Forums | Mahara Community

Disabling HTMLPurifier for HTML editing by admin

15 March 2009, 1:34 AM

Hi. I'm trying to disable the execution of HTMLPurifier when administrators modify webpages. So far, I've figured out how to keep clean_text() from running when administrators hit the "save changes" button when editing site pages. No problem there.

But the real problem is this: I need administrators to be able to use the HTML Source Editor to make those changes. Now, I can't figure out for the life of me how the HTML Source Editor invokes the HTML Purifier. I notice that, on hitting "Update", data is passed via a json packet (or whatever you call it) to wysiwyg.php, which calls clean_text(). But, it seems that bypassing clean_text() has no effect! Weird!

Is there anything else in the WYSIWYG editor code that I'm missing? I'd be grateful for any insights into what's happening with the WYSIWYG editor regarding HTML sanitization.

Many thanks!

Nigel

15 March 2009, 5:28 PM

Hi - it's quite likely that TinyMCE thinks it's "helping" by stripping things it thinks are a security problem - there's probably a setting for it that you can turn off. Probably best to check out the TinyMCE documentation, then add the appropriate config details to the smarty() function in lib/web.php, where TinyMCE is configured.
Jamie

25 March 2009, 3:09 PM

I know this is a horrible work-around, but I have just been pasting my code for things like flash content right into the site_content in the database. Not a long-term solution but it works for me right now.

You know I have been a Plone user for years, and they have a third party product called CMFContent Panels. I like the Mahara views, partly because they remind me of the layout system for that Plone add-on. The reason I say this is that the text box panel in Plone lets you add just about any kind of code in there. Very powerful for the admin person. If we had a non-purified text box type that only allowed a system admin or maybe a special group membership of authorized people, that would solve 90% of the issues. You could then add whoever you wanted and violators could be removed from the group. Or you could just hold on to those rights for yourself or a very select few.

Come to mention it, that "raw text box" type could be implemented without a fancy editor too. You only need to drop that type of content into a part of a page layout anyway, so use the other normal types around it as usual...

Nigel

25 March 2009, 6:51 PM

I guess it's a possibility - but I would much rather see the signature system for HTMLPurifier built up to be more useful before doing anything that would allow admins to compromise the security we're fighting for.

About as far as I think we should go is allowing site admins to post unfiltered content, after all they're the admins. I certainly don't think they should be able to hand that permission on any further - unless they can hack it in the code, in which case they probably know what they're doing ;)
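An added example, not code from this thread or from Mahara itself, showing the middle ground between Jamie's raw-paste workaround and Nigel's "site admins only" position: instead of switching HTMLPurifier off, the purifier stays on for everyone and is only widened for site admins using HTMLPurifier's own HTML.SafeObject and HTML.SafeEmbed directives, which keep Flash `<object>`/`<embed>` markup while forcing safe parameters. The `clean_for_user()` function and the `$is_site_admin` flag are assumptions for illustration, not Mahara APIs.

```php
<?php
// Added example (not Mahara code): a role-gated HTMLPurifier configuration.
// Assumes the HTMLPurifier library is on the include path; $is_site_admin is a
// hypothetical flag the caller derives from its own user/session object.
require_once 'HTMLPurifier.auto.php';

function clean_for_user(string $dirty, bool $is_site_admin): string
{
    $config = HTMLPurifier_Config::createDefault();

    if ($is_site_admin) {
        // Site admins may embed Flash. HTMLPurifier's SafeObject/SafeEmbed
        // modules keep <object type="application/x-shockwave-flash"> and
        // <embed>, but inject allowScriptAccess=never / allowNetworking=internal
        // so the embed cannot script the page or talk to other hosts.
        $config->set('HTML.SafeObject', true);
        $config->set('HTML.SafeEmbed', true);
    }

    // Every role, admins included, still passes through the purifier:
    // <script>, on* event handlers and javascript: URLs are removed
    // regardless of who is editing. Only the element allowlist differs.
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($dirty);
}

// Constructed sample input: a Flash object followed by an injected script.
$sample = '<object data="movie.swf" type="application/x-shockwave-flash">'
        . '<param name="movie" value="movie.swf" /></object>'
        . '<script>alert(1)</script>';

// Ordinary user: the object is dropped along with the script.
echo clean_for_user($sample, false), "\n";
// Site admin: the object survives with safe params; the script is still dropped.
echo clean_for_user($sample, true), "\n";
```

Because the decision is made server-side at purify time, it is unaffected by whatever TinyMCE does client-side, and the admin-only branch cannot be delegated by editing content alone.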
