Welcome to the Question2Answer Q&A. There's also a demo if you just want to try it out.
+2 votes
977 views
in Q2A Core by
closed by

I thought I share my changes to make html posts in q2a more secure by stricter sanitizing the data.

In qa-include/qa-base.php from line 705 you find the config for html sanitization:

$safe=htmLawed($html, array(
    'safe' => 1,
    'elements' => '*+embed+object',
    'schemes' => 'href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; *:file, http, https; style: !; classid:clsid',
    'keep_bad' => 0,
    'anti_link_spam' => array('/.*/', ''),
    'hook_tag' => 'qa_sanitize_html_hook_tag',
));

 

This allows 86 html elements, see doc here.
@gidgreen: why do you actually add +embed+object to the list, they are already included.

My new strict version is the following:

$safe=htmLawed($html, array(
    'safe' => 1,
    
// only allow the following html tags
    'elements' => 'img, a, p, br, span, b, strong, i, em, u, sub, sup, strike, table, caption, tbody, tr, td',
    
// only allow ftp, http, https in anchors - no need for classid's attr clsid
    'schemes' => 'href: ftp, http, https; *:file, http, https; style: !',
    'keep_bad' => 0,
    'anti_link_spam' => array('/.*/', ''),
    'hook_tag' => 'qa_sanitize_html_hook_tag',

    // do not allow class and id, they get removed
    'deny_attribute' => 'class, id',   
));

 

Note: My CKEditor is quite reduced in functionality (less buttons), so this code might not suit you. However, I thought one or the other could use it.

Helpful:
1. Configuring htmLawed using the $config parameter
2. How to modify qa-htmLawed.php to better sanitize/clean html posts

Q2A version: 1.5.3
closed with the note: done
...