Block-level tag drop-down not correctly showing/filtering options based on enabled tags [#1825214]

This was reported to me in IRC via xjm. This'll be easier to explain with a screenshot:

As you can see, Filtered HTML is selected, and the list of tags is the following:

<a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd> <br> <p> <img> <pre>

a, em, strong, ul, ol, li are inline elements, covered by the buttons on the toolbar.
pre and p are block-level elements, covered by the drop-down.
br is taken care of by pressing "enter."
img is in the "insert" tab (not pictured)

Missing, however, is the ability to do cite, blockquote, code, dl/dt/dd. And despite there being no hX tags enabled, there are nonetheless h1 -> h5 tags shown in the block-level dropdown. This should not be, as far as I can tell?

Filtered HTML will filter out disallowed tags, so I don't think there's an actual security problem here, but we should not expose things to users that are going to get stripped out when they save the form. Additionally, since there's no way for someone to hand-edit the HTML to manually add in the tags that are missing buttons, I believe the lack of buttons/something for the identified tags here makes this a regression in functionality, and thus a critical bug.

Comment	File	Size	Author
	aloha-screenshot.png	84.6 KB	webchick

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

quicksketch

he/him

CreditAttribution: quicksketch commented 28 October 2012 at 20:11

I looked into this problem and tried to figure out what's going on with the way buttons are initialized. The result... I would say is troubling.

Instead of providing different configurations to Aloha based on each text format, we use *a single, generic, global* configuration for all text formats. Then after the editor is constructed, we use a plugin to hide all the inapplicable buttons.

Here's the code that hides inapplicable buttons:

            if (elementMapping.hasOwnProperty(element) && $.inArray(element, allowedTags) === -1) {
              $('span.ui-button-icon-primary[data-html-tag="' + elementMapping[element] + '"]')
                .closest('button')
                .addClass('aloha-drupal-ui-state-hidden');
            }

This has multiple problems:

- This is only hiding the buttons. It's not informing Aloha's filtering system that those tags are not allowed.
- If we had multiple editors on the page at the same time, there's no scoping on this selector so it would affect all of them.
- It doesn't affect the block format dropdown, as @webchick reports. Because Aloha does not put adequate classes on each of the block format options, we can't use the same "just hide it" approach for block formats.

What *should* happen here is that we should construct different Aloha configurations for each text format and initialize the editor based on the appropriate text format, rather than initializing the editor with a generic profile and then trying to clean it up through a plugin.

Comment #2

quicksketch

he/him

CreditAttribution: quicksketch commented 28 October 2012 at 21:12

Marked #1741260: drupal-plugin.js should also update the p/h1/h2/…/h6/pre dropdown duplicate.

Comment #3

Wim Leers

Ghent 🇧🇪🇪🇺

CreditAttribution: Wim Leers commented 29 October 2012 at 22:22

Just so you know, you can expect a very solid update on this issue tomorrow. I just couldn't wrap it up today :(

Comment #4

Wim Leers

Ghent 🇧🇪🇪🇺

CreditAttribution: Wim Leers commented 30 October 2012 at 23:50

Version:	8.x-2.x-dev	» 7.x-2.x-dev
Assigned:	Unassigned	» Wim Leers
Status:	Active	» Patch (to be ported)

@webchick:

Missing, however, is the ability to do cite, blockquote, code, dl/dt/dd. And despite there being no hX tags enabled, there are nonetheless h1 -> h5 tags shown in the block-level dropdown. This should not be, as far as I can tell?

RE: disallowed tags still being listed: this issue was already a long-known critical bug/TODO: #1741260: drupal-plugin.js should also update the p/h1/h2/…/h6/pre dropdown. I didn't work on it earlier because back then it wasn't clear yet if this was going to be the final UI.

This has now been fixed: http://drupalcode.org/project/aloha.git/commit/f4a6386.

RE: code: the docs say that Aloha core's "format" plug-in supports the <code> tag, but in practice this is unfortunately not the case. Reported upstream: https://github.com/alohaeditor/Aloha-Editor/issues/783.
RE: dl/dt/dd: there's no direct Aloha plug-in available for this, but should be easy enough to add. Reported upstream: https://github.com/alohaeditor/Aloha-Editor/issues/784.
RE: cite/blockquote. This one has a less clear answer.
1. <cite> isn't being tested yet by _aloha_calculate_allowed_html() (which was only introduced recently: #1815246: Stop relying on filter_get_allowed_tags_by_format(), figure out which tags & attributes are allowed through blackbox testing). I've now added this: http://drupalcode.org/project/aloha.git/commit/a7d45d1.
2. Aloha's format plug-in doesn't really support it: https://github.com/alohaeditor/Aloha-Editor/issues/785.
3. http://aloha-editor.org/guides/plugin_cite.html does support this explicitly. However, it uses Aloha's "sidebar" UI which we are explicitly disabling/not using. It is possible to override the cite plug-in to not use the sidebar, but to use an <input type="text" /> in the "main" toolbar UI. However, that's suboptimal use of our time because Aloha's moving away from that UI implementation to a different one that will make all of that much easier: #1789240: Ensure Aloha Editor UI can be *always* present, not only when actively editing ("static toolbar", prevents flashing).

Filtered HTML will filter out disallowed tags, so I don't think there's an actual security problem here, but we should not expose things to users that are going to get stripped out when they save the form.

Correct: there's no security problem (and that's intentional: Aloha Editor/any JS can do crazy, evil things, and it'll all still be safe for end users who just read the resulting content). And of course: agreed.

@quicksketch:

I looked into this problem and tried to figure out what's going on with the way buttons are initialized. The result... I would say is troubling.

Instead of providing different configurations to Aloha based on each text format, we use *a single, generic, global* configuration for all text formats. Then after the editor is constructed, we use a plugin to hide all the inapplicable buttons.

This has multiple problems:

- This is only hiding the buttons. It's not informing Aloha's filtering system that those tags are not allowed.
- If we had multiple editors on the page at the same time, there's no scoping on this selector so it would affect all of them.

What *should* happen here is that we should construct different Aloha configurations for each text format and initialize the editor based on the appropriate text format, rather than initializing the editor with a generic profile and then trying to clean it up through a plugin.

In short: I couldn't agree more. A better solution has been possible for a while, I just hadn't gotten around to doing that yet. That's done now. You'll like this much better :)

Please see #1806492-1: Make the 'Drupal' plug-in for AE obsolete or at least significantly easier to maintain.

- It doesn't affect the block format dropdown, as @webchick reports. Because Aloha does not put adequate classes on each of the block format options, we can't use the same "just hide it" approach for block formats.

Correct. But I'll take the blame for that one, Aloha shouldn't. See the first sentence I replied to @webchick.
Plus, I've also fixed that :)

Looking forward to your continued feedback, @quicksketch! :)

When porting this to D7, port:
- http://drupalcode.org/project/aloha.git/commit/f4a6386
- http://drupalcode.org/project/aloha.git/commit/a7d45d1