Sanitizing rich text input - need help


Valery

Hello, everybody.

I decided to give my users a rich text editor (CLEditor). How do I sanitize the input without ruining the HTML markup?

$sanitizer->textarea(...) works just as expected--it strips out all the formatting. I would like to keep it but remove tags like <script> and other potentially dangerous items (?)

Is there a reliable approach to rich text sanitization?

Thank you in advance for your ideas, help, hints and links.


Also: turns out, the editor itself does the job of converting <'s and >'s into &lt; and &gt;

Don't count on the editor though. Make sure you are sanitizing at the server side with HTML Purifier. Rich text editors like TinyMCE and CKEditor don't do any server-side sanitization (they can't, since they are JS apps). So while it may look like they are sanitizing and validating, they can be bypassed easily. 


  • 7 months later...

Is it possible to sanitize only one tag? I want to include a textarea in a template without the paragraph formatting, but keeping all other formatting and links.

What I want is "Here's a template that includes text from a <textarea> within the template text"

What I don't want is "Here's a template that includes text from a

<textarea>

within the template text"


Sorry I really don't understand the question. But if you needed to sanitize one part and not another, I'd think you'd have to extract it before sanitizing it? You might also want to look into the HTML Purifier options as they do provide a lot of ways you can modify its behavior. For instance, you might be able to configure it to ignore some tags and not others, etc. 

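The server-side approach recommended above, as an added example (not code from this thread, from ProcessWire, or from the MarkupHTMLPurifier module): HTML Purifier configured as a whitelist so formatting and links survive while script tags, event-handler attributes and non-http(s) link schemes are dropped, plus the HTML.ForbiddenElements setting that answers the later question about removing only the paragraph tags. It assumes the ezyang/htmlpurifier library is installed via Composer; the sample input is constructed. In ProcessWire the same config keys are passed through $modules->get('MarkupHTMLPurifier')->set(...).

```php
<?php
// Added example, not the thread's or ProcessWire's own code.
// Assumes ezyang/htmlpurifier is installed via Composer.
require_once __DIR__ . '/vendor/autoload.php';

// Whitelist-style configuration: only the tags and attributes the editor
// legitimately produces are kept; everything else is removed server-side,
// regardless of what the client-side editor did or did not escape.
function makePurifier(bool $allowParagraphs = true): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Tags to keep, with the attributes allowed on each (onclick etc. are not listed, so they go).
    $config->set('HTML.Allowed', 'p,br,strong,em,u,ul,ol,li,a[href|title]');
    // Only these URI schemes survive in href; javascript: links are dropped.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
    if (!$allowParagraphs) {
        // Drop the <p> element but keep its text. This is HTML.ForbiddenElements;
        // HTML.ForbiddenAttributes only takes attribute names, not tag names.
        $config->set('HTML.ForbiddenElements', ['p']);
    }
    return new HTMLPurifier($config);
}

// Constructed sample of a POST body: the editor's own escaping cannot be
// relied on, because the request can be sent without the editor at all.
$dirty = '<p>Hello <strong>world</strong> '
       . '<a href="javascript:alert(1)" onclick="x()">link</a>'
       . '<script>alert(1)</script> <a href="https://example.com">ok</a></p>';

// Keeps <p>, <strong> and the https link; removes <script>, onclick and the javascript: href.
echo makePurifier()->purify($dirty), PHP_EOL;

// Same cleaning, but the paragraph tags are removed while their text is kept.
echo makePurifier(false)->purify($dirty), PHP_EOL;
```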

The HTML Purifier looks like an OK option.

But.... the 'MarkupHTMLPurifier' folder is in site/modules but it doesn't show up in the list of modules after a 'check for new modules'.

So

$purifier = $modules->get('MarkupHTMLPurifier');
// HTML.ForbiddenAttributes takes attribute names; to forbid the <p> tag the key is HTML.ForbiddenElements
$purifier->set('HTML.ForbiddenElements', array('p'));

results in 'Error: Call to a member function set() on a non-object'

By the way, I also have 'RandomImages.module' in my site/modules not showing up in the list either. Others work fine after uploading them to site/modules. Unzipped on the server so there should be no ftp errors.


Did you install the modules manually, or via ModulesManager (or the new built-in installer?). Double check that the module files are named correctly. I have had this exact problem when I downloaded a couple of module files manually, and OS X felt the need to add an extra ".module" at the end of them, i.e. "MarkupHTMLPurifier.module.module". Of course, that's an invalid module name format and ProcessWire didn't recognize it. Took me a little while to realize they had an extra ".module" at the end of the filenames. 


I installed them manually. Uploaded the zip file and expanded it there, removed "-master" from the folder name. There are no extra file extensions.

Let me (hopefully) install the Module Manager and see if that helps.

Edit: ModuleManager doesn't show up either :(

What about the 'built-in installer'? I'm in ProcessWire 2.3.0.

Edited by BFD Calendar

Not sure why the modules aren't showing up, but you might try deleting module related files in site/assets/cache folder and see if that helps. As for the built-in installer - you'll need a recent dev version for that feature.

Oh yeah - definitely install the modules manager - can't live without that one :)


There are two files 'Modules.23ca944d3100b563ecd52f1f9374d4c3.cache' and 'Modules.93208021ee90fbcf7e364f5ed7d1b95d.cache'.

The first one has a list of 110 module names, the second one a list of 6.

Removing them results in 'The server encountered an internal error or misconfiguration and was unable to complete your request'.

Any chance of editing the cache files in a text editor and solving the problem? Or delete them all and re-install, starting with the Modules Manager perhaps....

Edit. I manually edited 'Modules.93208021ee90fbcf7e364f5ed7d1b95d.cache' with the missing module names, and they are all back! Yay.


Glad you got it sorted out :) I have definitely had a few issues with modules disappearing in the past, but not for quite a while. I am running the latest dev, so I wonder if something was fixed recently. Give it a go - I don't think there is really any reason to stay with the stable release.


Removing them results in 'The server encountered an internal error or misconfiguration and was unable to complete your request'.

You should be able to remove these files and it will immediately re-create them. One represents the list of modules in /wire/modules/ and the other in /site/modules/. You shouldn't ever have to manually edit them (at least I never have). If you got an error after removing the file, that sounds like your file system is not writable (and it was unable to create a new one). This would also explain why it was unable to see new modules. Try enabling debug mode and doing it again, as I'm guessing you'll see an error message about file permissions. You most likely have to do a chmod -R (or the recursive equivalent through your FTP client) to add write access for your web server on /site/assets/. Note that lack of write permission to anything in your /site/assets/ could create any number of other problems too. When ProcessWire creates files in there, it makes sure they are writable. But if you transfer files yourself (via FTP or something else that doesn't include permissions) then you would have to restore such permissions. 


Thank you. Some group permissions were not writable. Strange because I've been uploading pictures and creating lots of pages that will hold pictures in the near future. It all started with adding one module, if I remember right it might have been 'AutoUpgrade'. It kept showing a message that there was a new version of ProcessWire while there wasn't. Anyway, with 'ModuleManager' I presume the FTP errors will no longer occur.
