Welcome to the Question2Answer Q&A. There's also a demo if you just want to try it out.
0 votes
612 views
in Q2A Core by
edited by

Which php file retrieves the posted content?

In my case, I want to see how the content is sanitized and modified.

My goal: I like to remove stuff from HTML that is posted. E.g. style tags such as "line-height" that get into the question/answer when copied from another site.

For now, I am using regex in the ckeditor's javascript to remove some of the style attributes, and yes, you should not do that (thousand times said on stackoverflow...)

 

Q2A version: 1.5.1

1 Answer

0 votes
by

In qa-base.php I found  function qa_sanitize_html that "returns $html after ensuring it is safe, i.e. removing Javascripts and the like - uses htmLawed library"
 


just a test post to add some html + js code, hope it gets cleaned by q2a. I copied the html directly:

... to the left is html with the class qa-waiting
new line:
 

red background with pseudo class


now comes a javascript alert:
that's it for now!

---

source from above:

<SPAN ID="qa-waiting-template" CLASS="qa-waiting">...</SPAN> to the left is html with the class qa-waiting
<br >new line:<br /><br />
<p class="" style="background-color:#FFAAAA">red background with pseudo class</p>
<br />
now comes a javascript alert:
<script type="text/javascript">alert("javascript injection")</script>
<br />
that's it for now!

...