tinyeditor/dhtml editor and allowed html in 1.1beta
Not too shy to talk
Joined:
2008/8/14 7:45
From Scotland
Posts: 28
When I create a formatted news article not all of the formatting ends up getting through. Some of it is affected by the css of whatever theme I use but some of it gets stripped out.
For example, if I change the font colour (with either editor), the style attribute gets stripped out of the span tag. I'm assuming it's getting caught by the htmlpurifier script, but where can I change what's allowed?

I appreciate that I'm very new to impresscms, but my first impressions are that you're fighting it every step of the way. Is it too much to expect to have an editor 'just work', including the built-in one?

Would I be better going back to the stable release for the moment?

John

Posted on: 2008/8/21 19:48


Re: tinyeditor/dhtml editor and allowed html in 1.1beta
Home away from home
Joined:
2007/12/4 9:00
From Netherlands
Posts: 2220
See if replacing the file ../class/icms.htmlpurifier.php by this one helps.

Posted on: 2008/8/21 19:54
_________________
McDonalds Store


Re: tinyeditor/dhtml editor and allowed html in 1.1beta
Not too shy to talk
Joined:
2008/8/14 7:45
From Scotland
Posts: 28
Indeed it does. Thank you very much.

So that's my frustration meter reset for a little while longer.

John

Posted on: 2008/8/21 20:30


Re: tinyeditor/dhtml editor and allowed html in 1.1beta
Not too shy to talk
Joined:
2008/8/14 7:45
From Scotland
Posts: 28
Oops - spoke too soon.
Almost all ok.
<p align="center"> doesn't work - the align gets stripped out.
Worked out what to edit and sorted it though.

Posted on: 2008/8/21 20:35


Re: tinyeditor/dhtml editor and allowed html in 1.1beta
Home away from home
Joined:
2007/12/4 9:00
From Netherlands
Posts: 2220
In that file find the following line (approx. line 134):

$HTML_Allowed = 'a[href|title|target|rel], abbr[title], acronym[title], b, blockquote[cite], br, caption, cite, code, dd,
    del, dfn, div[align|style], dl, dt, em, font[size|color], h1, h2, h3, h4, h5, h6, i, img[src|alt|title|class|align|style], ins, kbd, li, ol, p[style], pre, s, span[style], strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, var';


and replace it with this one:

$HTML_Allowed = 'a[href|title|target|rel], abbr[title], acronym[title], b, blockquote[cite], br, caption, cite, code, dd,
    del, dfn, div[align|style], dl, dt, em, font[size|color], h1, h2, h3, h4, h5, h6, i, img[src|alt|title|class|align|style], ins, kbd, li, ol, p[align|style], pre, s, span[style], strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, var';

Posted on: 2008/8/21 21:06
_________________
McDonalds Store
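As an added illustration (not code from the thread or from ImpressCMS) of what the edit above changes: the `$HTML_Allowed` string is an HTML Purifier `HTML.Allowed` whitelist, so an attribute survives only if it is listed for that element. The script assumes the HTML Purifier library (4.x API, dotted directive names) is installed with `HTMLPurifier.auto.php` on the include path; `purify_with`, `ALLOWED_BEFORE` and `ALLOWED_AFTER` are names chosen for this example.

```php
<?php
// Added example, not ImpressCMS's own code. Shows how the HTML.Allowed
// whitelist that class/icms.htmlpurifier.php passes to HTML Purifier decides
// which attributes survive purification. Assumes the HTML Purifier library
// (4.x API) is installed and HTMLPurifier.auto.php is on the include path.
require_once 'HTMLPurifier.auto.php';

// Abbreviated versions of the two lists from the thread; the only difference
// between them is 'align' on <p>.
const ALLOWED_BEFORE = 'a[href|title|target|rel], b, br, div[align|style], em, i, '
    . 'p[style], span[style], strong, table, tbody, td, tr, u';
const ALLOWED_AFTER  = 'a[href|title|target|rel], b, br, div[align|style], em, i, '
    . 'p[align|style], span[style], strong, table, tbody, td, tr, u';

function purify_with(string $allowed, string $html): string
{
    $config = HTMLPurifier_Config::createDefault();
    // Whitelist semantics: any element or attribute not listed is removed,
    // and values of listed attributes are still validated (e.g. style= goes
    // through the CSS validator, href= through the URI filter).
    $config->set('HTML.Allowed', $allowed);
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($html);
}

// Constructed sample resembling what TinyMCE emits for centred, coloured text,
// followed by an element that is not on either list.
$input = '<p align="center"><span style="color: red;">Centred red text</span></p>'
       . '<iframe src="https://example.invalid/"></iframe>';

// With the original list <p> may only carry style=, so align= is stripped;
// the iframe is not on the list at all and is dropped.
echo purify_with(ALLOWED_BEFORE, $input), "\n";

// With p[align|style] the align= attribute is kept; the iframe is still dropped,
// because adding one attribute to <p> widens nothing else.
echo purify_with(ALLOWED_AFTER, $input), "\n";
```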


Re: tinyeditor/dhtml editor and allowed html in 1.1beta
Not too shy to talk
Joined:
2008/8/14 7:45
From Scotland
Posts: 28
Yep, that's what I did once I knew that was the file to look in.

Maybe a dumb question, but will this become an admin option so that when an update appears I don't accidentally lose this setting?

Thanks again for the help.

Posted on: 2008/8/21 21:31


Re: tinyeditor/dhtml editor and allowed html in 1.1beta
Home away from home
Joined:
2007/12/4 9:00
From Derbyshire/UK
Posts: 2076
Quote:

Maybe a dumb question, but will this become an admin option so that when an update appears I don't accidentally lose this setting?

Thanks again for the help.


HTML Purifier is a new addition to ImpressCMS; as such, we are still working to improve the whole system.

Currently I am working on a new admin section which will definitely contain admin options to fully customise the configuration of purifier, so that editing the class file like above will be unnecessary, although I am still trying to make it easy for people to change the settings until the admin interface is completed.

PS: <p align> is not a malicious tag or anything that could be manipulated into a malicious tag, so it's no problem for me to add the align attribute to the p tag permanently in the SVN so that you don't need to do this each update.

If you can think of any more tags and attributes that are necessary, or at the very least do not have the potential for exploitation, then we can add them to SVN before the final version is released.

However, I will not add iframe or frames or JavaScript to the allowed list; even style attributes can be exploited if you're not careful, so we still need to be aware of what's what.

Posted on: 2008/8/22 6:50
_________________
Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!


Re: tinyeditor/dhtml editor and allowed html in 1.1beta
Home away from home
Joined:
2007/12/4 9:00
From Netherlands
Posts: 2220
I just did a small test with the purifier attributes concerning the creation of tables.
In TinyMCE I created a 3x3 table:

<table border="1" cellspacing="2" cellpadding="2" width="50%">
<tbody>
<tr>
<td>r1c1</td>
<td>r1c2</td>
<td>r2c3</td>
</tr>
<tr>
<td>r2c1</td>
<td>r2c2</td>
<td>r2c3</td>
</tr>
<tr>
<td>r3c1</td>
<td>r3c2</td>
<td>r3c3</td>
</tr>
</tbody>
</table>


First I found the border was missing so I added it as an attribute to table in the purifier class. It works for the outline of the table only. Adding the border attribute to tr and td didn't add the border to the cells.

Also the width doesn't seem to work.

It might be that width and border are somehow overruled by the css of impresstheme, have to check that.

Attributes added to table:

table[align|border|cellpadding|cellspacing|class|id|style|summary|width],



.::EDIT::.
Quote:
It might be that width and border are somehow overruled by the css of impresstheme, have to check that.


Definitely a css issue (content.css and style.css).

I am actually wondering if table styles should be defined in the css nowadays when we start using WYSIWYG editors like TinyMCE more and more.
If the table-styles are predefined in css it makes the settings in the table-plugin of TinyMCE useless and users can never have the table layout as they create and see it in the editor.

Posted on: 2008/8/22 11:00
_________________
McDonalds Store


Re: tinyeditor/dhtml editor and allowed html in 1.1beta
Home away from home
Joined:
2007/12/4 9:00
From Derbyshire/UK
Posts: 2076
IDs need extra care, and really we need more work on that area, same with classes, especially when dealing with CSS too.

If someone posts inline CSS styles etc. with their HTML, and they create some CSS with ID and class names that are the same as core CSS names, then the CSS will be overruled because it conflicts.

If we're to allow ID and class attributes then I will need to modify slightly to protect ID tags. Allowing IDs and classes into HTML-enabled forms as well as CSS is a recipe for disaster if you aren't careful.

The thing is, if we start allowing people to define their own styles for each table and so on, then we're gonna end up with more problems, because it can throw the rest of the site out: if someone adds a table and defines its width as 2000px then we can see straight away that this is going to cause a problem.

The idea of allowing people to use HTML in forms is NOT to give them every possibility to use any HTML they want; we still have to control and restrict what people can do with HTML. Therefore any HTML input is going to be limited. HTML-enabled forums should be basic HTML only, no advanced features allowed, unless we're absolutely sure that the HTML posted can't be exploited.

And believe me when I tell you that style attributes can easily be manipulated into causing XSS, phishing, etc.

So <div style=""> could be manipulated to bring XSS and phishing attacks if we're not careful.

Same with allowing CSS, especially when our themes and templates use the overflow CSS style too, which can also be abused if not treated correctly.

It's not only the HTML to be concerned with; CSS can also be exploited under the right conditions.

If people want to post full HTML styles and stuff, then really they need to realise that this is not going to be possible, not only because of the aesthetics of the site design breaking, but because of security implications as well.

We're already allowing more HTML elements and tags than any other website that allows HTML submissions from its users; there is a reason that a limited set of elements and attributes is used.

Any HTML posted that is not W3C-valid code will be filtered and cleaned or removed. Deprecated elements and attributes will certainly be removed or changed.

Posted on: 2008/8/22 13:17
_________________
Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!
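An added example (not code from the thread or from ImpressCMS) of the two HTML Purifier directives that address the concerns in the post above: namespacing user-supplied IDs so they cannot shadow the theme's own selectors, and narrowing `style=` to a short list of presentational CSS properties. It assumes `HTMLPurifier.auto.php` is on the include path; `build_purifier`, the `user-` prefix and the property list are choices made for this example, not ImpressCMS settings.

```php
<?php
// Added example, not ImpressCMS's own code. Assumes the HTML Purifier
// library (4.x API) is installed and HTMLPurifier.auto.php is on the
// include path. The prefix and property list are example choices.
require_once 'HTMLPurifier.auto.php';

function build_purifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed',
        'div[id|class|style], p[align|style], span[style], '
        . 'table[border|cellpadding|cellspacing|width], tbody, tr, td');

    // id= is disabled by default. When it is enabled, prefix every value so a
    // user-supplied id="header" can never match the theme's #header rules.
    $config->set('Attr.EnableID', true);
    $config->set('Attr.IDPrefix', 'user-');

    // style= values always go through the CSS validator (which rejects
    // expression(), behavior and script URLs); this narrows what survives to
    // plain presentation. 'overflow' and 'position' are deliberately absent.
    $config->set('CSS.AllowedProperties',
        ['color', 'background-color', 'text-align', 'font-weight', 'width']);

    return new HTMLPurifier($config);
}

$purifier = build_purifier();

// Constructed samples: an ID that collides with a typical theme ID, and a
// style attribute mixing allowed and disallowed properties.
$samples = [
    '<div id="header" style="color: red; position: absolute;">hi</div>',
    '<p align="center" style="text-align: center; overflow: hidden;">centred</p>',
];

// Expected behaviour: id="header" comes out as id="user-header"; 'position'
// and 'overflow' are removed from the style attributes; the rest is kept.
foreach ($samples as $html) {
    echo $purifier->purify($html), "\n";
}
```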