I'm using HTMLPurifier to prevent XSS attacks from users and everything works OK on input type="text" fields. But when I try to clean TinyMCE textareas it seems like HTMLPurifier doesn't work, e.g.:
Simple input text field
Input: <script>alert("XSS")</script>Cleaning Test
Output: Cleaning Test
TinyMCE textarea
Input: <script>alert("XSS")</script>
Output: <script>alert("XSS")</script>
Did I miss something? Why does HTMLPurifier work on a simple input text field but not with a TinyMCE textarea?
PS: Magic Quotes are off.
I think I found what was wrong.
TinyMCE automatically encodes entities such as:
< into &lt;
> into &gt;
" into &quot;
& into &amp;
I tried to use different types of entity_encoding on TinyMCE but none of them seems to work as I want, so I used PHP's html_entity_decode to decode the TinyMCE textarea and then I used HTMLPurifier to sanitize the data, and everything works OK now.
Hope someone else finds this useful.
You will need to call tinymce.triggerSave() in order to write the TinyMCE content back to the TinyMCE source element (which can be a textarea) before the purifier can work.
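As an added example, not code from either answer above, here is the server-side handling in PHP using HTMLPurifier's actual API; it assumes HTMLPurifier is installed through Composer, that the editor field is posted as body, and that the allowed-element list matches the editor toolbar, all of which are assumptions. One caveat the posts leave out: what TinyMCE submits (after tinymce.triggerSave()) is already HTML, in which &lt;script&gt; is text the author typed, not an element, and a browser renders it as text without executing it, so the "Output" in the question is not an XSS. Running html_entity_decode over the whole submission turns every literally typed <b> or <script> into live markup before the purifier sees it. The decode step therefore belongs only in the situation where something upstream (a framework input filter, for instance) entity-encoded the entire POST value as a string; the usual path is to purify TinyMCE's HTML as it arrives and to output the purified HTML without escaping or decoding it again. The example shows both paths.

```php
<?php
// Added example, not from the original posts. Assumes HTMLPurifier is installed
// via Composer, that the TinyMCE field is submitted as $_POST['body'], and that
// the allow-list below matches the editor toolbar (all assumptions).
require __DIR__ . '/vendor/autoload.php';

function buildPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('Core.Encoding', 'UTF-8');
    // Allow-list only the elements and attributes the editor is meant to produce.
    $config->set('HTML.Allowed', 'p,br,strong,em,ul,ol,li,a[href],img[src|alt]');
    // No javascript:, data: or other schemes in href/src.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $config->set('AutoFormat.RemoveEmpty', true);
    // HTMLPurifier caches generated definitions; give it a writable directory.
    $config->set('Cache.SerializerPath', sys_get_temp_dir());
    return new HTMLPurifier($config);
}

/**
 * Normal path: TinyMCE submits HTML. Text the author typed arrives as
 * "&lt;script&gt;" and stays harmless text; a real <script> element,
 * an onclick attribute or a javascript: URL is removed by the purifier.
 */
function purifyEditorHtml(string $html): string
{
    return buildPurifier()->purify($html);
}

/**
 * Only for the situation described in the question, where the whole submitted
 * value was entity-encoded as a string (e.g. by a framework input filter), so
 * the purifier would see "&lt;p&gt;" where a <p> tag was meant.
 * Decoding happens BEFORE purification: decoding purified output would
 * reintroduce exactly the tags the purifier just removed.
 */
function purifyEntityEncodedSubmission(string $encoded): string
{
    // ENT_QUOTES | ENT_HTML5 also decodes &#039; and &apos;; TinyMCE works in UTF-8.
    $html = html_entity_decode($encoded, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return purifyEditorHtml($html);
}

$clean = purifyEditorHtml($_POST['body'] ?? '');
// When rendering, echo $clean as HTML. Do not pass it through html_entity_decode()
// (that would undo the sanitisation) and do not re-escape it with htmlspecialchars()
// (that would display the markup as text).
```

If the decoded path is needed, apply it once and only at input time; a value that was stored already purified must never be decoded again on the way out.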
I have a custom button that inserts some HTML in the editor.
The first block of code is the button action and the second one is how the HTML is inserted.
Any idea why it is rewriting it that way and how to stop it?
I just managed to fix it, in the init function:
valid_children : 'pre[code]'
TinyMCE includes the ability to insert code samples into the editor via its Code Sample plugin:
https://www.tinymce.com/docs/plugins/codesample/
If you want to try to do this yourself you need to do a few things like using the protect configuration option to tell TinyMCE to allow your PHP tags. See this TinyMCE Fiddle for a basic example:
http://fiddle.tinymce.com/Qdgaab
I have a TYPO3 installation which strips any <p> tags from content I create when the RTE editor is enabled for the field in question, before it saves it in the DB. And it seems I cannot find a way to disable this behavior with TypoScript. As soon as I disable the RTE editor I can save <p> tags and they get correctly rendered in the frontend. They also get correctly rendered in the frontend when I simply add them directly in the database in the tt_content table in the bodytext field.
When I switch to the edit source mode of the RTE I see all <p> tags in place, before and after a save (although they never make it to the DB), so it looks like they get converted to (Linux) line breaks or something and get converted back to <p> tags when the editor loads them in the backend. But those line breaks of course have no effect in the frontend.
I thought this behavior would be controlled by RTE.default.proc but everything there looks good to me (p is already in the allowed tags and there is no clue why it could be stripped). I've also tried to disable the RTE.default.proc.entryHTMLparser_db and RTE.default.proc.exitHTMLparser_db as I wouldn't mind it if the HTML content as you see it in the edit source mode of the RTE (so with RTE still enabled!) would not be touched at all - in fact I would prefer it - but this had no effect. On the other hand when I add tags to the allowed tags which weren't there before (like <button>) this works so the things I try to add to RTE.default.proc aren't ignored in general.
So how can I stop TYPO3 from stripping my <p> tags from RTE content or touching it at all? I'd prefer a solution with TypoScript but meanwhile I would also be happy about an ugly hack in a sys extension as long as it works...
I'm not sure if this is a bug or not but the solution to my problem lies in p.rmTagIfNoAttrib = 1. At least in my TYPO3 version (v6.1.7 and nearly only built in extensions) I cannot find this setting in the preset TypoScript of the page or the RTE editor so I'm guessing it defaults to 0. In my logic 0 means false so I'd say the default would read as "remove tag if there is no attribute?: no!".
However, TYPO3 seems to work after its own logic. Adding the following statement to the page TS solves my problem and <p> tags are preserved:
RTE.default.proc {
entryHTMLparser_db {
tags {
p.rmTagIfNoAttrib = 1
}
}
}
The reasons for this behavior are explained in the TYPO3 manual:
Many of the transformations performed back and forth in the TYPO3 backend date back to when it was a challenge to incorporate a RTE in a browser. It was then sometimes needed to fall back on a simple <textarea> where rich text had to be presented in a simple enough way so that editors could work with it with no visual help.
The TinyMCE editor is not rendering the editor properly when the content is something like
<textarea><p><sample data></p></textarea>
i.e. <sample data>.
When I initialize a TinyMCE editor here, I don't see anything, as it looks like it assumes <sample data> is an HTML tag.
Please assume I have tinymce.js loaded and I initialize using tinymce.init.
Is there a fix for this? Please let me know if it is a server side fix, or is there a tinymce.init option I could give to fix this problem.
PS: It does look like this is an HTML Entity encoding related issue but I am hardly an expert in this area.
Have a look at the tinymce config parameter entity_encoding.
If this does not work you may use this workaround
// save the textarea's raw content before TinyMCE parses it as HTML
var saved_content = document.getElementById('id_of_my_textarea').innerHTML;
// init the editor (TinyMCE 3 API; TinyMCE 4+ uses tinymce.init({selector: ...}))
tinyMCE.execCommand('mceAddControl', false, 'id_of_my_textarea');
// after TinyMCE is fully initialized, restore the saved content;
// initialization is asynchronous, so you should do this from the editor's init
// callback via the tinymce configuration parameter "setup" rather than here
tinymce.get('id_of_my_textarea').setContent(saved_content);
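The server-side fix the question asks about, as an added PHP example that is not part of the answer above: a literal <sample data> has to be written into the editor's HTML as &lt;sample data&gt;, because TinyMCE parses the textarea's value as HTML and discards unknown elements, and that editor HTML then has to be escaped a second time when it is placed between the <textarea> tags, since the browser decodes textarea content once before it becomes the value TinyMCE reads. The second escaping is also what stops a stored </textarea><script> from closing the element and executing in the page. The function names, the textarea id and the sample values are assumptions made for illustration.

```php
<?php
// Added example, not from the original answer. Function names, the textarea id
// and the sample values are assumptions made for illustration.

/** Wrap text that must appear in the editor literally, e.g. "<sample data>". */
function literalTextToEditorHtml(string $text): string
{
    // In editor HTML a literal "<" is "&lt;". Stored unescaped, "<sample data>"
    // is parsed by TinyMCE as an unknown element and dropped.
    return '<p>' . htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

/** Emit the <textarea> TinyMCE attaches to. $html is editor HTML, e.g. from the DB. */
function renderEditorTextarea(string $id, string $html): string
{
    // Between <textarea> tags the content is character data that the browser
    // decodes once, so the editor HTML is escaped a second time: "&lt;" is
    // written as "&amp;lt;" and reaches the textarea's value (what TinyMCE
    // reads) as "&lt;". The same escaping keeps a stored "</textarea><script>"
    // from closing the element and running in the page.
    return sprintf(
        '<textarea id="%s">%s</textarea>',
        htmlspecialchars($id, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        htmlspecialchars($html, ENT_QUOTES | ENT_HTML5, 'UTF-8')
    );
}

// Constructed sample values: well-formed editor content, and content that
// reached the database without going through the editor or a sanitiser.
$stored  = literalTextToEditorHtml('<sample data>');
$hostile = '</textarea><script>alert(1)</script>';
echo renderEditorTextarea('id_of_my_textarea', $stored), "\n";
echo renderEditorTextarea('id_of_my_textarea', $hostile), "\n";
```

Both escaping steps use the same htmlspecialchars call but serve different layers: the first decides what TinyMCE shows as text versus markup, the second decides where the textarea element ends in the surrounding page. Dropping the second one is the classic textarea-breakout XSS.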
When I set the content to 'a\nb' in TinyMCE, the edit in HTML shows 'ab', and when I set it again, through the console, it shows as
a
b
why could this be happening? and how to fix it?
This might be because of the cleanup functionality of TinyMCE. Using html will yield HTML without TinyMCE internal elements/attributes and cleaned content.
I am using TinyMCE with the BBCode plugin. In general it's working nicely; most of the BBCodes like [b] and [color] and so forth are converted into HTML within the textarea and saved as BBCodes into the database correctly.
The thing with font-size is the following: when formatting a string the first time, it correctly changes its size and is saved correctly as BBCode into the database.
But when I open that record again to edit it, the BBCode is not converted to HTML, so in the textarea there is something like
"[size= medium]rfeferf[/size]" instead of the text in the right size.
Do you have any hints on this? I've been searching the web yesterday and today and didn't find anything that could solve this.
Regards, Maschek
This is caused by the BBCode plugin in TinyMCE being unable to transform the [size] tag back to HTML. I've logged TinyMCE bug #5327 with a fix patch attached. You can download the latest TinyMCE source, apply the patch and compile it (or wait until the patch is reviewed and released).
The related source code is located at plugins/bbcode/editor_plugin_src.js