Question2Answer Q&A - Recent questions tagged user-input

Advanced Content Filter: How to discard STYLE attributes and tags from editor?

Mon, 28 Oct 2013 15:00:48 +0000

When users copy-paste HTML content onto the coeditor, I would like the editor to accept paragraphs only without any attributes or styles.

I tried setting up ckeditor's ACF (advanced content filter) allowedContent config but am having trouble assigning an id to the textarea.

Which file should I edit?

I am using sama55's CKEditor4 plugin.

Permission to modify the questionnaire

Fri, 04 Jan 2013 00:18:56 +0000

I need to set that users after submitting their application can no longer change, I set by the admin "that the user must be registered with email and confirmed with a number of points" by setting to 50000, having 100 points, however, a normal user can change it anyway.

How can I solve this problem? You should not be more able to modify the application after it has been sent.

Thanks to all

Tip: Using htmLawed to filter CSS style attributes from posted content (clean user input)

Mon, 08 Oct 2012 14:58:05 +0000

Following my post on How to modify qa-htmLawed.php to better sanitize/clean html posts I would like to share how to sanitize posted CSS styles.

The class and id attributes you can filter by using the config parameter of htmLawed:
$config['deny_attribute'] = 'class, id';
as it has beend described here: Stricter HTML Sanitizing in q2a by changing htmLawed config parameters

Now the big task was to filter style attributes that are unwanted by the admin, e.g. margin-top:200px; or the like.

The developer of htmLawed was so nice to help me out. I implemented the css filter function in qa-base.php:

1. go to function qa_sanitize_html_hook_tag.

2. There before $html='<'.$element; (line 734) you add the following code:

// only allow certain css style elements
if (isset($attributes['style'])) {
   $css = explode(';', $attributes['style']);
   $style = array();
   foreach ($css as $v) {
       if (($p = strpos($v, ':')) > 1 && $p < strlen($v)) {
           $prop_name = trim(substr($v, 0, $p));
           $prop_val = trim(substr($v, $p+1));
           if ($prop_name == 'color' || $prop_name == 'background-color' || $prop_name == 'font-weight' || $prop_name == 'text-decoration' || $prop_name == 'width') {
               $style[] = "$prop_name: $prop_val";
           };
       };
   };
   if (!empty($style)){
       $attributes['style'] = implode('; ', $style);
   }
   else {
       unset($attributes['style']);
   };
};
// end

Result: All posted content and read content from the database that hold css styles apart from {color,background-color,font-weight,text-decoration,width} get filtered!

You can, of course, add your own whiteliste styles!

PS: The performance is not effected much "only ~10%-15% (to an overall time of ~16 ms in my setup)." thanks @patnaik

Result (example):

Tip: Stricter HTML Sanitizing in q2a by changing htmLawed config parameters

Sun, 07 Oct 2012 11:51:20 +0000

I thought I share my changes to make html posts in q2a more secure by stricter sanitizing the data.

In qa-include/qa-base.php from line 705 you find the config for html sanitization:

$safe=htmLawed($html, array(
   'safe' => 1,
   'elements' => '*+embed+object',
   'schemes' => 'href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; *:file, http, https; style: !; classid:clsid',
   'keep_bad' => 0,
   'anti_link_spam' => array('/.*/', ''),
   'hook_tag' => 'qa_sanitize_html_hook_tag',
));

This allows 86 html elements, see doc here.
@gidgreen: why do you actually add +embed+object to the list, they are already included.

My new strict version is the following:

$safe=htmLawed($html, array(
   'safe' => 1,
   // only allow the following html tags
   'elements' => 'img, a, p, br, span, b, strong, i, em, u, sub, sup, strike, table, caption, tbody, tr, td',
   // only allow ftp, http, https in anchors - no need for classid's attr clsid
   'schemes' => 'href: ftp, http, https; *:file, http, https; style: !',
   'keep_bad' => 0,
   'anti_link_spam' => array('/.*/', ''),
   'hook_tag' => 'qa_sanitize_html_hook_tag',
    // do not allow class and id, they get removed
'deny_attribute' => 'class, id',
));

Note: My CKEditor is quite reduced in functionality (less buttons), so this code might not suit you. However, I thought one or the other could use it.

Helpful:
1. Configuring htmLawed using the $config parameter
2. How to modify qa-htmLawed.php to better sanitize/clean html posts

How to modify qa-htmLawed.php to better sanitize/clean html posts

Thu, 20 Sep 2012 06:21:52 +0000

As I am new to htmLawed I have got 5 newbie question regarding the sanitization of certain HTML tags.

Question n°1:

In q2a, file qa-htmLawed.php on line 20 we have:

$e = array('a'=>1, 'abbr'=>1, 'acronym'=>1, 'address'=>1, 'applet'=>1, 'area'=>1, 'b'=>1, 'bdo'=>1, 'big'=>1, 'blockquote'=>1, 'br'=>1, 'button'=>1, 'caption'=>1, 'center'=>1, 'cite'=>1, 'code'=>1, 'col'=>1, 'colgroup'=>1, 'dd'=>1, 'del'=>1, 'dfn'=>1, 'dir'=>1, 'div'=>1, 'dl'=>1, 'dt'=>1, 'em'=>1, 'embed'=>1, 'fieldset'=>1, 'font'=>1, 'form'=>1, 'h1'=>1, 'h2'=>1, 'h3'=>1, 'h4'=>1, 'h5'=>1, 'h6'=>1, 'hr'=>1, 'i'=>1, 'iframe'=>1, 'img'=>1, 'input'=>1, 'ins'=>1, 'isindex'=>1, 'kbd'=>1, 'label'=>1, 'legend'=>1, 'li'=>1, 'map'=>1, 'menu'=>1, 'noscript'=>1, 'object'=>1, 'ol'=>1, 'optgroup'=>1, 'option'=>1, 'p'=>1, 'param'=>1, 'pre'=>1, 'q'=>1, 'rb'=>1, 'rbc'=>1, 'rp'=>1, 'rt'=>1, 'rtc'=>1, 'ruby'=>1, 's'=>1, 'samp'=>1, 'script'=>1, 'select'=>1, 'small'=>1, 'span'=>1, 'strike'=>1, 'strong'=>1, 'sub'=>1, 'sup'=>1, 'table'=>1, 'tbody'=>1, 'td'=>1, 'textarea'=>1, 'tfoot'=>1, 'th'=>1, 'thead'=>1, 'tr'=>1, 'tt'=>1, 'u'=>1, 'ul'=>1, 'var'=>1); // 86/deprecated+embed+ruby

Do I have to change 1 to 0 to disallow certain elements? → No, you use the config parameters for that, no need to change the source of qa-htmlawed.php!

Question n°2: How can I remove all style="..." attributes but allowed ones?

Question n°3: Are empty style-elements removed automatically?

Question n°4: How can class="" and id="" attributes be removed completely (what settings do we need)?

Question n°5: How can we remove empty tags, such as <b></b> or <p></p>?

Has somebody used htmLawed to clean user input in q2a?

Sun, 16 Sep 2012 12:31:54 +0000

As I saw q2a uses htmLawed to clean user input.

As some of my users copy and paste from other sites, I get class and id attributes (as well as span tags with different css-styles) posted with the content that I want to remove.

I tried fixing pasted css styles with ckeditor that was working quite well (but not 100% satisfactory).

Now I'd like to know if somebody used htmLawed's features to clean user input. Any experience would be helpful!

PS: Maybe the removal of class and id attributes can be implemented in the next release of q2a?