After security library update, xss_clean() messes all editor contents.

#1
[eluser]Twisted1919[/eluser]
As the title says, the new update to the security class adds a new method call in xss_clean() (_remove_evil_attributes()) which practically strips out any style tag that is appended to the HTML content.

For example, I use CKEditor, and before this update I could easily have something like this in the editor:
Code:
<div style="width:400px;float:left">
CONTENT HERE
</div>

But now the XSS filter just removes the style tag, so I ended up with a lot of broken pages till I realized what was happening and whose fault it is (I suspected CKEditor at first).

In order to fix this, I had to use HTML Purifier instead of xss_clean() for the fields where I use a text editor.

I don't really like using HTML Purifier because it is a beast on memory usage, but I cannot alter the xss_clean() method because I know the style tag can be dangerous too, so it seems to me that this is the only way of being able to preserve the HTML content of a page.

Hope this info helps someone else :)
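The approach the post describes, as an added example (not code from the original post, from CodeIgniter or from the HTML Purifier project): run the editor field through HTML Purifier with an explicit allow-list, so that a style attribute carrying only layout properties such as width and float survives while every other element, attribute and CSS declaration is dropped. The autoload path is a placeholder, and the element/property lists are assumptions chosen to match the markup in the post.

```php
<?php
// Added example: sanitize CKEditor output with HTML Purifier while keeping an
// allow-listed set of inline CSS properties, instead of passing the field
// through xss_clean(), which strips the whole style attribute.
//
// Assumes HTML Purifier is installed and autoloadable (e.g. via Composer);
// the require path below is a placeholder.
require_once '/path/to/vendor/autoload.php';

function purify_editor_html(string $html): string
{
    $config = HTMLPurifier_Config::createDefault();

    // Only these elements and attributes survive; anything else is removed.
    // The element list is an assumption chosen for a typical rich-text field.
    $config->set('HTML.Allowed', 'p,br,b,strong,i,em,ul,ol,li,a[href],div[style],span[style]');

    // Only these CSS properties are kept inside a style attribute. Every other
    // declaration, and any width/float value that does not parse as valid CSS,
    // is dropped, so the attribute itself no longer needs to be removed wholesale.
    $config->set('CSS.AllowedProperties', 'width,float');

    // Restrict link targets to plain web URLs.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);

    // HTML Purifier normally caches its definitions on disk; disable the cache
    // here so the example runs without a writable cache directory.
    $config->set('Cache.DefinitionImpl', null);

    $purifier = new HTMLPurifier($config);
    return $purifier->purify($html);
}

// Constructed sample input resembling the markup shown in the post.
$input = '<div style="width:400px;float:left">CONTENT HERE</div>';
echo purify_editor_html($input), PHP_EOL;
```

The width and float declarations are preserved; a style attribute containing any other property has that declaration removed rather than losing the whole attribute. Re-enable the definition cache in production, since building the definitions on every request is where most of HTML Purifier's cost goes.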



