Pull Request for Issue # .
By default, the sanitiser will remove all the form elements. This PR changes this behaviour so form elements would not disappear (on* events will still be removed).
The list of attributes comes directly from the MDN: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input#attributes
Apply the PR
Go to the admin dashboard and open the browser console
Pass some HTML to the sanitiser and check the result:
Joomla.sanitizeHtml(`<input type="text" onchange="alert('nope')" >`);
Check more attributes and elements (button, select, textarea)
Too strict
Less strict
Status | New | ⇒ | Pending |
Category | ⇒ | JavaScript Repository NPM Change |
Labels | Added: NPM Resource Changed ? |
Is this correct?
Yes, the onchange="alert('nope')" is JavaScript, so it was correctly removed by the sanitizer
I have tested this item
I have tested this item
Status | Pending | ⇒ | Ready to Commit |
RTC
Status | Ready to Commit | ⇒ | Fixed in Code Base |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2021-06-29 08:38:03 |
Closed_By | ⇒ | wilsonge | |
Labels | Added: ? |
Thanks!
@dgrammatiko I applied the patch and added to the console: Joomla.sanitizeHtml(`<input type="text" onchange="alert('nope')" >`);
Got the following in return: "<input type="text">"
Is this correct?
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/34518.
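The behaviour discussed in this thread (form controls are kept, on* handlers are dropped), as an added example that is not Joomla's implementation or code from this PR. The allowlist contents, the names filterAttributes and isSafeUrl, and the URL-scheme check on formaction are assumptions of this example; it works on plain attribute objects so it runs without a DOM.

```javascript
// Added example, not Joomla's code. Allowlist contents are a constructed subset.
const ALLOW = new Map([
  ['*', new Set(['class', 'id', 'title', 'dir', 'lang', 'role'])],
  ['input', new Set(['type', 'name', 'value', 'placeholder', 'required', 'disabled', 'formaction'])],
  ['button', new Set(['type', 'name', 'value', 'disabled', 'formaction'])],
  ['select', new Set(['name', 'multiple', 'required', 'disabled'])],
  ['textarea', new Set(['name', 'rows', 'cols', 'placeholder', 'required'])],
]);
// Attributes whose value is a URL the browser may navigate or submit to.
const URL_ATTRS = new Set(['formaction', 'action', 'href', 'src']);

// Assumption of this example: only relative URLs and http(s) are acceptable.
function isSafeUrl(value) {
  // Browsers ignore tab/CR/LF and leading control characters when parsing a URL,
  // so normalise the same way before looking for a scheme.
  const v = value.replace(/[\t\n\r]/g, '').replace(/^[\u0000-\u0020]+/, '');
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(v);
  return scheme === null || /^https?$/i.test(scheme[1]);
}

// Returns the attributes that survive, or null when the element is not allowed.
function filterAttributes(tagName, attrs) {
  const tag = tagName.toLowerCase();
  const perTag = tag === '*' ? undefined : ALLOW.get(tag);
  if (!perTag) return null;
  const kept = {};
  for (const [rawName, value] of Object.entries(attrs)) {
    const name = rawName.toLowerCase();
    if (name.startsWith('on')) continue; // event handlers never survive
    if (!perTag.has(name) && !ALLOW.get('*').has(name)) continue;
    if (URL_ATTRS.has(name) && !isSafeUrl(String(value))) continue;
    kept[name] = value;
  }
  return kept;
}

// Constructed inputs; the first mirrors the test string used in this thread.
console.log(filterAttributes('input', { type: 'text', onchange: "alert('nope')" }));
console.log(filterAttributes('button', { type: 'submit', formaction: 'java\tscript:void(0)' }));
console.log(filterAttributes('button', { type: 'submit', formaction: '/index.php?task=save' }));
console.log(filterAttributes('script', { src: 'https://example.org/x.js' }));
```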