|Issue With JForms and Filters||Mark Dexter||11/4/12 5:00 PM|
Hi all. Sorry for the cross-post, but we have a platform issue posted in the Bug Squad list that I would like to get some platform folks' opinion on.
The link to the Bug Squad list is here: https://groups.google.com/forum/?fromgroups=#!topic/joomlabugsquad/08abfrprbvE
There is also an issue in the 2.5.x tracker here: http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=29613
The issue is that in a JForm XML file, filter="HTML" appears to filter out all HTML in every case. This is because the filter is created using a whitelist with no attributes or tags. So it always filters all HTML.
I'm not sure what the intent for this filter type is. If it is to allow for selective HTML elements to be entered, it seems that we need a way in the XML file to allow for different methods (whitelist vs. blacklist) and to perhaps pass arrays of tags and attributes.
Any help on this issue will be much appreciated.
|Re: Issue With JForms and Filters||Alonzo Turner||11/5/12 8:51 AM|
It is my understanding that if you want to filter HTML for blacklisted elements, then you would use filter="safehtml". There doesn't seem to be a filter for allowing whitelisted HTML. In that case it's filter="raw" or nothing. In the CMS the com_content extension has its own filter that is applied to HTML, and the JForm object itself has an editor item with filter set to raw.
I think this is behaving exactly as it should be. I don't think this is a bug; it's a feature request. I think maybe you're looking for something along the lines of filter="extendedhtml", which would allow some but not all of the blacklisted items. I know that in my experience, safehtml is too restrictive in that it doesn't allow iframes, which have become a frequent and easy-to-implement feature of social networking buttons and widgets.
|Re: [jplatform] Re: Issue With JForms and Filters||Mark Dexter||11/5/12 10:42 AM|
Thank you. That is exactly the information I was looking for. I did a quick test and you are correct. filter="safehtml" uses the default blacklist filtering. So indeed this would be a feature request to add a new enhanced HTML filter type. Thanks again. Mark
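The behaviour discussed in this thread, as an added illustration that is not Joomla's code and not from any poster: a small Python model of a list-based filter, showing why whitelist mode with empty lists removes every tag while blacklist mode removes only listed ones. `ListFilter`, `clean`, the sample blacklist and the sample input are all constructed for this example.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample blacklist for this model; NOT Joomla's real default list.
SAMPLE_BLACKLIST = {"script", "iframe", "object", "embed"}
# Constructed sample input.
SAMPLE = '<p class="x">Hi <b>there</b></p><iframe src="https://example.org/w"></iframe>'


class ListFilter(HTMLParser):
    """Toy tag/attribute filter: dropped tags lose their markup, text is kept."""

    def __init__(self, tags=(), attrs=(), tags_whitelist=True, attrs_whitelist=True):
        super().__init__(convert_charrefs=False)
        self.tags, self.attrs = set(tags), set(attrs)
        self.tags_wl, self.attrs_wl = tags_whitelist, attrs_whitelist
        self.out = []

    @staticmethod
    def allowed(name, names, whitelist):
        # Whitelist: keep only listed names. Blacklist: keep all but listed names.
        return (name in names) if whitelist else (name not in names)

    def handle_starttag(self, tag, attrs):
        if not self.allowed(tag, self.tags, self.tags_wl):
            return
        kept = "".join(
            f' {k}="{escape(v or "", quote=True)}"'
            for k, v in attrs if self.allowed(k, self.attrs, self.attrs_wl)
        )
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if self.allowed(tag, self.tags, self.tags_wl):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def clean(html_text, **options):
    """Run the model filter; with no options it is a whitelist with empty lists."""
    flt = ListFilter(**options)
    flt.feed(html_text)
    flt.close()
    return "".join(flt.out)
```

Calling `clean(SAMPLE)` models the empty whitelist described for filter="HTML"; passing `tags=SAMPLE_BLACKLIST, tags_whitelist=False, attrs_whitelist=False` models blacklist mode, and passing a non-empty `tags` set models the selective whitelist requested in the thread.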
|Re: [jplatform] Re: Issue With JForms and Filters||Javier Gómez||11/5/12 5:14 PM|
I have added it to the Google Code-In 2012 Task List; maybe someone there can make it:
Note: if you don't think that is a task for the Code-In, feel free to delete it.