It would be great to have a way of editing the blacklist in wysiwyg_filter_get_elements_blacklist without having to modify the code or maybe embed shouldn't be blacklisted as it is used to insert flash (in fckeditor).

Comments

markus_petrux

Status: Active » Closed (won't fix)

We should provide a method to ensure anything not blacklisted has the correct format, it does not contain anything that could cause harm, etc.

Embed (and Object) HTML tags are not easy to parse, and that's why I did not implement those, hence included in the hardcoded blacklist.

The alternative is to use an input format filter that provides a macro of some sort that can be used to embed videos, flash, etc.

greg.harvey

I actually think this is a good idea:
http://drupal.org/node/847512#comment-3663370

miiimooo

Doesn't exist though, so I think most people will just use Full HTML and not care about security... my $0.02

rv0

It would be great if we could edit the blacklisted elements.
Embedding uploaded .flv media with the Wysiwyg editor is something a lot of professional clients request frequently.
Now we just have to give them Full HTML.

miiimooo

I think I understand your security concerns, but at the same time we do give people Full HTML instead, and then there's also PHP etc. The right way to do this would be either a special permission, but even that doesn't make sense as input formats are linked to roles anyway.

miiimooo

Status: Closed (won't fix) » Needs review
Attached file: new, 3.7 KB

I have rolled a patch that allows the administrator to configure which elements of the hard-coded blacklist should be allowed. This adds a new collapsed fieldset to the end of the filter configuration form called "Un-blacklist".

I hope it makes it clear enough that this is a security issue. Would it be possible to include this patch?

markus_petrux

Status: Needs review » Closed (won't fix)

Sorry, your patch is equivalent to granting access to Full HTML because when you allow an HTML element you're not validating its format, so you're opening the door to any use of that element.

To properly address this request, all non-blacklisted elements should be properly validated. But that means adding more complexity to this module, which is something I won't do. There are other similar modules that may cover these kinds of cases. Check out htmlLawed or HTML Purifier.
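One way to do what markus_petrux describes, validating a non-blacklisted element instead of simply un-blacklisting it, as an added example that is not the module's code and not the attached patch. The site policy (local .flv/.swf files under /sites/, a fixed attribute list, numeric dimensions), the deliberately strict attribute parser that drops any tag it cannot read cleanly, and the function names are all assumptions.

```php
<?php
// Added example, not wysiwyg_filter code: instead of un-blacklisting <embed>,
// rebuild each <embed> from a validated attribute set and drop any that fails.
// Policy is an assumption: site-local .flv/.swf only, fixed attributes, numeric sizes.
define('EMBED_SRC_PATTERN', '#^/sites/[a-z0-9_/-]+\.(flv|swf)$#i');
function embed_attribute_is_valid($name, $value) {
  switch ($name) {
    case 'src':
      return (bool) preg_match(EMBED_SRC_PATTERN, $value);
    case 'type':
      return in_array($value, array('video/x-flv', 'application/x-shockwave-flash'), TRUE);
    case 'width':
    case 'height':
      return (bool) preg_match('/^[1-9][0-9]{0,3}$/', $value);
  }
  return FALSE; // any attribute outside the fixed list rejects the element
}
// Strict parser: only quoted name="value" pairs; anything left over means
// the tag was not parsed cleanly and the caller drops it rather than guessing.
function parse_embed_attributes($raw, &$attrs) {
  $attrs = array();
  $pattern = '/\s+([a-z][a-z0-9\-]*)\s*=\s*(?:"([^"<>]*)"|\'([^\'<>]*)\')/i';
  $rest = preg_replace_callback($pattern, function ($m) use (&$attrs) {
    $attrs[strtolower($m[1])] = isset($m[3]) ? $m[3] : $m[2];
    return '';
  }, $raw);
  return trim($rest, " \t\r\n/") === '';
}
function filter_embed_elements($html) {
  return preg_replace_callback('/<embed\b([^>]*)>?/i', function ($m) {
    if (!parse_embed_attributes($m[1], $attrs) || !isset($attrs['src'])) {
      return ''; // unparseable or without a source: drop the element
    }
    $out = '<embed';
    foreach ($attrs as $name => $value) {
      if (!embed_attribute_is_valid($name, $value)) {
        return ''; // one bad attribute drops the whole element, not just the attribute
      }
      $out .= ' ' . $name . '="' . htmlspecialchars($value, ENT_QUOTES) . '"';
    }
    return $out . ' />';
  }, $html);
}
// Constructed sample: one acceptable embed, one remote source, one extra attribute.
$sample = '<p>Intro</p>'
  . '<embed src="/sites/default/files/intro.flv" type="video/x-flv" width="320" height="240" />'
  . '<embed src="http://example.com/remote.swf" width="1" height="1">'
  . '<embed src="/sites/default/files/intro.swf" flashvars="x=1">';
print filter_embed_elements($sample) . "\n";
```

Only the first embed survives: the remote source and the attribute outside the list each cause their whole element to be dropped, which is the difference between validating an element and merely allowing it.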

miiimooo

To explain: I'm using this module on a dozen sites to selectively strip out HTML tags and attributes that would otherwise mess up the layout CSS. It's excellent at this! I've tried the two other ones before, but it's just not the same.

rv0

I agree with miiimooo: it makes more sense to allow some tags and WARN about their implications clearly.

tstackhouse

I'd like to add my 2¢ here as well. It would be a much better option to explicitly warn about the implications of using these tags rather than outright banning them. This module seems perfectly suited to my needs otherwise.