[kupu-dev] Getting through the HTML Filter of the Kupu editor by saving in HTML source mode

Alex Man alexman at seas.ucla.edu
Tue Jul 15 22:19:40 CEST 2008


Duncan,

Thanks for the reply! I've already submitted a ticket for the bug at 
http://dev.plone.org/plone.

At 03:54 AM 7/15/2008, Duncan Booth wrote:
>Alex Man <alexman at seas.ucla.edu> wrote:
>
> > Hi kupuers,
> >
> > I was wondering about how secure the HTML Filter in Kupu is so I did
> > the following little experiment:
> >     * By default, the <font> element isn't allowed in either the Kupu
> > HTML Filter or safe_html in Zope
> >     * Added "font" to the list of valid_tags in safe_html in Zope so
> > that the <font> element can be rendered
> >     * Edited a page in Plone and added the code <font
> > color="blue">test</font> in the HTML source mode
> >     * Switched back to normal WYSIWYG mode and saved
> >     * As expected, the <font> tags were removed, leaving the text
> > "test" there
> >     * Tried adding the code <font color="blue">test</font> again but
> > this time...
> >     * Didn't switch back to the WYSIWYG mode. Instead, clicked the
> > "Save" button directly in the HTML source mode
> >     * And the <font> element got saved this time!
> > Is this how the Kupu HTML Filter is supposed to work? If that is so, is
> > there a way to configure it so that it removes the banned elements in
> > both the WYSIWYG mode and the HTML source mode? I'm using Plone 2.5.5
> > and Kupu 1.4.10. Thanks a lot!
> >
> >
> > Regards,
> >
> > Alex
>
>No, if it does that it's a bug: it is supposed to apply the filtering
>even if you are in source mode.
>
>OTOH as from Plone 3 the filtering done by kupu and the safe html
>transform in Plone are linked together so anything which escapes kupu's
>filtering will get caught anyway. For earlier Plones this isn't
>automatic but it wouldn't be sensible to tell kupu to filter something
>and not also block it in safe html.
>
>Besides, you can *always* bypass Kupu's filtering, just use a browser
>which doesn't support kupu. The filtering in Kupu is intended as a 'nice
>to have'; it's the filtering in Plone itself that is supposed to provide
>a modicum of security.
>
>_______________________________________________
>kupu-dev mailing list
>kupu-dev at codespeak.net
>http://codespeak.net/mailman/listinfo/kupu-dev

Regards,

Alex 
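The point Duncan makes above is that Kupu's in-browser filter is not a security boundary: a user who saves from source mode, scripts the form post, or uses a browser without Kupu can submit whatever markup they like, so the server-side transform has to strip banned tags on its own. The following is an added illustration of such a server-side allowlist filter, written for this thread and not Kupu's or Plone's actual code. It mirrors Alex's experiment (the <font> tag is dropped by default and survives only once "font" is added to the valid tags), and also shows the two behaviours a practitioner would want checked: attributes not on the allowlist are removed, and "nasty" tags such as <script> are dropped together with their contents. The class name, the default tag and attribute lists, and the sample inputs are all assumptions made for the example.

```python
"""
Server-side allowlist HTML filter in the spirit of Plone's safe_html
transform. Added example for illustration, not Kupu's or Plone's code:
the class name, the default allowlists and the sample inputs are assumed.
"""
from html import escape
from html.parser import HTMLParser

# Tags whose whole content is dropped, not just the tag itself (assumed list).
NASTY_TAGS = {"script", "style", "object", "embed", "applet", "iframe"}

# Default allowlists, loosely modelled on safe_html's valid_tags (assumed).
DEFAULT_VALID_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"}
DEFAULT_VALID_ATTRS = {"href", "title"}

# Elements that never get a closing tag emitted.
VOID_TAGS = {"br", "img", "hr"}


class SafeHTML(HTMLParser):
    """Keep allowed tags and attributes, keep the text of disallowed tags,
    and drop nasty tags together with everything inside them."""

    def __init__(self, valid_tags=DEFAULT_VALID_TAGS, valid_attrs=DEFAULT_VALID_ATTRS):
        super().__init__(convert_charrefs=True)
        self.valid_tags = set(valid_tags)
        self.valid_attrs = set(valid_attrs)
        self.out = []
        self.nasty_depth = 0  # > 0 while inside a nasty tag

    def handle_starttag(self, tag, attrs):
        if tag in NASTY_TAGS:
            self.nasty_depth += 1
            return
        if self.nasty_depth or tag not in self.valid_tags:
            return  # tag removed, its text (handled in handle_data) survives
        kept = []
        for name, value in attrs:
            if name not in self.valid_attrs:
                continue
            # Even an allowed attribute can carry an unwanted URL scheme.
            if name == "href" and value and value.strip().lower().startswith("javascript:"):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        # <br/> and friends: treat like a start tag, never emit a close.
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in NASTY_TAGS:
            self.nasty_depth = max(0, self.nasty_depth - 1)
            return
        if self.nasty_depth or tag not in self.valid_tags or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.nasty_depth:
            self.out.append(escape(data, quote=False))

    def result(self):
        return "".join(self.out)


def safe_html(html, valid_tags=DEFAULT_VALID_TAGS, valid_attrs=DEFAULT_VALID_ATTRS):
    """Filter `html` with the given allowlists and return the cleaned markup."""
    parser = SafeHTML(valid_tags, valid_attrs)
    parser.feed(html)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed inputs reproducing the experiment in the thread.
    submitted = '<font color="blue">test</font>'
    print(safe_html(submitted))                                   # font dropped
    print(safe_html(submitted,
                    valid_tags=DEFAULT_VALID_TAGS | {"font"},
                    valid_attrs=DEFAULT_VALID_ATTRS | {"color"}))  # font kept
    print(safe_html('<p onclick="x()">hi <script>alert(1)</script>there</p>'))
```

Because the filter runs on the server at save time, it does not matter whether the markup came through Kupu's WYSIWYG mode, its source mode, or a hand-crafted POST; the same allowlist decides what is stored. Whatever is added to the editor's valid tags should therefore also be added here, and never the other way round.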


