This was reported to me in IRC via xjm. This'll be easier to explain with a screenshot:
As you can see, Filtered HTML is selected, and the list of tags is the following:
<a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd> <br> <p> <img> <pre>
a, em, strong, ul, ol, li are inline elements, covered by the buttons on the toolbar.
pre and p are block-level elements, covered by the drop-down.
br is taken care of by pressing "enter."
img is in the "insert" tab (not pictured)
Missing, however, is the ability to do cite, blockquote, code, dl/dt/dd. And despite there being no hX tags enabled, there are nonetheless h1 -> h5 tags shown in the block-level dropdown. This should not be, as far as I can tell?
Filtered HTML will filter out disallowed tags, so I don't think there's an actual security problem here, but we should not expose things to users that are going to get stripped out when they save the form. Additionally, since there's no way for someone to hand-edit the HTML to manually add in the tags that are missing buttons, I believe the lack of buttons/something for the identified tags here makes this a regression in functionality, and thus a critical bug.
Comment | File | Size | Author |
---|---|---|---|
aloha-screenshot.png | 84.6 KB | webchick |
Comments
Comment #1
quicksketchI looked into this problem and tried to figure out what's going on with the way buttons are initialized. The result... I would say is troubling.
Instead of providing different configurations to Aloha based on each text format, we use *a single, generic, global* configuration for all text formats. Then after the editor is constructed, we use a plugin to hide all the inapplicable buttons.
Here's the code that hides inapplicable buttons:
This has multiple problems:
- This is only hiding the buttons. It's not informing Aloha's filtering system that those tags are not allowed.
- If we had multiple editors on the page at the same time, there's no scoping on this selector so it would affect all of them.
- It doesn't affect the block format dropdown, as @webchick reports. Because Aloha does not put adequate classes on each of the block format options, we can't use the same "just hide it" approach for block formats.
What *should* happen here is that we should construct different Aloha configurations for each text format and initialize the editor based on the appropriate text format, rather than initializing the editor with a generic profile and then trying to clean it up through a plugin.
Comment #2
quicksketchMarked #1741260: drupal-plugin.js should also update the p/h1/h2/…/h6/pre dropdown duplicate.
Comment #3
Wim LeersJust so you know, you can expect a very solid update on this issue tomorrow. I just couldn't wrap it up today :(
Comment #4
Wim Leers@webchick:
RE: disallowed tags still being listed: this issue was already a long-known critical bug/TODO: #1741260: drupal-plugin.js should also update the p/h1/h2/…/h6/pre dropdown. I didn't work on it earlier because back then it wasn't clear yet if this was going to be the final UI.
This has now been fixed: http://drupalcode.org/project/aloha.git/commit/f4a6386.
<code>
tag, but in practice this is unfortunately not the case. Reported upstream: https://github.com/alohaeditor/Aloha-Editor/issues/783.<cite>
isn't being tested yet by_aloha_calculate_allowed_html()
(which was only introduced recently: #1815246: Stop relying on filter_get_allowed_tags_by_format(), figure out which tags & attributes are allowed through blackbox testing). I've now added this: http://drupalcode.org/project/aloha.git/commit/a7d45d1.<input type="text" />
in the "main" toolbar UI. However, that's suboptimal use of our time because Aloha's moving away from that UI implementation to a different one that will make all of that much easier: #1789240: Ensure Aloha Editor UI can be *always* present, not only when actively editing ("static toolbar", prevents flashing).Correct: there's no security problem (and that's intentional: Aloha Editor/any JS can do crazy, evil things, and it'll all still be safe for end users who just read the resulting content). And of course: agreed.
@quicksketch:
In short: I couldn't agree more. A better solution has been possible for a while, I just hadn't gotten around to doing that yet. That's done now. You'll like this much better :)
Please see #1806492-1: Make the 'Drupal' plug-in for AE obsolete or at least significantly easier to maintain.
Correct. But I'll take the blame for that one, Aloha shouldn't. See the first sentence I replied to @webchick.
Plus, I've also fixed that :)
Looking forward to your continued feedback, @quicksketch! :)
When porting this to D7, port:
- http://drupalcode.org/project/aloha.git/commit/f4a6386
- http://drupalcode.org/project/aloha.git/commit/a7d45d1
Comment #5
Wim LeersI ran into undefined index errors only after publishing the above; fixed now: http://drupalcode.org/project/aloha.git/commit/6ec3b3d.