection into ProcessWire forms. hCaptcha is a great alternative to Google ReCaptcha, especially if you are in the EU and need to comply with privacy regulations.

      The development of this module is sponsored by schwarzdesign.
      The module is built as an Inputfield, allowing you to integrate it into any ProcessWire form you want. It's primarily intended for frontend forms and can be added to Form Builder forms for automatic spam protection. There's a step-by-step guide for adding the hCaptcha widget to Form Builder forms in the README, as well as instructions for API usage.
      Features
      Inputfield that displays an hCaptcha widget in ProcessWire forms. The inputfield verifies the hCaptcha response upon submission, and adds a field error if it is invalid. All hCaptcha configuration options for the widget (theme, display size etc) can be changed through the inputfield configuration, as well as programmatically. hCaptcha script options can be changed through a hook. Error messages can be translated through ProcessWire's site translations. hCaptcha secret keys and site-keys can be set for each individual inputfield or globally in your config.php. Error codes and failures are logged to help you find configuration errors. Please check the README for setup instructions.
      Links
      Github Repository and documentation InputfieldHCaptcha in the module directory Screenshots (configuration)

      Screenshots (hCaptcha widget)

       
       

       
×
×
  • Create New...