[kupu-dev] Getting through the HTML Filter of the Kupu editor by saving in HTML source mode
Alex Man
alexman at seas.ucla.edu
Tue Jul 15 00:04:40 CEST 2008
Hi kupuers,
I was wondering about how secure the HTML Filter in Kupu is so I did
the following little experiment:
* By default, the <font> element isn't allowed in both the Kupu
HTML Filter and safe_html in Zope
* Added "font" to the list of valid_tags in safe_html in Zope so
that the <font> element can be rendered
* Edited a page in Plone and added the code <font
color="blue">test</font> in the HTML source mode
* Switched back to normal WYSIWYG mode and saved
* As expected, the <font> tags were removed, leaving the text "test" there
* Tried adding the code <font color="blue">test</font> again but
this time...
* Didn't switch back to the WYSIWYG mode. Instead, clicked the
"Save" button directly in the HTML source mode
* And the <font> element got saved this time!
Is this how the Kupu HTML Filter is supposed to work? If that is so, is
there a way to configure it so that it removes the banned elements in
both the WYSIWYG mode and the HTML source mode? I'm using Plone 2.5.5
and Kupu 1.4.10. Thanks a lot!
Regards,
Alex
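The behaviour described above comes from where the two filters run: the Kupu HTML Filter is JavaScript executed by the editor when it converts the document between its WYSIWYG and source views, so a form submitted straight from source mode never passes through it, and the only filter that sees every submission is the server-side one (safe_html in Zope), which in the experiment had been told to accept <font>. The following is an added example, not Kupu's or Plone's own code, of what a server-side allowlist filter that is applied on every save, whatever mode the browser claims to be in, looks like. The allowlist, the `sanitize` and `save_document` function names and the sample input are assumptions made up for the illustration.

```python
"""Server-side HTML allowlist filter applied on every save, regardless of
the editor mode the browser submitted from.  Stand-alone example, not code
from Kupu or Plone; the allowlist and function names are hypothetical."""
from html import escape
from html.parser import HTMLParser

# Hypothetical allowlist: tag -> permitted attributes.  <font> is deliberately
# absent, mirroring the default described in the post.
ALLOWED = {
    "p": {"class"}, "br": set(), "b": set(), "i": set(), "em": set(),
    "strong": set(), "ul": set(), "ol": set(), "li": set(),
    "a": {"href", "title"}, "img": {"src", "alt"},
}
VOID = {"br", "img"}                 # tags that never get a closing tag
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http://", "https://", "mailto:", "/", "#")


def _safe_url(value):
    """Reject javascript:, data:, vbscript: and anything else not listed."""
    return value.strip().lower().startswith(SAFE_SCHEMES)


class AllowlistFilter(HTMLParser):
    """Rebuilds the document from scratch, emitting only allowed tags and
    attributes.  Text inside a disallowed tag is kept; the tag is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []               # stack of allowed tags currently open

    def _attrs(self, tag, attrs):
        parts = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED[tag] or value is None:
                continue
            if name in URL_ATTRS and not _safe_url(value):
                continue             # drop the attribute, keep the tag
            parts.append(' %s="%s"' % (name, escape(value, quote=True)))
        return "".join(parts)

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag not in ALLOWED:
            return                   # <font>, <script>, ... vanish here
        self.out.append("<%s%s>" % (tag, self._attrs(tag, attrs)))
        if tag not in VOID:
            self.open.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # <br/> is treated like <br>

    def handle_endtag(self, tag):
        tag = tag.lower()
        if tag not in self.open:
            return                   # disallowed or never opened: ignore
        while self.open:             # close intervening tags, stay well-formed
            t = self.open.pop()
            self.out.append("</%s>" % t)
            if t == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    def result(self):
        self.close()                 # flush any buffered text
        while self.open:             # close whatever the input left open
            self.out.append("</%s>" % self.open.pop())
        return "".join(self.out)


def sanitize(html):
    f = AllowlistFilter()
    f.feed(html)
    return f.result()


def save_document(submitted_html, mode):
    """The server never trusts the editor: the body is filtered whether the
    form says it came from 'wysiwyg' or 'source' mode.  The client-side
    filter is a convenience for the author, not a security control."""
    if mode not in ("wysiwyg", "source"):
        raise ValueError("unknown editor mode: %r" % mode)
    return sanitize(submitted_html)


if __name__ == "__main__":
    # Constructed input reproducing the experiment in the post, plus a
    # javascript: link to show the attribute check.
    submitted = ('<p>Hello <font color="blue">test</font>'
                 '<a href="javascript:alert(1)">x</a></p>')
    print(save_document(submitted, "source"))
```

The point of `save_document` is that the mode argument changes nothing: the same allowlist runs on every request, so re-enabling <font> in the server-side list is the only way it can ever reach the stored document, exactly as the experiment found.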