fix: Allow html but not script, head and html tags in notes widget #4898 #5006

Merged
merged 4 commits into from Nov 26, 2016

@laf
Member

laf commented Nov 16, 2016

Please note

Please read this information carefully. You can run ./scripts/pre-commit.php to check your code before submitting.

Fixes: #4898

Strips out html/body and script tags.

@laf laf added the Bug 🐞 label Nov 16, 2016

@LibreNMS-CI

LibreNMS-CI commented Nov 16, 2016

Auto-Deploy finished, Test PR at http://5006.ci.librenms.org or https://5006.ci.librenms.org

@laf

Member

laf commented Nov 20, 2016

bump

@murrant

Member

murrant commented Nov 21, 2016

How about whitelist instead of blacklist?

<p>, <ul>, <ol>, <li>, <strong>, <em>, <pre>, <code>, <blockquote>, <cite> or even better something like this: http://htmlpurifier.org/
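As an added illustration of the whitelist-versus-blacklist point made above (Python written for this page, not the project's PHP and not HTMLPurifier itself), the two filters below run the same constructed note through a deny-list like the PR's first version and through the tag allowlist suggested here; the class, function names and sample input are mine.

```python
from html import escape
from html.parser import HTMLParser

# Tags the reviewer proposed to allow; in that mode attributes are never kept.
ALLOWED_TAGS = {"p", "ul", "ol", "li", "strong", "em", "pre", "code",
                "blockquote", "cite"}
# Tags the PR's first version stripped; anything not listed passes through.
DENIED_TAGS = {"html", "head", "body", "script"}

class _TagFilter(HTMLParser):  # rebuild markup, keeping only tags `keep` accepts
    def __init__(self, keep, keep_attrs):
        super().__init__()  # convert_charrefs=True: entities arrive decoded
        self.keep, self.keep_attrs = keep, keep_attrs
        self.out, self.script_depth = [], 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # drop the element together with its content
            self.script_depth += 1
        elif not self.script_depth and self.keep(tag):
            parts = [tag] + ([f'{k}="{escape(v or "")}"' for k, v in attrs]
                             if self.keep_attrs else [])
            self.out.append(f"<{' '.join(parts)}>")

    def handle_endtag(self, tag):
        if tag == "script":
            self.script_depth = max(0, self.script_depth - 1)
        elif not self.script_depth and self.keep(tag):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):  # text is always re-escaped on output
        if not self.script_depth:
            self.out.append(escape(data, quote=False))

def _run(html, keep, keep_attrs):
    f = _TagFilter(keep, keep_attrs)
    f.feed(html)
    f.close()
    return "".join(f.out)

def strip_denylist(html):
    """Deny-list: remove html/head/body/script, keep every other tag and attribute."""
    return _run(html, lambda t: t not in DENIED_TAGS, keep_attrs=True)

def sanitize_allowlist(html):
    """Allowlist: keep only ALLOWED_TAGS, with no attributes at all."""
    return _run(html, lambda t: t in ALLOWED_TAGS, keep_attrs=False)

# Constructed sample note (not from LibreNMS); <div> is on neither list.
SAMPLE = ('<html><body><p class="x">Rack <strong>A1</strong> is <div>full</div>'
          ' &amp; 1 &lt; 2</p><script>bad()</script></body></html>')
```

The deny-list output still carries the `<div>` and the `class` attribute because nobody listed them; the allowlist output contains nothing that was not explicitly permitted, which is the maintenance argument for the second approach.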

@laf

Member

laf commented Nov 23, 2016

Changed now. Using htmlpurifier in the display() function.

I've tested the pages which currently use display().

@LibreNMS-CI

LibreNMS-CI commented Nov 23, 2016

Auto-Deploy finished, Test PR at http://5006.ci.librenms.org or https://5006.ci.librenms.org

@murrant

Member

murrant commented Nov 23, 2016

Use the autoloader so it only gets loaded when needed:

require $install_dir . '/lib/htmlpurifier-4.8.0-lite/library/HTMLPurifier.auto.php';

Also, it seems to fail badly when iconv isn't present. The docs said you only need iconv when the string isn't utf-8. I couldn't figure out how to fix that...

@laf

Member

laf commented Nov 23, 2016

I'll have to come back to this one as I'm working on something else at the moment.

What fails for you?

@laf

Member

laf commented Nov 25, 2016

Updated

@LibreNMS-CI

LibreNMS-CI commented Nov 25, 2016

Auto-Deploy finished, Test PR at http://5006.ci.librenms.org or https://5006.ci.librenms.org

@scrutinizer-notifier

scrutinizer-notifier commented Nov 25, 2016

The inspection completed: No new issues

@laf laf merged commit 78f5c26 into librenms:master Nov 26, 2016

2 checks passed

Auto-Deploy Build finished.
continuous-integration/travis-ci/pr The Travis CI build passed

@laf laf deleted the laf:issue-4898 branch Nov 26, 2016