
Gravatar Support

Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=28195
Printed Date: 02 April 2026 at 4:42am
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: Gravatar Support
Posted By: wistex
Subject: Gravatar Support
Date Posted: 03 January 2010 at 8:40am
I just thought of something interesting.  What about supporting Gravatar as an option for users?  It is widely used for blogs, and could easily be applied to forums as well.  And for websites that don't allow users to upload their own avatars (or can't because of their host), this would be an excellent alternative to storing people's avatars on your server taking up space.

It would be fairly easy to add too.  In the user's control panel, add an option for a user to use their Gravatar.  And wherever the avatars are displayed, you simply display the image using a simple image tag.

Details: http://en.gravatar.com/

Implementation: http://en.gravatar.com/site/implement/url



Replies:
Posted By: wistex
Date Posted: 14 January 2010 at 10:05pm
Here is some code on how to implement it:

http://www.webdevbros.net/2007/12/29/using-gravatar-in-classic-asp/

I have implemented it on the articles and recipes pages for recent comments (powered by the forum, by the way).  Later I will implement it in the forums as well.

How I do it is:
  • If the user selected an avatar in the forum, use it
  • else see if there is a gravatar
  • and set a default image if there is not.
Works great.

After I upgrade and make some other changes, I will implement the same thing in the forum.

Example for Article:
http://www.caribbeanchoice.com/us/content.asp?article=1609

Example for Recipe:
http://www.caribbeanchoice.com/recipes/recipe.asp?recipe=186

(Note that the comments are powered by the forum system.  A forum thread is associated with the article or recipe.  The most recent comments are shown on the article or recipe page, but the whole thread is viewable in the forum.  When people post, they are actually posting in the forum.)


-------------
WisTex Solutions - http://www.wistex.com
CaribbeanChoice Forums - http://www.caribbeanchoice.com/forums


Posted By: wistex
Date Posted: 14 January 2010 at 11:30pm
Just noticed that you can use their XMLRPC to see if an avatar exists, so that you can choose not to show an avatar instead of substituting a default image.

http://en.gravatar.com/site/implement/xmlrpc




Posted By: wistex
Date Posted: 18 January 2010 at 9:06am
I added Gravatar support for our forum (http://www.caribbeanchoice.com/forums/).  It was actually easier than I thought it would be.  I added an option on the registration page for selecting the gravatar as your avatar.  I used a different tactic than I thought I would though.  Originally I was going to implement like I did on the article comments, where it used your Gravatar if you have not selected a forum avatar.  The downside of this tactic is that an avatar must always be displayed, even a blank one, which I preferred not to do in the forums.  So instead, I made it so you can select a Gravatar as your avatar in your profile.

Our forum is a highly customized version of WWF, so the exact code we used may not work for you.  So instead, I will give you hints on what to change.  I will give sample code below, but it may or may not work in your version of WWF since I have not tested it on the latest standard install provided by WWF.

Color Key to Sample Code:
Black = Original Code in my Version of Forums (yours may differ).
Brick Red = Code I added
Green = Comments I added

Edit the registration/edit profile page (register.asp) so:

1. Include the md5.asp include file for generating the MD5 hash at the beginning of the page with the other includes.

<% 'For Gravatar E-mail Hash %>
<!-- #include virtual="/global-includes/md5.asp" -->

Note: At least in my case, it seems to choke if you put it anywhere but the top of the file.  So I would recommend putting it immediately after the forum includes for the page.

2. Add an <option> for the gravatar in the list of options.  I put mine immediately above the selection for No Avatar since I want to encourage people to use it.  Alternatively you can put this code in the includes/select_avatar.asp file.

<select name="SelectAvatar" id="SelectAvatar" size="4" onChange="(avatar.src =
SelectAvatar.options[SelectAvatar.selectedIndex].value) && (txtAvatar.value='http://') && 
(oldAvatar.value='')">

<%
'*** BEGIN MOD - Gravatar ***
'create an instance of our MD5 class
set h = new MD5
'hash the trimmed, lower-cased email address we want the gravatar for
hash = h.hash(LCase(Trim(strEmail)))
'provide an alternative image if no gravatar is available
noPicUrl = server.urlEncode("http://www.yourwebsite.com/forum/avatars/noavatar.jpg")
%>
<option value="http://www.gravatar.com/avatar.php?gravatar_id=<% = hash %>&s=64">Gravatar</option>
<%
'*** END MOD - Gravatar ***
%>

<option value="<% = strImagePath %>blank.gif"><% = strTxtNoneSelected %></option>
<!-- #include file="includes/select_avatar.asp" -->
</select>

Note: We do not actually use the NoPic code because WWF is not capable of storing such a long URL for the avatar.  This means if they do not pick an avatar, it shows the Gravatar logo instead. But since they have the option of picking no avatar or another avatar, then that's not a big deal.

3. Exempt Gravatars from ending in JPG, GIF or PNG.  WWF checks to make sure that user input is valid, not bogus and not malicious.  This, however, will alter the Gravatar URL so that it is unusable, because it assumes it is bad since no extension is present.  

[code]
'******************************************
'***     Check the avatar is OK ***
'******************************************

'Exempt gravatars from check
If Left(strAvatar,24) = "http://www.gravatar.com/" Then
'Gravatars exempt from having to end with jpg, gif, png, etc.
'strAvatar = checkImages(strAvatar)
'Call the filter for the image
strAvatar = formatInput(strAvatar)
else

        'Remove malicious code from the avatar link or remove it altogether if not a web graphic
        If strAvatar <> "" Then

                'If there is no . in the link then there is no extension and so can't be an image
                If inStr(1, strAvatar, ".", 1) = 0 Then
                        strAvatar = ""

     &nb



Posted By: WebWiz-Bruce
Date Posted: 18 January 2010 at 9:31am
This is very good.

However, removing the check to make sure that an avatar is a JPG, GIF, or PNG does leave your forum wide open to XSS and XCSRF hacking, which could be used to take control of admin accounts, trick admins into performing tasks such as delete tasks they did not initialise, hack into a normal user account, infect visitors with viruses or Trojans, etc.

-------------
Web Wiz Forums Hosting - https://www.webwiz.net/web-wiz-forums/forum-hosting.htm
ASP.NET Web Hosting - https://www.webwiz.net/web-hosting/windows-web-hosting.htm


Posted By: wistex
Date Posted: 18 January 2010 at 9:33am
How would you suggest solving that?  The Gravatar URL does not pass the current check.



Posted By: WebWiz-Bruce
Date Posted: 18 January 2010 at 9:48am
It would be quite tricky as there are lots of services like Gravatar that have come and gone over the years, as well as requests for supporting them, which have been looked into.

Maybe a better option, as form elements, including drop downs, can be edited to change the selection, would be to have a separate form input where the person enters their Gravatar email address.

Then when the form is submitted, check if a Gravatar email has been entered; if so, perform the MD5 hash and create the link, which is then entered into the database as the user's avatar link.

As this would then be carried out server side and none of this apart from the email address is displayed client side, it would limit what can be edited by the user.

It would need more work, such as storing the Gravatar email address in the database, then when displaying the user profile to edit, displaying the Gravatar email address to allow it to be changed.

You would also need to bypass the avatar code in the form submission code if a Gravatar email is entered and then run the code to build the Gravatar link and store both this and the Gravatar email in the database.




Posted By: wistex
Date Posted: 18 January 2010 at 9:58am
Since we are treating Gravatar.com as a trusted site, couldn't we just filter the Gravatar URL for characters that are not supposed to be there?  For example, there will be no single or double quotes, no brackets, etc.  Such things could readily be checked for, and if present, we can remove the URL completely.

We could also do some parsing, and see if the URL is properly formed.  For example we could form the URL as:

http://www.gravatar.com/avatar.php?s=64&gravatar_id=d07cfd61eb44a22ef76765c9616c31be

The gravatar MUST start with the bold text, or else it is rejected.  After the bold text, there cannot be any & or ' or " or < or > or anything weird that would not be in an MD5 hash.


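The strict check proposed in the post above, as an added example that is not part of the original thread and is written in Python rather than the forum's Classic ASP. It compares a whole-string allowlist match against the 24-character prefix test used in the earlier mod; the function names and the sample inputs are constructed for illustration, and lower-case hex output from the MD5 routine is an assumption.

```python
import re

# Exact URL shape quoted in the post; anything else is rejected outright.
# Assumptions: size fixed at 64, hash is 32 lower-case hex characters (MD5).
GRAVATAR_URL = re.compile(
    r"http://www\.gravatar\.com/avatar\.php\?s=64&gravatar_id=[0-9a-f]{32}"
)

def prefix_only_check(url):
    """The weaker test from the earlier mod: only the first 24 characters."""
    return url[:24] == "http://www.gravatar.com/"

def is_valid_gravatar_url(url):
    """Allowlist check: the whole string must match, not just its start."""
    # fullmatch avoids the '$' pitfall, which would accept a trailing newline.
    return isinstance(url, str) and GRAVATAR_URL.fullmatch(url) is not None

def clean_avatar(url):
    """Return the URL if it is well formed, otherwise remove it completely."""
    return url if is_valid_gravatar_url(url) else ""

# Constructed sample values, as they might arrive from an edited form field.
GOOD = ("http://www.gravatar.com/avatar.php?s=64"
        "&gravatar_id=d07cfd61eb44a22ef76765c9616c31be")
SAMPLES = [
    GOOD,                                     # well formed
    GOOD + '" onerror="x',                    # quote breaks out of the attribute
    GOOD + "&d=x",                            # extra parameter after the hash
    GOOD[:-1],                                # hash one character short
    GOOD + "\n",                              # trailing newline
    "http://www.gravatar.com/anything-else",  # right host, wrong shape
    "http://example.invalid/a.jpg",           # not Gravatar at all
]

def audit(samples):
    """For each sample return (passes prefix test, passes strict test)."""
    return [(prefix_only_check(s), is_valid_gravatar_url(s)) for s in samples]

if __name__ == "__main__":
    for sample, (loose, strict) in zip(SAMPLES, audit(SAMPLES)):
        print("prefix=%-5s strict=%-5s %r" % (loose, strict, sample))
```

Every sample that starts with the Gravatar host passes the prefix test, but only the first one survives the strict match.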


Posted By: wistex
Date Posted: 18 January 2010 at 10:07am
Another option, which could be done, is to have an option to select the Gravatar from the option list with a value of "avatars/gravatar.jpg."  Then, anywhere the avatar is displayed, do something like this (pseudo code):

If avatar = "gravatar.jpg" then
     generate Gravatar Image URL from e-mail in profile
end if

Then there is no possibility of malicious code being stored in the database, since gravatar.jpg passes the filter, and there is no need for additional fields.  All we are doing, in this case, is making a substitution.

(Be sure to read my post on the previous page as well.)


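The substitution described in the post above, as an added example that is not part of the original thread and is written in Python rather than the forum's Classic ASP. The stored avatar value is only ever the fixed placeholder, and the Gravatar URL is built at display time from the profile e-mail; the function names are hypothetical.

```python
import hashlib
import html

# Placeholder stored in the avatar field; it ends in .jpg, so it passes the
# forum's normal image check (value taken from the post).
SENTINEL = "avatars/gravatar.jpg"

def gravatar_url(email, size=64):
    """Build the Gravatar URL server side from the profile e-mail."""
    # Gravatar hashes the trimmed, lower-cased address.
    digest = hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()
    # Only 32 hex characters and an integer ever reach the URL.
    return ("http://www.gravatar.com/avatar.php?gravatar_id=%s&s=%d"
            % (digest, int(size)))

def resolve_avatar(stored_avatar, email):
    """Map the stored avatar value to the URL that is actually displayed."""
    if stored_avatar == SENTINEL:
        return gravatar_url(email)
    return stored_avatar  # any other value already went through the filter

def avatar_img_tag(stored_avatar, email):
    """Render the image tag, escaping the URL for use in an attribute."""
    src = resolve_avatar(stored_avatar, email)
    return ('<img src="%s" alt="avatar" width="64" height="64">'
            % html.escape(src, quote=True))

if __name__ == "__main__":
    # Constructed profile data, including an e-mail with hostile characters.
    print(avatar_img_tag(SENTINEL, " User@Example.COM "))
    print(avatar_img_tag(SENTINEL, 'x"><b>@example.com'))
    print(avatar_img_tag("avatars/smiley.gif", "user@example.com"))
```

Whatever the e-mail field contains, only its hash appears in the page, so the database never holds a user-supplied Gravatar URL.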


Posted By: WebWiz-Bruce
Date Posted: 18 January 2010 at 12:19pm
That second idea sounds really good as there would be nothing that would allow malicious code to go through as the email address is sanitised already from the user input.



