Closed (won't fix)
Project:
WYSIWYG Filter (D7)
Version:
6.x-1.3
Component:
User interface
Priority:
Normal
Category:
Feature request
Assigned:
Unassigned
Reporter:
Created:
6 Aug 2009 at 16:38 UTC
Updated:
9 Dec 2011 at 16:08 UTC
Comments
Comment #1
markus_petrux commented:
We should provide a method to ensure that anything not blacklisted has the correct format, does not contain anything that could cause harm, etc.
Embed (and Object) HTML tags are not easy to parse, and that's why I did not implement those; hence they are included in the hard-coded blacklist.
The alternative is to use an input format filter that provides a macro of some sort that can be used to embed videos, Flash, etc.
Comment #2
greg.harvey commented:
I actually think this is a good idea:
http://drupal.org/node/847512#comment-3663370
Comment #3
miiimooo commented:
Doesn't exist though, so I think most people will just use Full HTML and not care about security. My $0.02.
Comment #4
rv0 commented:
It would be great if we could edit the blacklisted elements.
Embedding uploaded .flv media with the WYSIWYG editor is something a lot of professional clients request frequently.
Now we just have to give them Full HTML.
Comment #5
miiimooo commented:
I think I understand your security concerns, but at the same time we do give people Full HTML instead, and then there's also PHP, etc. The right way to do this would be a special permission, but even that doesn't make sense, as input formats are linked to roles anyway.
Comment #6
miiimooo commented:
I have rolled a patch that allows the administrator to configure which elements of the hard-coded blacklist should be allowed. This adds a new collapsed fieldset, called "Un-blacklist", to the end of the filter configuration form.
I hope it makes it clear enough that this is a security issue. Would it be possible to include this patch?
Comment #7
markus_petrux commented:
Sorry, your patch is equivalent to granting access to Full HTML, because when you allow an HTML element you're not validating its format, so you're opening the door to any use of that element.
To properly address this request, all non-blacklisted elements should be properly validated. But that means adding more complexity to this module, which is something I won't do. There are other similar modules that may cover this kind of case. Check out htmLawed or HTML Purifier.
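The distinction drawn in the comment above, between merely removing a tag from the blacklist and actually validating the tag's format, is easy to see in code. The following is an added illustration written for this page in Python; it is not code from the WYSIWYG Filter module or from the patch under discussion, and the allowlisted host, MIME types, attribute set and sample markup are all constructed for the demo. It contrasts three treatments of `<embed>`/`<object>`: the hard-coded blacklist as it stands, an "un-blacklist" that lets the tag through untouched, and a validator that only passes the tag when every attribute matches an explicit policy.

```python
"""Added illustration, not code from the WYSIWYG Filter module.

Three ways to treat <embed>/<object> in a tag filter:
  strip_blacklisted  - the hard-coded blacklist wins, the tag is always dropped.
  unblacklisted      - the "Un-blacklist" idea: the tag passes through untouched.
  validated          - the tag passes only if its attributes match an allowlist.
Policy values (host, MIME types, attributes) and the sample markup are
constructed for the demo and are not taken from the module.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

HARDCODED_BLACKLIST = {"script", "iframe", "embed", "object"}

# Hypothetical policy for a validated media embed.
ALLOWED_HOSTS = {"cdn.example.com"}
ALLOWED_TYPES = {"video/x-flv", "application/x-shockwave-flash"}
ALLOWED_ATTRS = {"src", "data", "type", "width", "height"}


def media_attrs_valid(attrs):
    """Accept only an https URL on an allowlisted host, a known MIME type,
    numeric dimensions and no other attributes (so no on* event handlers)."""
    a = dict(attrs)
    if set(a) - ALLOWED_ATTRS:
        return False
    parsed = urlparse(a.get("src") or a.get("data") or "")
    if parsed.scheme != "https" or parsed.hostname not in ALLOWED_HOSTS:
        return False
    if a.get("type") not in ALLOWED_TYPES:
        return False
    return all(a[d].isdigit() for d in ("width", "height") if d in a)


class TagFilter(HTMLParser):
    """Re-serialises markup, dropping blacklisted tags and any tag whose
    validator rejects its attributes. Text inside a dropped tag is kept as
    inert text; comments are dropped."""

    def __init__(self, blacklist, validators):
        super().__init__(convert_charrefs=False)
        self.blacklist = blacklist
        self.validators = validators
        self.out = []
        self.dropped = {}  # tag name -> number of open dropped start tags

    def handle_starttag(self, tag, attrs):
        check = self.validators.get(tag)
        if tag in self.blacklist or (check is not None and not check(attrs)):
            self.dropped[tag] = self.dropped.get(tag, 0) + 1
            return
        rendered = "".join(
            f" {k}" if v is None else f' {k}="{escape(v, quote=True)}"'
            for k, v in attrs
        )
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        if self.dropped.get(tag, 0) > 0:
            self.dropped[tag] -= 1  # swallow the matching close tag
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def result(self):
        return "".join(self.out)


def run_filter(markup, blacklist, validators=None):
    f = TagFilter(blacklist, validators or {})
    f.feed(markup)
    f.close()
    return f.result()


def strip_blacklisted(markup):
    return run_filter(markup, HARDCODED_BLACKLIST)


def unblacklisted(markup):
    # Remove embed/object from the blacklist without validating them.
    return run_filter(markup, HARDCODED_BLACKLIST - {"embed", "object"})


def validated(markup):
    return run_filter(
        markup,
        HARDCODED_BLACKLIST - {"embed", "object"},
        {"embed": media_attrs_valid, "object": media_attrs_valid},
    )


# Constructed sample: one legitimate FLV embed and three that abuse the tag.
SAMPLE = (
    "<p>Hello &amp; welcome</p>"
    '<embed src="https://cdn.example.com/clip.flv" type="video/x-flv" width="320" height="240"></embed>'
    '<embed src="javascript:alert(1)" type="video/x-flv"></embed>'
    '<embed src="https://evil.example.net/x.swf" type="application/x-shockwave-flash"></embed>'
    '<embed src="https://cdn.example.com/clip.flv" type="video/x-flv" onload="alert(1)"></embed>'
)

if __name__ == "__main__":
    print("blacklisted  :", strip_blacklisted(SAMPLE))
    print("unblacklisted:", unblacklisted(SAMPLE))
    print("validated    :", validated(SAMPLE))
```

Run on the sample, `unblacklisted` returns the markup unchanged, `javascript:` URL, attacker host and `onload` handler included, which is what "equivalent to Full HTML for that element" means in practice; `validated` keeps only the first embed. The validator here covers the attribute form of `<object>` only: a real implementation would also have to validate nested `<param>` elements (a `movie` or `src` param can point anywhere), which is the parsing complexity the comment above refers to.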
Comment #8
miiimooo commented:
To explain: I'm using this module on a dozen sites to selectively strip out HTML tags and attributes that would otherwise mess up the layout CSS. It's excellent at this! I've tried the two other ones before, but it's just not the same.
Comment #9
rv0 commented:
I agree with miiimooo: it makes more sense to allow some tags and WARN clearly about their implications.
Comment #10
tstackhouse commented:
I'd like to add my 2¢ here as well. It would be a much better option to explicitly warn about the implications of using these tags rather than outright banning them. This module seems perfectly suited to my needs otherwise.