fix: Allow html but not script, head and html tags in notes widget #4898 #5006

Merged
merged 4 commits into from Nov 26, 2016


4 participants

@laf
Member
laf commented Nov 16, 2016

Please note

Please read this information carefully. You can run ./scripts/pre-commit.php to check your code before submitting.

Fixes: #4898

Strips out html/body and script tags.

@laf laf fix: Allow html but not script, head and html tags in notes widget
aff564c
@laf laf added the Bug label Nov 16, 2016
@laf
Member
laf commented Nov 20, 2016

bump

@murrant
Contributor
murrant commented Nov 21, 2016

How about whitelist instead of blacklist?

<p>, <ul>, <ol>, <li>, <strong>, <em>, <pre>, <code>, <blockquote>, <cite> or even better something like this: http://htmlpurifier.org/

laf added some commits Nov 23, 2016
@laf laf Merge branch 'master' of github.com:librenms/librenms into issue-4898 2e66837
@laf laf updated display() function to use htmlpurifier library
c3d4fc7
@laf
Member
laf commented Nov 23, 2016

Changed now. Using htmlpurifier in the display() function.

I've tested the pages which currently use display().

@murrant
Contributor
murrant commented Nov 23, 2016

Use the autoloader so it only gets loaded when needed:

require $install_dir . '/lib/htmlpurifier-4.8.0-lite/library/HTMLPurifier.auto.php';

Also, it seems to fail badly when iconv isn't present. The docs said you only need iconv when the string isn't utf-8. I couldn't figure out how to fix that...
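The two review points above, the tag whitelist and loading HTMLPurifier through its autoloader, combined into one worked example. This is added illustration, not code from this pull request or from LibreNMS: `$install_dir` stands in for the application's install directory, the `sanitize_note()` function name and the sample note are constructed for the example, and the library path is the one quoted in the comment above.

```php
<?php
// Added example (not LibreNMS code): whitelist-based sanitisation of a notes
// widget string with HTMLPurifier. $install_dir is a placeholder for the
// application's install directory; the library path is the one from the
// review comment.
$install_dir = __DIR__;
require $install_dir . '/lib/htmlpurifier-4.8.0-lite/library/HTMLPurifier.auto.php';

/**
 * Return $html with only whitelisted elements kept.
 *
 * Because this is an allow list rather than a list of tags to strip,
 * <html>, <head>, <body>, <script> and any element or attribute that was
 * not anticipated (for example an on* event handler) are all dropped
 * without having to be named individually.
 */
function sanitize_note($html)
{
    $config = HTMLPurifier_Config::createDefault();

    // Whitelist suggested in the review: elements only, no attributes.
    $config->set('HTML.Allowed', 'p,ul,ol,li,strong,em,pre,code,blockquote,cite');

    // Notes are stored as UTF-8; HTMLPurifier only calls iconv when it has
    // to convert from another encoding, so declaring UTF-8 keeps the common
    // path free of that dependency.
    $config->set('Core.Encoding', 'UTF-8');

    // Disable the definition cache so the example runs without a writable
    // cache directory (a real deployment would leave caching on).
    $config->set('Cache.DefinitionImpl', null);

    $purifier = new HTMLPurifier($config);
    return $purifier->purify($html);
}

// Constructed sample note: a full document wrapper, a script element and an
// event-handler attribute, to show what the whitelist removes.
$dirty = '<html><head><title>x</title></head><body>'
       . '<p onclick="alert(1)">Rack <strong>A3</strong></p>'
       . '<script>alert(1)</script>'
       . '<ul><li>PDU 1</li></ul></body></html>';

echo sanitize_note($dirty), PHP_EOL;
```

Running this keeps only the `<p>`, `<strong>`, `<ul>` and `<li>` content of the sample; the document wrapper, the `<script>` element and the `onclick` attribute are all absent from the output because none of them is on the allow list. Switching the list from "what to strip" to "what to keep" is what makes the fix robust to tags the original blacklist did not name.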

@laf
Member
laf commented Nov 23, 2016

I'll have to come back to this one as I'm working on something else at the moment.

What fails for you?

@laf laf updated to use auto
2ac182f
@laf
Member
laf commented Nov 25, 2016

Updated

@scrutinizer-notifier

The inspection completed: No new issues

@laf laf merged commit 78f5c26 into librenms:master Nov 26, 2016

2 checks passed

Auto-Deploy Build finished.
continuous-integration/travis-ci/pr The Travis CI build passed
@laf laf deleted the laf:issue-4898 branch Nov 26, 2016
@VimCommando VimCommando added a commit to VimCommando/librenms that referenced this pull request Jan 4, 2017
@laf @VimCommando laf + VimCommando fix: Allow html but not script, head and html tags in notes widget #4898 558ef10