tinyMCE styles lost after posting

Jan 22, 2013 at 9:06 AM

Hi,

As far as the tinyMCE editor is concerned, there is a limitation when posting a message with different text color, font style or size. All style is removed when the message gets posted. Is it the way it is supposed to work? Is it cut by the CSS?

Thanks

Vince

Coordinator
Jan 22, 2013 at 12:34 PM

Hi Vince,

This is a very "sensitive" subject :)

I took the decision to use HTML for posts and sanitize it (keep the dangerous stuff)... including the style attribute... It is a "whitelist security" approach and the idea was to avoid XSS attacks and styling spam but probably it can be too limiting for some cases...

It should clean the styles but not the class, that means that (ideally) the site admin can decide which classes to allow.

That is one thing (1). There are several ways to improve this and we should be really open for discussion on this (what about Markdown?).

The other thing (2) is that while I was trying to explain this, I tested and I found out that even using the "styles" drop-down list from the tinymce the class gets removed while sanitized... this is a bug (the other is not).


Sorry for the long reply... What did you mean, about the bug or the other?

Kind Regards,

Jorge
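The whitelist approach Jorge describes (drop `style` and event-handler attributes, keep `class` but only with admin-approved values), written out as an added Python illustration that is not the project's own code; the tag, attribute and class lists and the sample posts are constructed assumptions:

```python
from html import escape
from html.parser import HTMLParser
# Constructed whitelist: anything not listed (style, on* handlers, unknown tags) is dropped, text is kept.
ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "ul", "ol", "li", "span", "a"}
ALLOWED_ATTRS = {"class", "href"}
ALLOWED_CLASSES = {"quote", "highlight"}   # assumed admin-configured list of allowed classes
SAFE_SCHEMES = ("http://", "https://", "mailto:")
DROP_WITH_CONTENT = {"script", "style"}    # both the tag and its text are removed

class WhitelistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # >0 while inside a tag whose content is dropped

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS:
                continue  # style="..." and onclick="..." are discarded here
            if name == "class":
                classes = [c for c in value.split() if c in ALLOWED_CLASSES]
                if not classes:
                    continue  # no approved class left: drop the attribute, keep the tag
                value = " ".join(classes)
            elif name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # rejects javascript: and other unexpected schemes
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # re-escape decoded text

def sanitize(post_html):
    parser = WhitelistSanitizer()
    parser.feed(post_html)
    parser.close()  # flushes trailing text held by the parser
    return "".join(parser.out)
```

With this split, the "styles" drop-down case from the thread (a tag carrying only a class) survives as long as the class is on the admin's list, while inline colours and fonts set through `style` are removed.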

Jan 22, 2013 at 1:27 PM

Hi Jorge,

Honestly, I didn't try and find any bug. I thought there was a restriction as you mentioned.
Is there any way to bypass and get the full html post from tinymce?
Txs
Vince

Coordinator
Jan 22, 2013 at 2:04 PM

Hi,

Short answer, no...

Reason: To prevent XSS attacks (very, very, very common on online sites).


Anyway, I'll try to work on a fix for the "remove class attribute" issue that we unintentionally found :D

Kind regards,

Jorge

Jan 22, 2013 at 4:40 PM

Hi Jorge,

The forum I have created is for internal use only. I understand public forums have to be protected from XSS attacks. To access the forum users must log in, and I know all users (around 30); I'm sure they are not web hackers.

What do you think ?

Regards