JFilterInput::_cleanTags

JFilterInput::_cleanTags oasisfleeting 11/2/12 4:44 PM
I'm working on a plugin with a param that is set to allow HTML into one of the params.
When I add this tag into the textarea it's always filtered out.
<a class="addthis_button" href="http://www.addthis.com/bookmark.php?v=300&amp;pubid=ra-5074648507240536"><img src="http://s7.addthis.com/static/btn/v2/lg-share-en.gif" width="125" height="16" alt="Bookmark and Share" style="border:0"/></a>

I stepped through JFilterInput::_cleanTags to see where the data was being stripped out and it happens after this line of code

$this->tagsArray is an empty array so all html elements are filtered.
I am logged in as super user and filtering is set to "No Filtering" for all users. 
The jformfield tag has a filter type of "HTML" and looks like this.

   <field
      name="socialButtonCode"
      type="textarea"
      default=""
      cols="40"
      rows="4"
      filter="HTML"
      label="PLG_CONTENT_SB_SOCIAL_BUTTON_CODE"
      description="PLG_CONTENT_SB_GRAB_ADDTHIS_OR_SHARETHIS" />

Is this a bug or am I missing something?

Joomla 2.5.7

Re: [jbs] JFilterInput::_cleanTags Mark Dexter 11/2/12 4:55 PM
I believe filter='HTML' means you should filter based on the default setting for the group (set in Global Configuration). By default, I believe this is supposed to be black list.

Can you make a simple test case and post it to the issue tracker? It sounds like a bug if it is not allowing any HTML. 

Thanks. Mark



--
You received this message because you are subscribed to the Google Groups "Joomla! bug Squad" group.
To view this discussion on the web visit https://groups.google.com/d/msg/joomlabugsquad/-/UngcqsuJL9YJ.
To post to this group, send email to joomlab...@googlegroups.com.
To unsubscribe from this group, send email to joomlabugsqua...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/joomlabugsquad?hl=en.

Re: [jbs] JFilterInput::_cleanTags oasisfleeting 11/2/12 5:18 PM
I submitted a test case here

The default filtering for super user is no filtering and I've also set all users to No Filtering in my testing.

I accidentally submitted the test case twice and I'm unable to delete the first one. It is missing the vote.xml file required for testing.
Re: [jbs] JFilterInput::_cleanTags oasisfleeting 11/3/12 7:16 AM
In my "Test Instructions" submitted on the tracker, I added the html I was testing with and it actually renders the html output in that area. 
Is that a bug in the trackers filtering also? 
Re: [jbs] JFilterInput::_cleanTags Elin 11/3/12 10:34 AM
It's not a bug, it is the expected behavior on the web for html to be rendered as html.

Elin
Re: [jbs] JFilterInput::_cleanTags Elin 11/3/12 10:48 AM
Sorry, posted without being finished.

I think the html filter is not going to be overridden by raw, it is going to just use the html filter plus the black list as Mark mentioned.

Elin
Re: [jbs] JFilterInput::_cleanTags oasisfleeting 11/3/12 1:50 PM
No, I successfully performed an XSS injection in the text instructions portion of the tracker.
I just edited it again now and the html does not render so either a fix was made between when I submitted the instructions and now or the bug still exists and I just can't duplicate it. 
But thanks anyway.
Re: [jbs] JFilterInput::_cleanTags oasisfleeting 11/3/12 2:31 PM
What does that mean? When using the html filter the $this->tagsArray variable is empty in JFilterInput::_cleanTags.
The default filtering for super users is No Filtering.

I don't know what you are talking about when you say "html filter being overridden by raw".
Re: JFilterInput::_cleanTags oasisfleeting 11/3/12 3:53 PM
I've confirmed this behavior in Joomla 3.0 as well.
Re: JFilterInput::_cleanTags oasisfleeting 11/4/12 6:03 AM
HTML is apparently not a valid filter type.
I stepped through the code when saving a plugin. The HTML param in JFilterInput is NOT the filters to be used. The correct filters to use are in JForm::filterField:
RULES, 
UNSET, 
RAW (this filter will allow html),
INT_ARRAY, 
SAFEHTML (this filter will allow html),
SERVER_UTC, 
USER_UTC,
URL,
TEL

Then there is a default case in the switch which will pass on the filter to the JFilterInput::getInstance()->clean($value, $filter); and all html will be filtered by default regardless of passing in $filter='HTML' in this function. 

Re: JFilterInput::_cleanTags oasisfleeting 11/4/12 6:26 AM
I believe I have identified the bug.
In libraries/joomla/form/form.php JForm::filterField

In the default switch case the instance of JFilterInput is being called like so
$return = JFilterInput::getInstance()->clean($value, $filter);
When in fact it should be called like so
$return = JFilterInput::getInstance(null, null, 1, 1)->clean($value, $filter);
By not passing the 1,1 into the function you're setting JFilterInput to filter by whitelist instead of the default blacklist. So if the user has not entered in a whitelist of safe html then everything is filtered.

Here is the param list for the JFilterInput constructor.
/**
 * Constructor for inputFilter class. Only first parameter is required.
 *
 * @param   array    $tagsArray   List of user-defined tags
 * @param   array    $attrArray   List of user-defined attributes
 * @param   integer  $tagsMethod  WhiteList method = 0, BlackList method = 1
 * @param   integer  $attrMethod  WhiteList method = 0, BlackList method = 1
 * @param   integer  $xssAuto     Only auto clean essentials = 0, Allow clean blacklisted tags/attr = 1
 *
 * @since   11.1
 */

And here is the signature

public function __construct($tagsArray = array(), $attrArray = array(), $tagsMethod = 0, $attrMethod = 0, $xssAuto = 1)
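The whitelist-versus-blacklist behaviour described in the two posts above (the default switch case in JForm::filterField handing the value to JFilterInput::getInstance()->clean(), and the $tagsMethod / $attrMethod flags of the constructor) is easier to see with a small model. The block below is an added example for this thread, not Joomla's code: a toy tag filter in Python whose mode flags use the same 0 = whitelist, 1 = blacklist encoding as the constructor parameters quoted above. BUILTIN_TAG_BLACKLIST is a constructed stand-in for Joomla's internal list (the real one is longer), the event-handler rule is a stand-in for the $xssAuto behaviour, and the sample input is the share-button snippet from the first post.

```python
"""Toy model of whitelist-vs-blacklist tag filtering.

Constructed example for this thread; it is NOT Joomla's JFilterInput, only a
model of the $tagsMethod / $attrMethod semantics described in the posts above.
"""
from html import escape
from html.parser import HTMLParser

WHITELIST, BLACKLIST = 0, 1   # same encoding as the constructor params quoted above

# Constructed stand-in for the built-in blacklist applied in blacklist mode;
# Joomla's real list lives inside JFilterInput and is longer than this.
BUILTIN_TAG_BLACKLIST = {"script", "iframe", "object", "embed", "style", "meta", "link"}
VOID_TAGS = {"img", "br", "hr", "input"}


class TagFilter(HTMLParser):
    """Rebuilds the markup, dropping tags and attributes the current mode rejects."""

    def __init__(self, tags=(), attrs=(), tags_method=WHITELIST, attr_method=WHITELIST):
        super().__init__(convert_charrefs=False)
        self.tags = {t.lower() for t in tags}
        self.attrs = {a.lower() for a in attrs}
        self.tags_method = tags_method
        self.attr_method = attr_method
        self.out = []

    def tag_allowed(self, tag):
        if self.tags_method == WHITELIST:
            return tag in self.tags            # empty whitelist: every tag is removed
        return tag not in (self.tags | BUILTIN_TAG_BLACKLIST)

    def attr_allowed(self, name):
        if name.startswith("on"):              # event-handler attributes never survive
            return False
        if self.attr_method == WHITELIST:
            return name in self.attrs          # empty whitelist: every attribute is removed
        return name not in self.attrs

    def handle_starttag(self, tag, attrs):
        if not self.tag_allowed(tag):
            return                             # drop the tag but keep its inner text
        kept = "".join(
            f' {n}="{escape(v, quote=True)}"' if v is not None else f" {n}"
            for n, v in attrs if self.attr_allowed(n)
        )
        self.out.append(f"<{tag}{kept}/>" if tag in VOID_TAGS else f"<{tag}{kept}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.tag_allowed(tag):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def clean(html, tags=(), attrs=(), tags_method=WHITELIST, attr_method=WHITELIST):
    """Filter `html` under the given tag/attribute mode and return the result."""
    f = TagFilter(tags, attrs, tags_method, attr_method)
    f.feed(html)
    f.close()
    return "".join(f.out)


# The share-button snippet from the first post in this thread.
SNIPPET = ('<a class="addthis_button" href="http://www.addthis.com/bookmark.php?v=300&amp;pubid=ra-5074648507240536">'
           '<img src="http://s7.addthis.com/static/btn/v2/lg-share-en.gif" width="125" height="16" '
           'alt="Bookmark and Share" style="border:0"/></a>')

if __name__ == "__main__":
    # getInstance() with default arguments: whitelist mode with empty lists, nothing survives
    print(repr(clean(SNIPPET)))
    # getInstance(null, null, 1, 1): blacklist mode, the snippet survives, blacklisted tags do not
    print(clean(SNIPPET, tags_method=BLACKLIST, attr_method=BLACKLIST))
    print(clean("<b>hi</b><script>alert(1)</script>", tags_method=BLACKLIST, attr_method=BLACKLIST))
    # Elin's alternative: stay in whitelist mode but list what the plugin actually needs
    print(clean(SNIPPET, tags=["a", "img"], attrs=["href", "src", "alt"]))
```

With the default arguments the output for the snippet is the empty string, which is exactly the symptom in the first post: an empty whitelist admits no tag at all, and the `<a>` and `<img>` elements carry no text to leave behind. Blacklist mode returns the snippet unchanged while still removing a blacklisted `<script>` tag, and the last call shows the per-plugin whitelist Elin suggests, which keeps the tags and attributes the button needs and drops the rest.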
Re: [jbs] JFilterInput::_cleanTags Elin 11/4/12 5:08 PM
You have specified the html filter in your field. Having a less restrictive filter as the default for the group is not going to override that, that filter in the field is going to override the less restrictive one. 

Elin
Re: JFilterInput::_cleanTags Elin 11/4/12 5:25 PM
So the filtering is acting as expected but the question is ... would you want to by default check a black list that most people have not set and is blank by default. It would certainly be an interesting filter that uses a blank black list :). On the whole Joomla is going to by default be extremely strong in the assumption that all user input is malevolent. Therefore it is up to the developer to make a conscious decision to increase risk, it is not something that the core is going to be responsible for. Not knowing what your plugin does, I think you might want to require users to add to the white list.

Elin
Re: [jbs] Re: JFilterInput::_cleanTags Admin 11/4/12 7:11 PM
The filtering is working as expected if you consider filter="HTML" to be an invalid value for the filter attribute.
Re: JFilterInput::_cleanTags Elin 11/5/12 12:04 PM
Actually the blacklist is not blank by default, it does include a basic list of tags.

Elin