[kupu-dev] Getting through the HTML Filter of the Kupu editor by saving in HTML source mode

Duncan Booth duncan.booth at suttoncourtenay.org.uk
Tue Jul 15 12:54:34 CEST 2008


Alex Man <alexman at seas.ucla.edu> wrote:

> Hi kupuers,
> 
> I was wondering about how secure the HTML Filter in Kupu is so I did 
> the following little experiment:
>     * By default, the <font> element isn't allowed in both the Kupu 
> HTML Filter and safe_html in Zope
>     * Added "font" to the list of valid_tags in safe_html in Zope so 
> that the <font> element can be rendered
>     * Edited a page in Plone and added the code <font 
> color="blue">test</font> in the HTML source mode
>     * Switched back to normal WYSIWYG mode and saved
>     * As expected, the <font> tags were removed, leaving the text 
> "test" there
>     * Tried adding the code <font color="blue">test</font> again, but 
> this time...
>     * Didn't switch back to the WYSIWYG mode. Instead, clicked the 
> "Save" button directly in the HTML source mode
>     * And the <font> element got saved this time!
> Is it how the Kupu HTML Filter is supposed to work? If that is so, is 
> there a way to configure it so that it removes the banned elements in 
> both the WYSIWYG mode and the HTML source mode? I'm using Plone 2.5.5 
> and Kupu 1.4.10. Thanks a lot!
> 
> 
> Regards,
> 
> Alex 

No, if it does that it's a bug: it is supposed to apply the filtering 
even if you are in source mode.

OTOH as from Plone 3 the filtering done by kupu and the safe html 
transform in Plone are linked together so anything which escapes kupu's 
filtering will get caught anyway. For earlier Plones this isn't 
automatic but it wouldn't be sensible to tell kupu to filter something 
and not also block it in safe html.

Besides, you can *always* bypass Kupu's filtering, just use a browser 
which doesn't support kupu. The filtering in Kupu is intended as a 'nice 
to have'; it's the filtering in Plone itself that is supposed to provide 
a modicum of security.
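The defensive point of the reply above, as an added example that is not Kupu's or Plone's code: a minimal server-side allowlist filter in Python, modelled on the valid_tags idea, which produces the same result whether the HTML came from WYSIWYG mode, from source mode, or from a client that never ran Kupu at all. The tag and attribute allowlists are assumptions for illustration, not Plone's real safe_html configuration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlists for illustration; Plone's real safe_html config differs.
DEFAULT_VALID_TAGS = frozenset({"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"})
VALID_ATTRS = frozenset({"href", "title", "color"})


class AllowlistSanitizer(HTMLParser):
    """Drop every tag not in valid_tags (keeping its text, as in Alex's test)
    and every attribute not in VALID_ATTRS; re-escape all text on output."""

    def __init__(self, valid_tags):
        super().__init__(convert_charrefs=True)
        self.valid_tags = valid_tags
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.valid_tags:
            return  # banned element: the tag disappears, its content stays
        kept = "".join(
            f' {k}="{escape(v or "", quote=True)}"' for k, v in attrs if k in VALID_ATTRS
        )
        self.out.append(f"<{tag}{kept}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> and friends: emit no closing tag

    def handle_endtag(self, tag):
        if tag in self.valid_tags:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def sanitize(html, valid_tags=DEFAULT_VALID_TAGS):
    """Server-side filter applied to every submission, whatever editor mode sent it."""
    parser = AllowlistSanitizer(valid_tags)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    submitted = '<font color="blue">test</font>'  # constructed: Alex's source-mode input
    print(sanitize(submitted))                                  # -> test
    print(sanitize(submitted, DEFAULT_VALID_TAGS | {"font"}))   # -> <font color="blue">test</font>
    print(sanitize('<b onclick="x()">hi</b>'))                  # -> <b>hi</b>
```

A production filter also needs to check attribute values (for example the scheme of an href), which this illustration deliberately leaves out.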
