How to control HTML user input preserving the "style" attributes?
Hello there,
I am creating an about_me.module to provide users with a customizable "about me" page. That page is to be very simple: a title field and a textarea for users to write whatever they want. Ideally, users should be able to customize their pages either by writing directly in HTML or by using TinyMCE.
The problem that I'm having is that the formatting added by TinyMCE (especially the "style" attributes) are being filtered out by filter.module. An alternative would be to not filter the HTML tags at all, but I'm afraid that would add potential risks to my website. Is there any solution for this problem? What would you recommend?
Thanks in advance,
Leo
Hi Leo,
Maybe you are interested in looking at the usernode or bio modules before you start off with another module with this functionality :)
Gabor
Hello there,
Thanks so much for recommending usernode and bio modules. However, none of those modules addresses the issue of controlling HTML tags with 'style' attributes...
Best,
Leo
----- Original Message -----
From: "Gabor Hojtsy" <gabor@hojtsy.hu>
To: <development@drupal.org>
Cc: <support@drupal.org>
Sent: Monday, October 23, 2006 10:43 AM
Subject: Re: [development] How to control HTML user input preserving the "style" attributes?
Hi Leo,
Maybe you are interested in looking at the usernode or bio modules before you start off with another module with this functionality :)
Gabor
the tinymce docs recommend using full html input format. if you don't want that, just add a whole bunch of tags to the allowed tags list for filtered html input format.
"Moshe Weitzman" wrote:
the tinymce docs recommend using full html input format. if you don't want that, just add a whole bunch of tags to the allowed tags list for filtered html input format.
Or read the thread you cross-posted to 'Support' (please pick one, first, and then post to the other after some reasonable time if you get no reply). There are already modules which do this. Gabor and I provided you with a few references so that you won't have to waste your time.
--
inkfree
Hello Moshe, thanks for your message.
I've already added a bunch of tags to the HTML filter, but the filter always removes the "style" attributes of those tags. I believe filter.module does that for security reasons. I'm just trying to figure out an alternative solution for that...
Best,
Leo
----- Original Message -----
From: "Moshe Weitzman" <weitzman@tejasa.com>
To: <development@drupal.org>
Sent: Monday, October 23, 2006 11:01 AM
Subject: Re: [development] How to control HTML user input preserving the "style" attributes?
the tinymce docs recommend using full html input format. if you don't want that, just add a whole bunch of tags to the allowed tags list for filtered html input format.
I believe filter.module does that for security reasons.
The reason why filter.module removes style tags is simple: some dumb browsers allow JavaScript inside stylesheets, for example "font-size:expression(prompt('Enter a font name:', 'Arial'));". Using that you could execute potentially harmful JavaScript code that allows for XSS.
Konstantin Käfer – http://kkaefer.com/
On 23 Oct 2006, at 7:13 PM, Konstantin Käfer wrote:
The reason why filter.module removes style tags is simple: some dumb browsers allow JavaScript inside stylesheets, for example "font-size:expression(prompt('Enter a font name:', 'Arial'));". Using that you could execute potentially harmful JavaScript code that allows for XSS.
and using the full html 'filter' lets them do that without having to jump through hoops even.
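A style-attribute sanitizer of the kind Leo is asking about, added here as an illustration; it is not code from Drupal's filter.module, TinyMCE, or the usernode/bio modules, and the function names and the property allowlist are assumptions. It keeps the formatting TinyMCE emits while dropping the expression() trick Konstantin describes, by allowlisting CSS properties and accepting only plain token values, so neither the filtered nor the full html format has to be loosened:

```php
<?php
// Added example, not Drupal's filter.module. Hypothetical helper names.
// Idea: instead of stripping style="" wholesale, keep only declarations
// whose property is on an allowlist and whose value is a plain token.

function about_me_sanitize_css($style) {
  // Assumed allowlist: what an "about me" page legitimately needs.
  static $allowed = array('color', 'background-color', 'font-size',
    'font-weight', 'font-style', 'font-family', 'text-align',
    'text-decoration', 'margin', 'padding');
  $safe = array();
  foreach (explode(';', $style) as $decl) {
    if (strpos($decl, ':') === FALSE) continue;
    list($prop, $value) = explode(':', $decl, 2);
    $prop = strtolower(trim($prop));
    $value = trim($value);
    if (!in_array($prop, $allowed)) continue;
    // Only letters, digits, #hex, %, dots, dashes, commas and spaces.
    // Parentheses, quotes, backslashes and slashes are refused, which
    // kills expression(...), url(...), \-escapes and /* */ comments.
    if (!preg_match('/^[a-zA-Z0-9#%.,\- ]+$/', $value)) continue;
    $safe[] = $prop . ': ' . $value;
  }
  return implode('; ', $safe);
}

// Rewrite every style="..." or style='...' attribute in a fragment through
// the sanitizer; the attribute is dropped when nothing survives. Tag
// allowlisting itself is still left to the input format's HTML filter.
function about_me_filter_styles($html) {
  return preg_replace_callback('/\sstyle\s*=\s*("([^"]*)"|\'([^\']*)\')/i',
    'about_me_filter_styles_cb', $html);
}

function about_me_filter_styles_cb($m) {
  $raw = isset($m[3]) ? $m[3] : $m[2];
  // Decode entities first so an encoded "(" cannot slip past the check.
  $clean = about_me_sanitize_css(html_entity_decode($raw, ENT_QUOTES));
  return $clean === '' ? '' : ' style="' . htmlspecialchars($clean, ENT_QUOTES) . '"';
}

// Constructed input: TinyMCE-style formatting plus the expression() payload
// quoted in the thread. The first span keeps its colour and size; the
// second loses its style attribute entirely.
$sample = '<span style="color: #ff0000; font-size: 1.2em">hi</span>'
  . '<span style="font-size:expression(prompt(\'Enter a font name:\', \'Arial\'));">x</span>';
echo about_me_filter_styles($sample), "\n";
```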
participants (6)
- adrian rossouw
- Gabor Hojtsy
- inkfree press
- Konstantin Käfer
- Leo Burd
- Moshe Weitzman