is there a way to allow all tags and attributes? #188
Comments
+1
Sorry, but no. wysihtml5 has been designed to be used in unsafe environments, where a whitelist of tags and attributes is essential. I'm not planning to change this.
Ok, but if I may suggest: maybe you should warn users that wysihtml5 will destroy your data, as it reformats existing content without warning. So if, for example, I decide to use it on a site with existing data containing these tags, it will delete tons of tags and damage the data without telling.
For a quick fix (if you need to remove the parser), go into wysihtml5.js, find `_initParser:` and comment out/remove its contents, like so:

```javascript
_initParser: function() {
  /*
  // Parsing of content pasted into the composer is disabled here.
  this.observe("paste:composer", function() {
    var keepScrollPosition = true,
        that = this;
    that.composer.selection.executeAndRestore(function() {
      wysihtml5.quirks.cleanPastedHTML(that.composer.element);
      that.parse(that.composer.element);
    }, keepScrollPosition);
  });
  // Parsing of content pasted into the textarea is disabled here.
  this.observe("paste:textarea", function() {
    var value = this.textarea.getValue(),
        newValue;
    newValue = this.parse(value);
    this.textarea.setValue(newValue);
  });
  */
}
```
I don't understand this response at all. There's no such thing as a "safe" client-side environment, since any prohibitive attempts would take all of five seconds to circumvent by manually POSTing to the server. If you want what's going into the database to be "safe" then the only way to do that is to parse and sanitize the HTML on the server side. Great editor, but it's a little silly that it strips style tags, since styling is basically the main purpose of a wysiwyg script.
Greg-kmg: Consider a kiosk application, or similarly restricted/locked-down public environment. An attack targeting subsequent users of the application need not inject anything into the server; for many kinds of malware it would be sufficient to plant script on the client side. Whether or not the existence of such use-cases warrants mandatory client-side whitelisting for every application isn't for me to say; I'm definitely not a full-time security professional. It should be fairly straightforward to fork wysihtml5 and disable client-side validation, if that's what you need for your application. I believe a lot of developers end up forking this particular widget, for one reason or another.
Yeah, I just did a little digging and found the style tag parser exception that's been merged. I guess it's just hard for me to imagine an environment where the browser javascript is safe from manipulation. I wonder if it'd be feasible to add the ability for wildcards in the parser rules, along with a way to force allowing certain attributes on all allowed tags. Either way, it's a lovely editor. Just hadn't seen the whitelist-only, strip-everything approach before.
Hi, first: in `check_attributes`, set the value `"allow"`:

```javascript
"img": {
  "check_attributes": {
    "width": "numbers",
    "alt": "alt",
    "src": "url",
    "height": "numbers",
    "style": "allow",
    "class": "allow"
  }
}
```

Then go into wysihtml5 and replace the `if (checkAttributes) { .... }` block with:

```javascript
if (checkAttributes) {
  for (attributeName in checkAttributes) {
    // "allow" is a special marker: the attribute value is copied through unchecked
    if (checkAttributes[attributeName] == 'allow')
      method = 'allow';
    else
      method = attributeCheckMethods[checkAttributes[attributeName]];
    if (!method) {
      continue;
    }
    newAttributeValue = (method == 'allow' ? _getAttribute(oldNode, attributeName) : method(_getAttribute(oldNode, attributeName)));
    if (typeof(newAttributeValue) === "string") {
      attributes[attributeName] = newAttributeValue;
    }
  }
}
```
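To make the whitelist behaviour discussed in this thread concrete, here is an added stand-alone sketch (not wysihtml5's own code) that models per-tag `check_attributes` rules, including the proposed `"allow"` pass-through, over a constructed HTML string. The check methods and the regex tag walk are simplified approximations, not the library's implementation.

```javascript
// Added illustration, not wysihtml5 code: a minimal model of per-tag
// attribute whitelisting with named check methods, including the
// hypothetical "allow" pass-through proposed in the comment above.
const attributeCheckMethods = {
  // Simplified approximations of wysihtml5's checks, not its real code.
  numbers: (v) => (/^\d+$/.test(v.trim()) ? v.trim() : null), // digits only
  alt:     (v) => v,                                          // any text
  url:     (v) => (/^(https?:\/\/|\/)[^\s"']*$/i.test(v.trim()) ? v.trim() : null),
  allow:   (v) => v, // pass-through: value is kept verbatim, no validation at all
};

// Rules in the shape used above: unlisted tags are dropped (their text is
// kept), and only listed attributes survive on a listed tag.
const rules = {
  tags: {
    p: {},
    img: {
      check_attributes: {
        width: "numbers", alt: "alt", src: "url", height: "numbers",
        style: "allow", class: "allow",
      },
    },
  },
};

// Regex-based tag walk for illustration; a real sanitizer works on a DOM.
function sanitize(html, ruleSet) {
  return html.replace(/<(\/?)([a-zA-Z0-9]+)([^>]*?)(\/?)>/g, (m, close, name, attrs, selfClose) => {
    const tag = name.toLowerCase();
    const tagRule = ruleSet.tags[tag];
    if (!tagRule) return "";                 // tag not whitelisted: drop the tag itself
    if (close) return `</${tag}>`;
    const check = tagRule.check_attributes || {};
    const kept = [];
    const attrRe = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;
    let a;
    while ((a = attrRe.exec(attrs)) !== null) {
      const attrName = a[1].toLowerCase();
      const method = attributeCheckMethods[check[attrName]];
      if (!method) continue;                 // attribute not whitelisted for this tag
      const value = method(a[2]);
      if (typeof value === "string") kept.push(`${attrName}="${value}"`);
    }
    return `<${tag}${kept.length ? " " + kept.join(" ") : ""}${selfClose ? "/" : ""}>`;
  });
}

// Constructed input: a non-numeric width, an inline style, an unlisted event
// handler attribute and an unlisted tag.
const SAMPLE = '<p class="x">Hi</p><img src="/a.png" width="10px" height="20" style="border:0" onerror="handler()"><script>bad()</script>';
console.log(sanitize(SAMPLE, rules));
```

Note that `"allow"` on `style` keeps whatever the attribute contains, while the unlisted `onerror` is still dropped because the loop only ever visits attributes named in `check_attributes`.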
Original line: `return isString ? wysihtml5.quirks.getCorrectInnerHTML(element) : element;`. This will turn off the parser altogether in `function parse(elementOrHtml, rules, context, cleanUp) {...}`; just remove the parse function.
So this is an HTML WYSIWYG editor that is only fit for a minute subset of HTML out of the box. Go you guys! wysihtml5, for those that want their users in the 80's... that does have some ring. Seriously, is it not smarter to blacklist script tags?
Having an official option for disabling the whitelist parser rules would be welcome, or a blacklist, please.
I don't want to filter anything; right now it seems like it replaces span with divs and removes src values and style attributes. Is there a way to just allow anything?
Thanks