Joomla! Issue Tracker | Joomla! CMS #34518 - [4.0] Expand the allowed list for the HTML sanitiser

NPM Resource Changed ? ?

Fixed in Code Base
29 Jun 2021
Medium
Build: 4.0-dev
# 34518
Diff
dgrammatiko:patch-2

Pending

User tests: Successful: Unsuccessful:

dgrammatiko
14 Jun 2021

Pull Request for Issue # .

Summary of Changes

By default, the sanitiser will remove all the form elements. This PR changes this behaviour so form elements would not disappear (on* events will still be removed).
The list of attributes comes directly from the MDN: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input#attributes

Testing Instructions

Apply the PR
Goto admin dashboard and open the browser console
pass some HTML to the sanitiser and check the result:

Joomla.sanitizeHtml(`<input type="text" onchange="alert('nope')" >`);

Check more attributes and elements (button, select, textarea)

Actual result BEFORE applying this Pull Request

Too strict

Expected result AFTER applying this Pull Request

Less strict

Documentation Changes Required

197d8c2 14 Jun 2021

Expand the allowed list for the HTML sanitiser

dgrammatiko - open - 14 Jun 2021

dgrammatiko - change - 14 Jun 2021

Status

New

⇒

Pending

joomla-cms-bot - change - 14 Jun 2021

Category

⇒

JavaScript Repository NPM Change

ac16f34 14 Jun 2021

Update core.es6.js

dgrammatiko - change - 14 Jun 2021

Labels

Added: NPM Resource Changed ?

1fe402d 14 Jun 2021

Update core.es6.js

RickR2H - comment - 23 Jun 2021

@dgrammatiko I applied the patch and added to the console: Joomla.sanitizeHtml(<input type="text" onchange="alert('nope')" >);
Got the following in return: "<input type="text">"

Is this correct?

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/34518.}

dgrammatiko - comment - 25 Jun 2021

Is this correct?

Yes, the onchange="alert('nope')" is Javascript so correctly was removed by the sanitizer

RickR2H - test_item - 25 Jun 2021 - Tested successfully

RickR2H - comment - 25 Jun 2021

I have tested this item ✅ successfully on 1fe402d

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/34518.}

jwaisner - test_item - 29 Jun 2021 - Tested successfully

jwaisner - comment - 29 Jun 2021

I have tested this item ✅ successfully on 1fe402d

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/34518.}

jwaisner - change - 29 Jun 2021

Status

Pending

⇒

Ready to Commit

jwaisner - comment - 29 Jun 2021

RTC

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/34518.}

wilsonge - change - 29 Jun 2021

Status	Ready to Commit	⇒	Fixed in Code Base
Closed_Date	0000-00-00 00:00:00	⇒	2021-06-29 08:38:03
Closed_By		⇒	wilsonge
Labels	Added: ?

wilsonge - close - 29 Jun 2021

wilsonge - merge - 29 Jun 2021

wilsonge - comment - 29 Jun 2021

Thanks!

Add a Comment

Older
Newer

Joomla! Issue Tracker - CMS

[#34518] - [4.0] Expand the allowed list for the HTML sanitiser

Summary of Changes

Testing Instructions

Actual result BEFORE applying this Pull Request

Expected result AFTER applying this Pull Request

Documentation Changes Required

Add a Comment