Filters out URLs no matter what you put into the filter settings.

This module filters out urls like background-image: url(http://example.com/image.jpg) no matter what you put in the "allowed URLs" box, because it tosses out anything with a non-standard protocol, and url(http isn't an allowed protocol. Since this module has it's own xss protocol filter, I patched this bug by allowing the protocols 'url(http', 'url("http', 'url(https', and 'url("https'.

Comment	File	Size	Author
#1	wysiwyg_filter-363284-1.patch	1.59 KB	markus_petrux
#1
	fix_url_removed_by_xss_bad_protocol.patch	1.14 KB	jamuraa

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

markus_petrux’s picture

Comment #1

markus_petrux CreditAttribution: markus_petrux commented 23 January 2009 at 19:44

File	Size
wysiwyg_filter-363284-1.patch	1.59 KB

Would you mind trying this one?

Function wysiwyg_filter_xss_bad_protocol() is not altered, but the caller is fixed instead.

Log in or register to post comments

Comment #2

jamuraa CreditAttribution: jamuraa commented 23 January 2009 at 20:44

This patch tests fine for me as well, and is the correct way to solve this issue, I should have done it this way.

Log in or register to post comments

markus_petrux’s picture

Comment #3

markus_petrux CreditAttribution: markus_petrux commented 24 January 2009 at 14:28

Status:

Needs review

» Reviewed & tested by the community

I'll commit this as soon as possible. Thanks

Log in or register to post comments

markus_petrux’s picture

Comment #4

markus_petrux CreditAttribution: markus_petrux commented 18 February 2009 at 16:08

Status:

Reviewed & tested by the community

» Fixed

Fixed in CVS.

Log in or register to post comments

markus_petrux’s picture

Comment #5

markus_petrux CreditAttribution: markus_petrux commented 18 February 2009 at 16:08

Status:

Fixed

» Closed (fixed)

Log in or register to post comments