
Add img to list of "allowed HTML tags" in Help text:

Project:Content Construction Kit (CCK)
Version:6.x-3.x-dev
Component:content.module
Category:feature request
Priority:normal
Assigned:Unassigned
Status:closed (fixed)

Issue Summary

When in "Manage fields" section of a custom content type, I need to be able to put images in the "help text" to help the users. (it worked in an earlier version of CCK). Where it lists...

Instructions to present to the user below this field on the editing form.
Allowed HTML tags: <a> <b> <big> <code> <del> <em> <i> <ins> <pre> <q> <small> <span> <strong> <sub> <sup> <tt> <ol> <ul> <li> <p> <br>

How can I add <img> to this list? I thought it was using the settings in the "filtered HTML" filter, I tried that... but it seems to have its own settings.

Comments

#1

Status:active» closed (fixed)

You need to add it to the filter settings... @see: /admin/settings/filters

#2

Sorry, I wasn't clear... I edited the Filtered HTML, and added the img tag...

That did not apply to the help field... the revised tag does not appear in the help field, and images cannot be placed.

I've attached some images to be clear.

I also tried other tags just to check.. no others work either. Does it work for you?

How can I edit the CCK allowed HTML tags for the help text?

Attachment          Size
help-editing.jpg    30.17 KB
added-img-tag.jpg   15.53 KB

#3

Status:closed (fixed)» active

not fixed yet.

#4

Category:support request» feature request

Hmm... yes I see now.. This isn't supported in CCK. I'll set it as a feature request... as I agree it should allow normal filter options instead of fixed filter options.

#5

hm.. is there... any other kinda work-around in the meantime? (short of editing the... module... *gulp*)

i kinda need this support for image in the help text... (upgrading from a 5.x site where images were supported...) not sure why that all was changed? alas.

#6

@heather, unfortunately not... I suggest you take a peek at _content_filter_xss_allowed_tags() around line 1509 of content.module. The change you need to make is just to add 'img' to the array. I need to speak with KarenS and Yched to determine if there is a rhyme and reason to the decision to add this fixed tag list.

#7

thank you, keep me posted :)

#8

hm...

i think i messed something up. this didn't work. i made the change to add the 'img' tag, and got this error when i enabled the module:

Fatal error: Class 'views_handler_filter_float' not found in /path/to/sites/all/modules/cck/includes/content.views.inc on line 187

however, when i disabled then re-uploaded the old module, i still get this error.

help?

#9

ah the error came from using the -dev version. it didn't like the change. or my site didn't like the latest dev version.

i was able to make this change with no trouble to the rc version.

but... can i still make the inclusion of 'img' to list of tags a feature request?

#10

IMG tags allow code inclusion or loading/embedding IFRAMEs with arbitrary code - this shouldn't be on a whitelist by default and you should also be VERY careful who has access to save data in your site with such a risky filter. I tend to WON'T FIX.

#11

IMG tags allow code inclusion or loading/embedding IFRAMEs with arbitrary code

- Citation needed?
Just because IMG uses SRC doesn't mean arbitrary code can be executed. Worst-case-scenario is a user-tracking web-bug, but that is NOT the same as code inclusion. Do you have any details on this idea?

#12

@hass... ah well.... who has access to the 'help' field in question? someone who can edit CCK content types... therefore we'd assume someone who is trusted. i can't think of a situation where i'd let an anonymous/untrusted user create a content type, or edit a content type.

so is there a kind of built-in security? i think we'd need to consider the context before saying that IMG is risky in this situation.

maybe that is why they opted for a hard-coded filter list, rather than allowing the ability to choose or edit the filter...

#13

@dman: as IMG has a SRC and you are able to add a link to an external site, you are able to add an IFRAME or other stuff like JS into the SRC. Your iframe is then able to add everything and could try to add trojans, JS, etc. to your site. This is a real issue as you don't have control over what URLs your users are adding to new content or not. This will become an XSS hole...

@heather: I read the above - that you'd like to add IMG as an allowed tag to new user generated content. Maybe I read something wrong... but in such a case, if you added IMG to the allowed tags list for content written by users - you are open to an XSS.

#14

@hass.. ah naw, i was looking for a way to allow img to the "help" text..

i made a screen grab so it's more clear.

http://drupal.org/files/issues/help-editing.jpg

#15

@hass
Sorry, that's just false.
IMG tags do not render IFRAMES on any known browser, nor can you game any XSS by sending scripts in place of image binaries.

I can see where you could imagine this possibility, but it doesn't work that way.
You can be worried about the content of the pictures shown in the image :-B, and, like I said, web-bugs, but that's about it.

#16

Status:active» fixed

I added 'img' to the list.
(also in 5.x-1.9)

#17

wo0t! thank you :)

#18

Status:fixed» closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.

#19

Status:closed (fixed)» fixed

@dman: You can load a full website in an image tag. You simply need to add a link. You can also add any dynamic script to the image tag that makes a redirect to arbitrary code and injects code. Load flash in the linked website and so on and so on. By this way I think any tag that allows loading anything from external could be used to do arbitrary stuff. The IMG tag does no mime type check or security checks on whether the URL it links to is an image without malicious code.

Aside - you can inject malicious code into a TIF image and other IMG formats... and load malicious code. IE users have been attacked in this way in the past. If I'm a malicious or ingenuous help text writer who links to images I found around the world - cool - you gave me what I need - now this writer can attack other users. In a view on d.o. I think you cannot control 300.000 users - or have an eye on all help text writers.

#20

Citation needed.

<img src="http://badguy.url/" />
<img src="http://badguy.url/exploit.js" />
<img src="http://badguy.url/exploit.swf" />
Those attempts do not render and do not execute. The files may travel across the wires, but they do not enter the browser sandbox, let alone allow XSS.

Inaccurately pointing an img tag at a website URL is not the same thing as 'loading a full website'. It just breaks.

Script in image tags (or any element) is a different issue, and that's stripped out in a different part of the filter.

There was historically a potential buffer overflow described as being possible in some badly implemented image handlers, yes, but that's not at all the same thing as XSS, or even scripting. The web would be a much scarier place than it already is if you actually believe that looking at a picture can do arbitrary malicious stuff. How do you surf?
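
The point made in #15 and #20 is that an `<img>` tag in an allowlist is only as safe as the rest of the filter: the tag itself cannot run script, but the filter must still strip event-handler attributes and non-http(s) URLs from it. The following is an added, stand-alone illustration of that policy, written for this thread and not taken from Drupal's filter_xss() or from content.module. It uses the CCK tag list quoted in the issue summary plus 'img', and the per-tag attribute allowlist (ALLOWED_ATTRS) is an assumption for the example; the sample inputs are constructed.

```python
"""Allowlist HTML sanitizer for CCK-style help text (added example, not Drupal code).

Policy: keep only tags on a fixed allowlist, keep only a few attributes per tag,
drop every on* attribute, and keep URL attributes only when the scheme is
http, https, or absent (relative path). With those rules, allowing <img> does
not reopen XSS, which is the defender's point behind comments #15 and #20.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The CCK allowlist from the issue summary, plus 'img' as added in #16.
ALLOWED_TAGS = {
    'a', 'b', 'big', 'code', 'del', 'em', 'i', 'ins', 'pre', 'q', 'small',
    'span', 'strong', 'sub', 'sup', 'tt', 'ol', 'ul', 'li', 'p', 'br', 'img',
}
# Attributes kept per tag: an assumption for this example, not Drupal's rules.
ALLOWED_ATTRS = {
    'a': {'href', 'title'},
    'img': {'src', 'alt', 'title', 'width', 'height'},
    'q': {'cite'},
}
URL_ATTRS = {'href', 'src', 'cite'}
VOID_TAGS = {'br', 'img'}


def safe_url(value):
    """True only for http(s) URLs or relative paths; any other scheme
    (javascript:, data:, vbscript:, ...) is rejected."""
    scheme = urlsplit(value.strip()).scheme.lower()
    return scheme in ('', 'http', 'https')


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # tag dropped; its text content still arrives via handle_data
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith('on') or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # event handlers and unlisted attributes never survive
            if value is None:
                continue
            if name in URL_ATTRS and not safe_url(value):
                continue  # e.g. src="javascript:..." is removed, the <img> stays
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        closer = ' /' if tag in VOID_TAGS else ''
        self.out.append('<%s%s%s>' % (tag, ''.join(kept), closer))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            # close anything left open inside this tag, then the tag itself
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append('</%s>' % t)
                if t == tag:
                    break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    def close(self):
        super().close()
        while self.open_tags:  # balance tags the author left open
            self.out.append('</%s>' % self.open_tags.pop())


def sanitize(html):
    """Return the allowlisted, re-serialized form of the help text."""
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return ''.join(p.out)


if __name__ == '__main__':
    # Constructed help-text samples: a legitimate image and two that must lose parts.
    for sample in (
        '<p>Upload a <b>PNG</b>: <img src="http://example.com/help.png" alt="example" /></p>',
        '<img src="x" onerror="evil()">',
        '<img src="javascript:evil()">',
        '<iframe src="http://example.com/"></iframe>see above',
    ):
        print(sanitize(sample))
```

The image pointing at an http URL survives unchanged, while the event handler, the javascript: source and the iframe are dropped without touching the surrounding text; that separation of "which tags" from "which attributes and URLs" is the "different part of the filter" referred to in #20.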

#21

#22

Yep, a fellow says he has discovered a way to make IE6 pre-SP2 crash by sending it a bad jpeg.
You know how many ways there were to make IE6 crash? Finding another is no big deal.

The jump from "falls over" (big deal) to "place unexpected code in a buffer overflow" (which looks like what the unproven speculation is in that article) to "run any arbitrary code in the web by linking to it" (which is your claim) is just too huge.

I conceded that bad image handlers have been known to fail, but that is (as you said above) an Aside.
Is that the only example you could find to back up these wild claims?

IMG tags allow code inclusion or loading/embedding IFRAMEs with arbitrary code

You can load a full website in an image tag. You simply need to add a link.

I'll say again. That's not true.

#23

Status:fixed» closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.

#24

Version:6.x-2.0-rc4» 5.x-1.10

Thank you so much for #6! When I also upgraded to 5.x - 1.10 the <font> tag I was using also stopped working. I added per the instruction and it now works again.

#25

Version:5.x-1.10» 6.x-3.x-dev
Status:closed (fixed)» needs work

hi,

IMHO the current situation regarding this "problem" is not optimal.

I am willing to implement a generic setting for cck that would allow the user to select an input filter that would be used for these fields.

Would one of the maintainers patch such a change to the main tree or is this not what you want?

#26

I would love to be able to edit the available tags in the cck help text. All it needs is a warning. IMHO there is no need to protect us from ourselves.

#27

Here's a suggested quick modification. This lets me expand the set of allowed tags by setting $conf['content_help_allowed_tags'] in settings.php

Index: modules/cck/content.module
===================================================================
--- modules/cck/content.module (revision 18866)
+++ modules/cck/content.module (working copy)
@@ -1755,7 +1755,7 @@
  * List of tags allowed by content_filter_xss().
  */
function _content_filter_xss_allowed_tags() {
-  return array('a', 'b', 'big',  'code', 'del', 'em', 'i', 'ins',  'pre', 'q', 'small', 'span', 'strong', 'sub', 'sup', 'tt', 'ol', 'ul', 'li', 'p', 'br', 'img');
+  return variable_get('content_help_allowed_tags', array('a', 'b', 'big',  'code', 'del', 'em', 'i', 'ins',  'pre', 'q', 'small', 'span', 'strong', 'sub', 'sup', 'tt', 'ol', 'ul', 'li', 'p', 'br', 'img'));
}
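Review bot: the new return line passes back whatever is stored in `content_help_allowed_tags` with no check that it is an array, so a site that sets `$conf['content_help_allowed_tags']` to a string in settings.php, or stores one via variable_set(), hands a non-array to the caller the docblock names (`content_filter_xss()`); suggest validating with `is_array()` and falling back to the default list otherwise. The docblock above (` * List of tags allowed by content_filter_xss().`) should also state that the list can now be overridden from settings.php and that any tag placed there, including ones the earlier comments argued over, bypasses the fixed list entirely.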

#28

Subscribing.

#37

Status:needs work» closed (fixed)

I thought the issue had been fixed a long time ago. New issues should go into new cases.
