|JFilterInput::_cleanTags||oasisfleeting||11/2/12 4:44 PM|
I'm working on a plugin with a param that is set to allow HTML into one of the params.
When I add this tag into the textarea it's always filtered out.
<a class="addthis_button" href="http://www.addthis.com/bookmark.php?v=300&pubid=ra-5074648507240536"><img src="http://s7.addthis.com/static/btn/v2/lg-share-en.gif" width="125" height="16" alt="Bookmark and Share" style="border:0"/></a>
I stepped through JFilterInput::_cleanTags to see where the data was being stripped out and it happens after this line of code
$this->tagsArray is an empty array so all html elements are filtered.
I am logged in as super user and filtering is set to "No Filtering" for all users.
The jformfield tag has a filter type of "HTML" and looks like this.
Is this a bug or am I missing something?
|Re: [jbs] JFilterInput::_cleanTags||Mark Dexter||11/2/12 4:55 PM|
I believe filter='HTML' means you should filter based on the default setting for the group (set in Global Configuration). By default, I believe this is supposed to be black list.
Can you make a simple test case and post it to the issue tracker? It sounds like a bug if it is not allowing any HTML.
|Re: [jbs] JFilterInput::_cleanTags||oasisfleeting||11/2/12 5:18 PM|
I submitted a test case here
The default filtering for super user is no filtering and I've also set all users to No Filtering in my testing.
I accidentally submitted the test case twice and I'm unable to delete the first one. It is missing the vote.xml file required for testing.
|Re: [jbs] JFilterInput::_cleanTags||oasisfleeting||11/3/12 7:16 AM|
In my "Test Instructions" submitted on the tracker, I added the html I was testing with and it actually renders the html output in that area.
Is that a bug in the tracker's filtering also?
|Re: [jbs] JFilterInput::_cleanTags||Elin||11/3/12 10:34 AM|
It's not a bug, it is the expected behavior on the web for html to be rendered as html.
|Re: [jbs] JFilterInput::_cleanTags||Elin||11/3/12 10:48 AM|
Sorry, posted without being finished.
I think the html filter is not going to be overridden by raw, it is going to just use the html filter plus the black list as Mark mentioned.
|Re: [jbs] JFilterInput::_cleanTags||oasisfleeting||11/3/12 1:50 PM|
No, I successfully performed an xss injection in the text instructions portion of the tracker.
I just edited it again now and the html does not render, so either a fix was made between when I submitted the instructions and now, or the bug still exists and I just can't duplicate it.
But thanks anyway.
|oasisfleeting||11/3/12 1:52 PM||<This message has been deleted.>|
|Re: [jbs] JFilterInput::_cleanTags||oasisfleeting||11/3/12 2:31 PM|
What does that mean? When using the html filter the $this->tagsArray variable is empty in JFilterInput::_cleanTags.
The default filtering for super users is No Filtering.
I don't know what you are talking about when you say "html filter being overridden by raw".
|Re: JFilterInput::_cleanTags||oasisfleeting||11/3/12 3:53 PM|
I've confirmed this behavior in joomla 3.0 as well.
|Re: JFilterInput::_cleanTags||oasisfleeting||11/4/12 6:03 AM|
HTML is apparently not a valid filter type.
I stepped through the code when saving a plugin. The HTML param in JFilterInput is NOT the filter to be used. The correct filters to use are in JForm::filterField:
RAW (this filter will allow html),
SAFEHTML (this filter will allow html),
Then there is a default case in the switch which will pass on the filter to the JFilterInput::getInstance()->clean($value, $filter); and all html will be filtered by default regardless of passing in $filter='HTML' in this function.
|Re: JFilterInput::_cleanTags||oasisfleeting||11/4/12 6:26 AM|
I believe I have identified the bug.
In libraries/joomla/form/form.php, JForm::filterField
In the default switch case the instance of JFilterInput is being called like so
$return = JFilterInput::getInstance()->clean($value, $filter);
When in fact it should be called like so
$return = JFilterInput::getInstance(null, null, 1, 1)->clean($value, $filter);
By not passing the 1,1 into the function you're setting JFilterInput to filter by whitelist instead of the default blacklist. So if the user has not entered in a whitelist of safe html then everything is filtered.
Here is the param list for the JFilterInput constructor.
* Constructor for inputFilter class. Only first parameter is required.
* @param array $tagsArray List of user-defined tags
* @param array $attrArray List of user-defined attributes
* @param integer $tagsMethod WhiteList method = 0, BlackList method = 1
* @param integer $attrMethod WhiteList method = 0, BlackList method = 1
* @param integer $xssAuto Only auto clean essentials = 0, Allow clean blacklisted tags/attr = 1
* @since 11.1
And here is the signature
public function __construct($tagsArray = array(), $attrArray = array(), $tagsMethod = 0, $attrMethod = 0, $xssAuto = 1)
|Re: [jbs] JFilterInput::_cleanTags||Elin||11/4/12 5:08 PM|
You have specified the html filter in your field. Having a less restrictive filter as the default for the group is not going to override that; the filter in the field is going to override the less restrictive one.
|Re: JFilterInput::_cleanTags||Elin||11/4/12 5:25 PM|
So the filtering is acting as expected, but the question is ... would you want to by default check a black list that most people have not set and is blank by default? It would certainly be an interesting filter that uses a blank black list :). On the whole Joomla is going to by default be extremely strong in the assumption that all user input is malevolent. Therefore it is up to the developer to make a conscious decision to increase risk; it is not something that the core is going to be responsible for. Not knowing what your plugin does, I think you might want to require users to add to the white list.
|Re: [jbs] Re: JFilterInput::_cleanTags||Admin||11/4/12 7:11 PM|
The filtering is working as expected if you consider filter="HTML" to be an invalid value for the filter attribute.
--To view this discussion on the web visit https://groups.google.com/d/msg/joomlabugsquad/-/lAYm6VYP3zYJ.
|Re: JFilterInput::_cleanTags||Elin||11/5/12 12:04 PM|
Actually the blacklist is not blank by default, it does include a basic list of tags.
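The three situations argued over in this thread (an empty tagsArray in whitelist mode, as produced by the getInstance() call quoted from JForm::filterField; a blank black list; and the basic default black list mentioned in the last reply), as an added Python model that is not Joomla's JFilterInput code. It reimplements only the tagsMethod semantics from the constructor docblock and runs them over the share-button markup from the first post; the "basic" black list it uses is a constructed sample, not the list Joomla actually ships.

```python
import re

# Constructed sample: the share-button markup from the first post in the thread.
SAMPLE = (
    '<a class="addthis_button" href="http://www.addthis.com/bookmark.php?'
    'v=300&pubid=ra-5074648507240536"><img src="http://s7.addthis.com/static/'
    'btn/v2/lg-share-en.gif" width="125" height="16" alt="Bookmark and Share" '
    'style="border:0"/></a>'
)

# Matches an opening, closing or self-closing tag and captures its name.
TAG_RE = re.compile(r'</?\s*([A-Za-z][A-Za-z0-9]*)[^>]*>')

WHITELIST, BLACKLIST = 0, 1   # the tagsMethod values from the docblock


def clean_tags(text, tags_array=(), tags_method=WHITELIST):
    """Simplified model of tagsMethod: with WHITELIST a tag survives only if
    its name is in tags_array; with BLACKLIST it is removed only if it is.
    Removed tags lose their markup but keep any text between them."""
    names = {t.lower() for t in tags_array}

    def decide(match):
        listed = match.group(1).lower() in names
        keep = listed if tags_method == WHITELIST else not listed
        return match.group(0) if keep else ''

    return TAG_RE.sub(decide, text)


def default_instance(text):
    # What JForm::filterField's default case gets: getInstance() with no
    # arguments, i.e. an empty tagsArray in whitelist mode, so every tag goes.
    return clean_tags(text, (), WHITELIST)


def empty_blacklist(text):
    # The hypothetical "blank black list" from the thread: nothing is removed.
    return clean_tags(text, (), BLACKLIST)


# Constructed stand-in for the "basic list of tags" mentioned in the last
# reply; it is an assumption here, not the list Joomla actually ships.
BASIC_BLACKLIST = ('script', 'iframe', 'object', 'embed', 'style')


def basic_blacklist(text):
    # getInstance(null, null, 1, 1) with a populated default black list.
    return clean_tags(text, BASIC_BLACKLIST, BLACKLIST)
```

Passing ('a', 'img') to clean_tags in whitelist mode is the per-plugin white list the last two replies ask the developer to require, and it lets the sample through untouched.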