Needs review
Project:
link node
Version:
7.x-1.x-dev
Component:
Code
Priority:
Normal
Category:
Feature request
Assigned:
Unassigned
Reporter:
Created:
4 Jun 2011 at 16:15 UTC
Updated:
22 Sep 2011 at 09:25 UTC
Jump to comment: Most recent file
Comments
Comment #1
TomChiverton commentedThanks for this.
Is it backwardly compatible ? So both syntaxes will work ? What exactly is the new syntax, and how does it differ from link_node's ability to already override things like 'title' ?
Also, you'll need to patch the documentation as well as the code.
Comment #2
jherencia commentedThe syntax remains the same so there is no need to update the documentation.
It is a different way to handle the input. With this fix you can set html attributes: class, style, etc using the current syntax.
Comment #3
TomChiverton commentedDo you have some examples of how this would work in practice ? What the new raw text would be ?
Comment #4
jherencia commented[node:1, title="new title", class="class1 class2", style="border-left:1px solid red;"]
Comment #5
jherencia commentedI've added the possibility to set html titles: like
Comment #6
pluess commentedThanks for the patch.
I had a look at the code which looks fine. Unfortunately I did not get it to work. I tried your example from #4, but the style property did not show up in the final markup. I debugged link_node_filter_link_node_process() which works as expected, but it seams that the attributes do get lost further down the road.
About the second patch: This opens a XXS vulnerability to untrusted users having the right to use the link_node filter. Since setting html=TRUE for the l function just passes on what the users enters. If this is not nice JavaScript code we will have a problem.
I'd say we don't integrate this. If we do we should protect this with a special access right which should only be given to trusted users as it's done for the PHP filter.
Comment #7
pluess commentedComment #8
TomChiverton commentedDo we need to worry about the XSS ? I mean, if the user can create content, they can already right the XSS...
Comment #9
jherencia commentedMaybe we can add some permission to do that.
Comment #10
pluess commentedI'd say yes. Think about drupal.org. We can create content, but everything we create is escaped.
It would be fine for me, if there's a permission which must be given to trusted users.
Comment #11
jherencia commentedI think that we can filter just allowing the reasonable options:
I haven't tested it but I think it may work.
Comment #12
TomChiverton commentedImg isn't safe (javascript: URLs spring to mind). Why don't we only allow HTML if the full-HTML input mode is being used ?
Comment #13
jherencia commentedfilter_xss checks that no javascript is inserted. Does it not?