Bug 759212: allow more HTML attributes in content. #237

Merged
merged 1 commit into from

2 participants

@nickolay

Allow attributes commonly used on tables in dekiwiki, such as the one on
https://developer.mozilla.org/en/DOM/DOM_event_reference

https://bugzilla.mozilla.org/show_bug.cgi?id=759212

@groovecoder groovecoder commented on the diff
apps/wiki/models.py
@@ -57,12 +57,12 @@
ALLOWED_ATTRIBUTES['a'] = ['style', 'id', 'class', 'href', 'title', ]
ALLOWED_ATTRIBUTES.update(dict((x, ['style', 'name', ]) for x in
('h1', 'h2', 'h3', 'h4', 'h5', 'h6')))
-ALLOWED_ATTRIBUTES.update(dict((x, ['id', ]) for x in (
+ALLOWED_ATTRIBUTES.update(dict((x, ['id', 'style', 'class']) for x in (
@groovecoder Mozilla member

allowing style scares me - too open for security exploits? e.g., http://html5sec.org/#9

how vital is it?

@groovecoder it's already allowed for headings per the line just above the one I changed, so I'm not sure why it shouldn't be allowed everywhere. I don't know how vital it is, though, but I do know that deki allows it.

@groovecoder Mozilla member

sounds like it's widely used. and bleach has a tight regex on the attribute values that should prevent javascript exploits.

@groovecoder groovecoder merged commit 931f7e4 into mozilla:master
Commits on May 28, 2012
  1. @nickolay

    Bug 759212: allow more HTML attributes in content.

    nickolay committed
    Allow attributes commonly used on tables in dekiwiki, such as the one on
    https://developer.mozilla.org/en/DOM/DOM_event_reference
Showing with 3 additions and 3 deletions.
  1. +3 −3 apps/wiki/models.py
6 apps/wiki/models.py
@@ -57,12 +57,12 @@
ALLOWED_ATTRIBUTES['a'] = ['style', 'id', 'class', 'href', 'title', ]
ALLOWED_ATTRIBUTES.update(dict((x, ['style', 'name', ]) for x in
('h1', 'h2', 'h3', 'h4', 'h5', 'h6')))
-ALLOWED_ATTRIBUTES.update(dict((x, ['id', ]) for x in (
+ALLOWED_ATTRIBUTES.update(dict((x, ['id', 'style', 'class']) for x in (
'p', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'code', 'dl', 'dt', 'dd',
'section', 'header', 'footer', 'nav', 'article', 'aside', 'figure',
'dialog', 'hgroup', 'mark', 'time', 'meter', 'command', 'output',
'progress', 'audio', 'video', 'details', 'datagrid', 'datalist', 'table',
- 'address'
+ 'tr', 'td', 'th', 'address'
)))
ALLOWED_STYLES = [
'border', 'float', 'overflow', 'min-height', 'vertical-align',
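Review bot: the `+ALLOWED_ATTRIBUTES.update(dict((x, ['id', 'style', 'class']) for x in (` line grants inline `style` and `class` to every element in this generator (`dialog`, `audio`, `video`, `details` and the rest, not only the `tr`, `td`, `th` the description motivates), so the safety of this change rests entirely on `ALLOWED_STYLES` just below staying tight; a one-line comment at this point saying exactly that would stop a later edit from loosening the style list without noticing the reach of this one. Separately, adding only `'tr', 'td', 'th'` leaves `thead`, `tbody`, `tfoot` and `caption` out of the allowed-tag list, so table markup that uses them will still be filtered; if the goal is to round-trip dekiwiki tables, consider adding those as well.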
@@ -73,7 +73,7 @@
'background', # TODO: Maybe not this one, it can load URLs
'background-color',
'font', 'font-size', 'font-weight', 'text-align', 'text-transform',
- '-moz-column-width', '-webkit-columns', 'columns',
+ '-moz-column-width', '-webkit-columns', 'columns', 'width',
]
# Disruptiveness of edits to translated versions. Numerical magnitude indicate
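Review bot: the `'background', # TODO: Maybe not this one, it can load URLs` context line at the top of this hunk is still unresolved while the first hunk extends inline `style` to table cells and many more elements, so the set of elements that can carry that property grows with this change; suggest settling the TODO here (keep `background-color`, drop the `background` shorthand) rather than widening the exposure first. Adding `'width'` itself is fine, but a short comment tying it to the dekiwiki table import would help the next person who prunes this list.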