Topic: Sanitising HTML
tuatara (Support Subscriber)
« on: May 14, 2008, 11:22 PM »

I'm intending to allow HTML in my comments, but I'm wary of introducing XSS vulnerabilities. I was planning to use the HTML Purifier library to sanitise the HTML, but I can't see a MODx event that fires when a new comment is posted. Is there any event that will include posting comments? How difficult would it be to add an event into the Jot code?

Thanks for any help ...

Cheers
Matt

Uncle68 (Moderators)
« Reply #1 on: May 15, 2008, 04:54 AM »

Sorry, I don't have the answer to your question, but I just wanted to thank you for the tip! HTML Purifier solves problems I was struggling with yesterday.

If we have a "recommended tools" section on the forum we should put it there.


Dr. Scotty Delicious (Coding Team)
« Reply #2 on: Jun 12, 2008, 06:06 AM »

I have a modified version of Jot 1.1.3 which uses HTML purifier.
I wrote an extension class for the purifier that also changes <b> tags to <strong>, <i> tags to <em>, and <s> & <strike> tags to <del>.
I set a require for the extension class in jot.class.inc.php and then call the public static function Purify::Clean($_POST['content']);

It uses HTML Purifier 3.1.0, so of course it is PHP 5 only.

I would be happy to share my modifications with you if you are interested.

See it in action at my site: http://scottydelicious.com/

-sD-
Dr. Scotty Delicious, DFPA.

We pillage, we plunder, we rifle and loot. Drink up me 'earties, Yo Ho!
We kidnap and ravage and don't give a hoot. Drink up me 'earties, Yo Ho!
Yo Ho, Yo Ho! A pirate's life for me.

tuatara (Support Subscriber)
« Reply #3 on: Jun 16, 2008, 03:48 AM »

> I would be happy to share my modifications with you if you are interested.

Yes please!

Cheers
Matt

Dr. Scotty Delicious (Coding Team)
« Reply #4 on: Jun 16, 2008, 04:36 AM »

First... Safety!
Make a backup of the folder "/assets/snippets/jot/".
Also, remember that this modification will only work on a server running PHP 5.
PHP 4 will throw fatal errors.

Download my Jot 1.1.3 modifications.

This archive unzips to a folder with the file "jot.class.inc.php". Upload this file to "/assets/snippets/jot/" and overwrite or replace the existing file.
There is also a folder in the archive called "includes". Upload the contents of this folder to "/assets/snippets/jot/includes/".

This is the class I wrote to purify the post as well as the HTML Purifier 3.1.0 library.

I have modified jot.class.inc.php to include my class and use it as a filter. Additionally, I have modified the jot class to send notifications as HTML instead of as plain text. This gives you a greater deal of flexibility in your notification templates.

-sD-
Dr. Scotty Delicious, DFPA.


davidm (Marketing & Design Team)
« Reply #5 on: Jun 16, 2008, 08:46 AM »

There is an HTML Purifier plugin for MODx, and it has been developed by the author of HTML Purifier:
http://htmlpurifier.org/svnroot/htmlpurifier/trunk/plugins/modx.txt

You can also look at this thread:
http://modxcms.com/forums/index.php/topic,6604.0.html

And more recently:
http://htmlpurifier.org/phorum/read.php?3,1866


.: nodeo.net : For a free, modern and open web! :: david-molliere.net : Follow my experiments and posts on CMSs and other web applications "live" :.

*** modxcms.fr forums: Take part in building the French-language MODx site! ***

! New ! Live, don't miss the modxcms.fr news on Twitter ! New !

MODx is the ideal tool for developers and web designers looking for a highly flexible, high-performance content management framework that remains easy to use for end users.

Config: Apache 2.2.8 - MySQL 5.0.45 - PHP 5.2.6 | Debian 4.0 (Etch)

Sites built with MODx: | pargade-notaires.fr | soleil.info | gican.asso.fr | michelez-notaires.com | amadom.gerondicap.com | jocelyne-violet.net

tuatara (Support Subscriber)
« Reply #6 on: Jun 16, 2008, 04:14 PM »

> There is an HTML Purifier plugin for MODx, and it has been developed by the author of HTML Purifier:

Yeah, I tried that. But the plugin works on content edited in the manager, and I'm not at all concerned about what is done in the manager. It's specifically comments that concern me, and the plugin won't do anything to those. (Will it? ... unless I'm missing something?)

Cheers
Matt

tuatara (Support Subscriber)
« Reply #7 on: Jun 16, 2008, 04:16 PM »

> I have modified jot.class.inc.php to include my class and use it as a filter. Additionally, I have modified the jot class to send notifications as HTML instead of as plain text. This gives you a greater deal of flexibility in your notification templates.

Thanks Scotty ;-). I have some modifications of my own to Jot so I'll need to merge the two; it'll take me a week or so (I'm taking a break) but I shall report back!

Cheers
Matt

Dr. Scotty Delicious (Coding Team)
« Reply #8 on: Jun 16, 2008, 05:44 PM »

> There is an HTML Purifier plugin for MODx, and it has been developed by the author of HTML Purifier [...]

That's true, but it only fires on OnBeforeDocFormSave.
The trouble is, the appropriate events for purifying HTML only seem to be fired in the Manager.
I guess what I should try is invoking OnBeforeDocFormSave from Jot.

> Thanks Scotty ;-). I have some modifications of my own to Jot so I'll need to merge the two; it'll take me a week or so (I'm taking a break) but I shall report back!
>
> Cheers
> Matt

No problem Matt. I put this together when I was redesigning my site. I thought I was going to provide a WYSIWYG RTE for comments, but I find that HTML Purifier's AutoFormat.AutoParagraph and AutoFormat.Linkify work great, so at this point I am on the fence about adding an RTE.

-sD-
Dr. Scotty Delicious, DFPA.
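The wrapper the thread describes, a static Purify::Clean() that maps <b>, <i>, <s> and <strike> to their semantic equivalents and then runs HTML Purifier with AutoFormat.AutoParagraph and AutoFormat.Linkify, written out as an added example; it is not Dr. Scotty Delicious's actual class. It assumes HTML Purifier 4.x on the include path (the two-argument set() is 4.x syntax; 3.1.0, the version used in the thread, took set('AutoFormat', 'AutoParagraph', true)), and the sample comment is constructed.

```php
<?php
// Added example, not the class from the thread: a Purify::Clean() wrapper
// around HTML Purifier. Assumes HTML Purifier 4.x on the include path
// (3.1.0 used the three-argument set('Namespace', 'Key', $value) form).
require_once 'HTMLPurifier.auto.php';

class Purify
{
    private static $purifier = null;

    private static function purifier()
    {
        if (self::$purifier === null) {
            $config = HTMLPurifier_Config::createDefault();
            // Whitelist, not blacklist: only these elements and attributes
            // survive. script, style, event handlers and anything else not
            // listed are dropped, which is what actually stops the XSS.
            $config->set('HTML.Allowed',
                'p,br,strong,em,del,a[href],blockquote,code,pre,ul,ol,li');
            // javascript: is rejected by default already; narrowing to
            // http/https also drops mailto:/ftp: links in comments.
            $config->set('URI.AllowedSchemes', array('http' => true, 'https' => true));
            // The two options mentioned in the thread: wrap bare text in
            // <p> and turn plain URLs into links.
            $config->set('AutoFormat.AutoParagraph', true);
            $config->set('AutoFormat.Linkify', true);
            $config->set('HTML.Nofollow', true); // comment spam gains no link value
            self::$purifier = new HTMLPurifier($config);
        }
        return self::$purifier;
    }

    public static function Clean($html)
    {
        // Map presentational tags to semantic ones first. \b keeps <b> from
        // matching <blockquote> and <s> from matching <script>. This runs on
        // raw input, but the purifier runs after it, so anything the regex
        // misses or mangles is still validated against the whitelist.
        $semantic = preg_replace(
            array('#<(/?)b\b[^>]*>#i', '#<(/?)i\b[^>]*>#i', '#<(/?)(?:s|strike)\b[^>]*>#i'),
            array('<${1}strong>', '<${1}em>', '<${1}del>'),
            $html
        );
        return self::purifier()->purify($semantic);
    }
}

// Constructed sample comment, standing in for Jot's $_POST['content'].
$dirty = "Nice <b>post</b>! <script>alert(1)</script><a href=\"javascript:alert(1)\" onclick=\"x()\">click</a>\n\nSee http://example.com";
echo Purify::Clean($dirty);
```

The script element, the javascript: href and the onclick handler never reach the output; the bare URL comes back as a nofollow link and the bare text wrapped in paragraphs.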
Ambush Commander (Jr. Member)
« Reply #9 on: Jun 16, 2008, 08:35 PM »

Hello Dr. Scotty Delicious,

It's great to see that someone else has stepped up to the plate to have an updated plugin of HTML Purifier for Modx. There is a plugin, but it's somewhat untested as I don't use Modx, and it has problems with HTML Purifier 3.1 (I've got an updated version pending for that).

Would you like me to link to your plugin for Jot on the HTML Purifier home page?

Cheers,
Edward

Dr. Scotty Delicious (Coding Team)
« Reply #10 on: Jun 16, 2008, 10:45 PM »

> Hello Dr. Scotty Delicious,
>
> It's great to see that someone else has stepped up to the plate to have an updated plugin of HTML Purifier for Modx. There is a plugin, but it's somewhat untested as I don't use Modx, and it has problems with HTML Purifier 3.1 (I've got an updated version pending for that).
>
> Would you like me to link to your plugin for Jot on the HTML Purifier home page?
>
> Cheers,
> Edward

Sure, but it would be good to specifically note that it is not a system wide plugin, but merely a modification of the Jot snippet with a class for purifying the HTML that is passed in by Jot's $comment['content'] variable.

I think what I may do is make another modification of the jot.class.inc.php file to invoke the OnBeforeDocFormSave system event so that a plugin like yours will work with comments. I might also try to put together a plugin that can purify any form submitted on the front end. That might be better for the Jot upgrade path and also a bit more universal so it can be used with the eForm snippet (or any form in the front end).

-sD-
Dr. Scotty Delicious, DFPA.

rthrash (Foundation)
« Reply #11 on: Jun 17, 2008, 07:27 AM »

Feel free to modify Jot to your heart's content. Armand is letting the community take over the 096x release and making it more functional for the tens of thousands of sites that will still be running that version will be greatly appreciated. You might want to head on over to the JIRA install and start committing to the project itself, too, once you get it sorted to your liking.

MODx is a framework that allows web professionals to turn over sites to end-users for daily maintenance without worrying. Community participation and questions are encouraged, especially when you help us help you, read the wiki, and review snippet parameters – even if you have to look at the source. Searching the forums helps, too.
Ryan Thrash
MODx Co-Founder
Principal @ Collabpad
work productively.
work intelligently.
work together.

Dr. Scotty Delicious (Coding Team)
« Reply #12 on: Jun 17, 2008, 06:42 PM »

> Feel free to modify Jot to your heart's content. Armand is letting the community take over the 096x release and making it more functional for the tens of thousands of sites that will still be running that version will be greatly appreciated. You might want to head on over to the JIRA install and start committing to the project itself, too, once you get it sorted to your liking.

Yeah, no problem.

Well... small problem. I got my Crucible and Fisheye username and password a long time ago. I don't have a clue what it is. Can it be reset?

-sD-
Dr. Scotty Delicious, DFPA.

rthrash (Foundation)
« Reply #13 on: Jun 17, 2008, 07:58 PM »

Yes indeed: http://svn.modxcms.com/jira/secure/ForgotPassword!default.jspa but you'll have to recall your username.

Dr. Scotty Delicious (Coding Team)
« Reply #14 on: Jun 18, 2008, 05:52 AM »

I posted a full featured plugin here: http://modxcms.com/HTML-Purifier-for-Forms-Plugin-2096.html

No Jot hackery needed.

-sD-
Dr. Scotty Delicious, DFPA.