Text filter "Default Blacklist" removes HTML comments - no whitelisting possible #21248
Comments
What is
You might be able to do it using the tinymce filters
YOOtheme Pro is a theme and page builder for Joomla!. The data stored in Joomla! articles could look like this: With text filter "Default Blacklist" enabled and after clicking the save button of an article on the frontend the html code looks like this: The HTML comment is completely removed and so is the readmore element - probably as there is nothing left after the readmore element. The problem is that there seems to be no kind of 'tag name' that can be used to whitelist HTML comments. So the only solution to keep the HTML comment seems to be disabling Joomla!'s text filters at all for now (i.e. set to 'no filtering') UPDATE[2018-07-26 00:43]: Maybe
No HTML comment makes it past this check, no matter the configuration given to the
Joomla is working as designed and expected
@brianteeman You are completely right! Joomla! works as expected! Therefore this is not a bug report but a feature request. I am looking for a way to whitelist HTML comments without changing Joomla! Core files. Since it is recommended to use the Default Blacklist for Administrators this is on my mind. Unfortunately I am just some power user of YOOtheme Pro and not its developer. But I have passed this thread to the developers so that they may join that conversation with some suggestions. Thank you for looking into it anyway!
@mbabker Would you consider the possibility to whitelist HTML comments inside Joomla!'s text filters? Since they are valid HTML tags, there is no reason to blacklist them.
It is a potential security issue to allow HTML comments from untrusted users. Hence the restrictions. I am sure you will understand why we won't publicly disclose anything further.
@brianteeman So, it is not about the JSON object that is a potential risk but the HTML comment itself? What in your opinion would be a "safe" tag to place an additional JSON object? I am pretty sure YOOtheme could implement equivalent text filters inside the page builder itself so that this JSON object does not contain unwanted or risky tags.
If there is some security issue with HTML comments, to be frank, there needs to be a regression test for that in the filter API. There is no commentary or test covering HTML comments to the best of my knowledge. So either it is purposefully excluded by people who are no longer contributing to the project (who would be the only ones to understand the reasoning) or it was never considered in the API's design and adding support is a valid request.
From my perspective there are several ways to store such data. You could use an attribute of a span, you could store it in a custom field, in a separate table or in an XML structure instead of JSON. If you enable the blacklist, I don't see why we should allow HTML comments in there and thus I would propose to deny this feature request. Admittedly, I'm also requesting this to clean up the tracker.
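The span-attribute alternative suggested in the comment above, as an added example that is not code from this thread, Joomla! or YOOtheme Pro. It uses a constructed, simplified stand-in for a blacklist filter (not Joomla!'s `InputFilter`); the `data-layout` attribute name and the sample data are assumptions.

```python
import html
import json
from html.parser import HTMLParser


class BlacklistModel(HTMLParser):
    """Constructed stand-in for a blacklist filter, NOT Joomla!'s InputFilter:
    re-emits tags and text, drops on* attributes and every HTML comment."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.layout = None  # JSON found in a data-layout attribute, if any

    def handle_starttag(self, tag, attrs):
        kept = [(n, v or "") for n, v in attrs if not n.startswith("on")]
        for name, value in kept:
            if name == "data-layout":  # hypothetical attribute name
                self.layout = json.loads(value)
        self.out.append("<" + tag + "".join(
            f' {n}="{html.escape(v, quote=True)}"' for n, v in kept) + ">")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # the behaviour reported in this issue: comments never survive


def sanitize(markup):
    """Return (filtered markup, layout recovered from data-layout or None)."""
    model = BlacklistModel()
    model.feed(markup)
    model.close()
    return "".join(model.out), model.layout


def embed_as_comment(layout):
    return f"<!-- {json.dumps(layout)} -->"


def embed_as_attribute(layout):
    # Attribute-escape the JSON so quotes and angle brackets cannot break out.
    payload = html.escape(json.dumps(layout), quote=True)
    return f'<span data-layout="{payload}"></span>'


# Constructed sample data, not real YOOtheme Pro output.
LAYOUT = {"type": "layout", "title": 'He said "hi" <b>&</b> left'}
ARTICLE = "<p onclick=\"x()\">Intro</p>"
```

In this model the comment variant loses the layout on save, while the attribute variant passes through unchanged and decodes back to the same JSON.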
@Hackwar HTML comments are valid tags and intended for any metadata (notes, etc.) within the markup. Comment tags are not visually shown and do not interfere with the actual markup. For example other editors like Gutenberg use the comment tags for metadata as well. So why blacklist them at all?
I agree with @steffans here. Power users would also like to leave their comments in HTML pages without having them removed.
I have very little GitHub experience. Thus, if a pull request is something that has to be done by the original author please tell me how to do this. Thank you for discussing this issue anyway!
Set to "closed" on behalf of @jwaisner by The JTracker Application at issues.joomla.org/joomla-cms/21248
Closing this feature request as J3 is not available for feature adds. Please review J4 and request for J4 if this feature is wanted. This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/21248.
Re-opened as it's a valid feature request and flagged re-evaluate J4
OT: It isn't a good idea to use comments to store data. E.g. Cloudflare (Proxy + DDOS protection) removes comments. Better use Also "as pro" I don't need comments, because I have previous versions
@bato3 In this case the comments store data which is then processed on the server and transformed into an HTML layout. As mentioned before other page/block editors use the same technique for storing layout data.
Is your feature request related to a problem? Please describe.
Currently the "Default Blacklist" text filter removes YOOtheme Pro JSON data from articles as this data is masked by an HTML comment - probably in order to not be visible inside search results.
This issue can also be viewed here: https://yootheme.com/support/question/120930
The YOOtheme Pro developers don't see any possibility to whitelist HTML comments inside the current text filters.
Describe the solution you'd like
Add a possibility to whitelist HTML comments inside Joomla!'s text filters.
Additional context
Thank you for looking into it!