HTML Filter Removing tag attributes
budda - July 26, 2006 - 17:34
I'm using the HTML Filter and TInyMCE to control what HTML content gets published on a site.
When centring images via TinyMCE it wraps a <div style="text-align: center"></div> around them. Adding the tag to the allowed list works.
When viewing a node the <div></div> is in the HTML, but it has stripped out the 'style' attribute. Is there a way to prevent this - without having to all full HTML for the users?
README
In the documentation contained within the TinyMCE module, you will find directions on how to deal with this.
Basically, you have not fully installed & configured TinyMCE :)
You should have an Input Format associated with TinyMCE that does not an HTML Filter (or line breaks either). The buttons you place in TinyMCE control the HTML that can be used.
Hmm. I hoped that by adding
Hmm. I hoped that by adding the corresponding HTML tags to the filter list I could still control what people entered. The reason being that I also include the HTML button in TinyMCE so that authors can tweak content as required when TinyMCE gets messy.
I guess I'll just need to use Full HTML after all them.
Where in install text?
I am also having this problem and the install text doesn't address the issue.
I set up a Rich Text input format, and it's configured to allow the div tag. But the problem isn't the tag itself, but rather its attributes. So the end result is the allowance of the div tag itself, but stripped away all of its attributes.
Therefore (div style="text-align: center") gets converted to just (div).
Problem Solved
The TinyMCE install text and the Drupal description of Input Formats are not very clear. Drupal implies that Input Format control code at the tag level, but in the case of TinyMCE, it is the attributes that are infact being filtered. So your div tags are accepted, but without any attributes.
To correct this problem, navigate to Settings, Input Formats. Select to configure your input format and deselect the HTML filter.
Solved???
You're joking syquest?!?
So the problem is that a user wants to use the html filter to filter out any unwanted tags and also allow some "valid" tags to have attributes such as style. Unfortunately though, the html filter strips the style attribute "for security reasons". Let me see if I understand the solution right, remove the html filter so all tags & all attributes are allowed...
Hmm, so how is that a more secure solution? Am I missing something here?
There seems to be a good reason for this
I was a bit frustrated by this problem to begin with. I'd ideally like some less priviledged authors to be able to use FCKeditor but still filter their HTML.
However, a bit of Googling revealed the following:
http://www.tagendtag.com/node/716
Apparently, some daft browsers allow JavaScript to be executed within CSS - so it would be a genuine security risk to allow style attributes through. This is annoying, but it seems our spleen should be vented at the makers of IE, not Drupal.
--
Mark
flet.org
can anyone answere to budda's question ?
Good remark. I googled for an entire day, but ..nothing.. until now. I just guesed what is described in the link you posted above, but I was not sure (drupal's "filtered html" input mode strips the style atribute from every tag). Thank's for that explicit link, wiggleroom .
Anyway, for the knowledge, can anyone answere to budda's question ?
Where gets the style atrribute stripped, in what function, from what file? Does anybody know?
... Maybe function _filter_xss_attributes($attr) from filter.module file !?
I have searched in the drupal source but not figure it out yet since I am not a good php programmer
Thanks and sory if my english was bad
later edited:
I found this links later.
http://www.cwrl.utexas.edu/book/export/html/927 (I think this helps too )
http://api.drupal.org/api/function/filter_xss/5
and i think that drupal's core module "filter" should be more explicit in his configuration page about the stripping of style attribute.
So other users of drupal, like me too, should not loose an entire day to post content and edit and activate and deactivate filters again and again to see that something's not working right and hardly find out after one day that
the style atribute get's stripped from every tag in filtered html
Improve style-stripping filter?
...surely it should be possible to modify the style-stripping filter so it only throws out javascript-containing styles?
Mark
flet.org
you could look at the HTML
you could look at the HTML Purifier module. Use it instead of the regular HTML filter. It pulls out badness, but leaves your friendly styles in place.
html purifier is great! thank
html purifier is great!
thank you for this suggestion!
HTML Filter strips tags from style
Hi there.
HTML Filter strips properties from within the Style tag.
This write-up details how to configure FCKEditor to work around the HTML Filter issue.
http://drupal.fckeditor.net/filters
Don't know if the same is possible TinyMCE.