Custom pages: add option allowing user to enter html #2935
Comments
@shubham-padia the description does have options for adding styles to the text. Are you suggesting we allow writing HTML apart from this? Also, sanitizing is necessary because even though the admin enters it, an attacker can easily write JavaScript code to add some malicious scripts. So sanitizing is always necessary even if it is in the admin section, I feel.
Yes.
I did not quite understand how this is possible unless the attacker is the admin itself. Would be great if you could explain in more detail :)
I don't think this is the right place to explain. But you should always sanitize your data. Just like you should always store your passwords in the DB in encrypted form even though only the DBA is supposed to be getting access to the DB. :)
@SaptakS just to clear up any misunderstanding, I am talking about HTML sanitization, i.e. allowing all HTML tags entered by the admin to be displayed.
@shubham-padia I understand. I think any HTML tag except the `<script>` and `<iframe>` tags is fine. @niranjan94 would you like to add any? Also, I think since formatting such as bold, italics etc. is stored in HTML format and shown in the same way without sanitization, then so should be any other HTML tag.
Yes the safe filter does exactly that.
Whether to allow or not to allow, I leave the decision to @mariobehling. I feel we have enough rich editor features so as not to allow separate HTML content. Most CMS websites also allow only a rich text editor. We can keep an option in future to upload HTML files or maybe HTML for system pages. Right now I personally feel it's enough. There are other more important bugs that need to be addressed now. @mariobehling @niranjan94 views?
@shubham-padia You have both good arguments and yes we really want better pages like what you can see on other services. However, right now there are so many bugs that have a much higher priority than this. I think when we want to build beautiful pages we should come back to this issue to understand which html features we really need. Could we postpone this please? There are features like registration forms, hidden tickets, discounts, email issues that are really essential to get this system up to standard. I would like to focus on these rather than getting max features for nice html pages up and running.
Sorry to divert from this ticket, but a beautiful html info page does not help if the system has bugs in essential areas. Please help us. Our priorities are here: https://github.com/fossasia/open-event-orga-server/labels/bug |
@mariobehling sounds good. We can focus on this later :)
@mariobehling @SaptakS @shubham-padia we can also enable use of HTML tags by using the JavaScript library "Markdown". It is quite flexible and customisable, implemented as a jQuery plug-in and useful in many situations. It is fairly clean and well maintained.
@Himanshi-Khandelwal we already have the summernote lib in our project. We are not looking for adding yet another JavaScript dependency to this project. All we need is a direct HTML editing functionality alongside the already existing rich text editing provided by summernote. Much like how it's implemented in WordPress. But anyway, this issue is for later. Let the bugs be fixed first.
|
Currently, in the pages in the admin section, text, links etc. can be entered according to the textbox, but those do not seem to be sufficient for custom pages.
@mariobehling Your views please?