Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#43243] - Turning off filtering for tinymce destroys article layout

No Code Attached Yet
avatar N6REJ
N6REJ
10 Apr 2024

Steps to reproduce the issue

have default text filtering turned
as SU create an article that uses html 5
save article and view it.
turn filtering off and edit same article.
save article
view article again

Expected result

article visual layout will not have changed.

image
image
image

Actual result

display is completely destroyed.

image
image
image

System information (as much as possible)

systeminfo-2024-04-10T08_28_02+00_00.txt

Additional comments

the html code used in the article is as follows

<h2 class="text-danger text-center"><i class="fa fa-shield-alt fa-lg"></i> <b>Security release!</b> <i class="fa fa-shield-alt fa-lg padding-horiz-30"></i></h2>
<div class="accordion accordion-flush" id="accordionFlushExample">
<div class="accordion-item">
<h2 class="accordion-header" id="flush-headingOne"><button class="accordion-button collapsed" type="button" data-bs-toggle="collapse" data-bs-target="#flush-collapseOne" aria-expanded="false" aria-controls="flush-collapseOne"> Vulnerability List </button></h2>
<div id="flush-collapseOne" class="accordion-collapse collapse" aria-labelledby="flush-headingOne" data-bs-parent="#accordionFlushExample">
<div class="apcontents"><!-- PLACE ARTICLE CONTENT FOR VULNERABILITY HERE -->
<dl>
<dt>
<h3 id="CVE-2023-38709">moderate: <name name="CVE-2023-38709">Apache HTTP Server: HTTP response splitting</name> (<a href="https://www.cve.org/CVERecord?id=CVE-2023-38709">CVE-2023-38709</a>)</h3>
</dt>
<dd>
<p>Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses.</p>
<p></p>
<p>This issue affects Apache HTTP Server: through 2.4.58.</p>
<p></p>
<p>Acknowledgements: finder: Orange Tsai (@orange_8361) from DEVCORE</p>
<table class="table">
<tbody>
<tr>
<td class="cve-header">Reported to security team</td>
<td class="cve-value">2023-06-26</td>
</tr>
<tr>
<td class="cve-header">Update 2.4.59 released</td>
<td class="cve-value">2024-04-04</td>
</tr>
<tr>
<td class="cve-header">Affects</td>
<td class="cve-value">&lt;=2.4.58</td>
</tr>
</tbody>
</table>
</dd>
<dt>
<h3 id="CVE-2024-24795">low: <name name="CVE-2024-24795">Apache HTTP Server: HTTP Response Splitting in multiple modules</name> (<a href="https://www.cve.org/CVERecord?id=CVE-2024-24795">CVE-2024-24795</a>)</h3>
</dt>
<dd>
<p>HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack.</p>
<p></p>
<p>Users are recommended to upgrade to version 2.4.59, which fixes this issue.</p>
<p>Acknowledgements:</p>
<ul>
<li>finder: Keran Mu, Tsinghua University and Zhongguancun Laboratory.</li>
<li>finder: Jianjun Chen, Tsinghua University and Zhongguancun Laboratory.</li>
</ul>
<table class="table">
<tbody>
<tr>
<td class="cve-header">Reported to security team</td>
<td class="cve-value">2023-09-06</td>
</tr>
<tr>
<td class="cve-header">Update 2.4.59 released</td>
<td class="cve-value">2024-04-04</td>
</tr>
<tr>
<td class="cve-header">Affects</td>
<td class="cve-value">&lt;=2.4.58</td>
</tr>
</tbody>
</table>
</dd>
<dt>
<h3 id="CVE-2024-27316">moderate: <name name="CVE-2024-27316">Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames</name> (<a href="https://www.cve.org/CVERecord?id=CVE-2024-27316">CVE-2024-27316</a>)</h3>
</dt>
<dd>
<p>HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.</p>
<p>Acknowledgements: finder: Bartek Nowotarski (https://nowotarski.info/)</p>
<table class="table">
<tbody>
<tr>
<td class="cve-header">Reported to security team</td>
<td class="cve-value">2024-02-22</td>
</tr>
<tr>
<td class="cve-header">Update 2.4.59 released</td>
<td class="cve-value">2024-04-04</td>
</tr>
<tr>
<td class="cve-header">Affects</td>
<td class="cve-value">&lt;=2.4.58</td>
</tr>
</tbody>
</table>
</dd>
</dl>
</div>
</div>
</div>
<!-- END VULNERABILITY LIST -->
<div class="accordion-item">
<h2 class="accordion-header" id="flush-headingTwo"><button class="accordion-button collapsed" type="button" data-bs-toggle="collapse" data-bs-target="#flush-collapseTwo" aria-expanded="false" aria-controls="flush-collapseTwo"> Change Log</button></h2>
<div id="flush-collapseTwo" class="accordion-collapse collapse" aria-labelledby="flush-headingTwo" data-bs-parent="#accordionFlushExample">
<div class="accordion-body"><span class="postdetails">Posted: Thu 04 Apr '24 17:05<br />Post subject: Apache httpd 2.4.59 GA Available</span><hr /><span class="postbody">Apache httpd 2.4.59 is released as GA. <br /><br />ASF and Apachelounge changes :<span style="font-weight: bold;"> <a href="https://www.apachelounge.com/Changelog-2.4.html" target="_blank" rel="noopener">https://www.apachelounge.com/Changelog-2.4.html</a> </span> <br /><br /><span style="font-weight: bold;"><span style="color: blue;">Important</span></span> security vulnerabilities are fixed in 2.4.59, see <span style="font-weight: bold;"> <a href="https://httpd.apache.org/security/vulnerabilities_24.html" target="_blank" rel="noopener">https://httpd.apache.org/security/vulnerabilities_24.html</a> </span>. <br /><br /><span style="font-weight: bold;">VS17 Win32</span> <br />The Win32 version is available again, see also discussion <span style="font-weight: bold;"> <a href="https://www.apachelounge.com/viewtopic.php?p=42099" target="_blank" rel="noopener">https://www.apachelounge.com/viewtopic.php?p=42099</a> </span> <br />Only build the with the standard Apache modules. <br />For non-standard modules (like mod_fcgid) use the VS16 Win32 ones at<span style="font-weight: bold;"> <a href="https://www.apachelounge.com/download/VS16/" target="_blank" rel="noopener">https://www.apachelounge.com/download/VS16/</a> </span> <br /><br />Documentation:<span style="font-weight: bold;"> <a href="http://httpd.apache.org/docs/2.4/" target="_blank" rel="noopener">http://httpd.apache.org/docs/2.4/</a> </span> <br /><br />Build with dependencies: <br /><br />- openssl 3.1.5 <br />- nghttp2 1.61.0 <br />- jansson 2.14 <br />- curl 8.7.1 <br />- apr 1.7.3 <br />- apr-util 1.6.3 <br />- apr-iconv 1.2.2 <br />- zlib 1.3.1 <br />- brotli 1.1.0 <br />- pcre2 10.43 <br />- libxml2 2.12.6 <br />- lua 5.4.6 <br />- expat 2.5.0 <br /><br /><span style="font-weight: bold;">Notes VS17 OpenSSL 3.x.x:</span> <br /><br />- <span style="font-weight: bold;">Only PHP 8.2 and 8.1</span> (build with 3.x.x) is running as module. <br /><span style="font-weight: bold;"><span style="color: green;">Running with mod_fcgid no issues seen</span></span>. <br /><br />For running as module, See also the post from <span style="font-weight: bold;">user Otomatic and notes </span> at<span style="font-weight: bold;"> <a href="https://www.apachelounge.com/viewtopic.php?t=8969" target="_blank" rel="noopener">https://www.apachelounge.com/viewtopic.php?t=8969</a> <br /></span> and<span style="font-weight: bold;"> <a href="https://www.apachelounge.com/viewtopic.php?t=8938" target="_blank" rel="noopener">https://www.apachelounge.com/viewtopic.php?t=8938</a> <br /></span> <br />- With too weak certificates/ciphers Apache does not start, see<span style="font-weight: bold;"> <a href="https://www.apachelounge.com/viewtopic.php?t=8819" target="_blank" rel="noopener">https://www.apachelounge.com/viewtopic.php?t=8819</a> </span> <br /><br /><br />Enjoy, <br /><br />Steffen</span><span class="gensmall"></span><!-- END CHANGELOG  --></div>
</div>
</div>
<div class="accordion-item">
<h2 class="accordion-header" id="flush-headingThree"><button class="accordion-button collapsed" type="button" data-bs-toggle="collapse" data-bs-target="#flush-collapseThree" aria-expanded="false" aria-controls="flush-collapseThree"> Release Files</button></h2>
<div id="flush-collapseThree" class="accordion-collapse collapse" aria-labelledby="flush-headingThree" data-bs-parent="#accordionFlushExample">
<div class="accordion-body"><!-- RELEASE FILES LINK(S) HERE --> <a href="https://github.com/Bearsampp/module-apache/releases/tag/2024.4.7"> https://github.com/Bearsampp/module-apache/releases/tag/2024.4.7 </a> <!-- END RELEASE FILES LINK(S) --></div>
</div>
</div>
</div>
avatar N6REJ N6REJ - open - 10 Apr 2024
avatar joomla-cms-bot joomla-cms-bot - change - 10 Apr 2024
Labels Added: No Code Attached Yet
avatar joomla-cms-bot joomla-cms-bot - labeled - 10 Apr 2024
avatar N6REJ N6REJ - change - 10 Apr 2024
The description was changed
avatar N6REJ N6REJ - edited - 10 Apr 2024
avatar brianteeman
brianteeman - comment - 10 Apr 2024

What do you mean by "turn filtering off"

avatar N6REJ
N6REJ - comment - 10 Apr 2024

I'm sorry I thought that was self explanatory to our group.
image

avatar N6REJ N6REJ - change - 10 Apr 2024
The description was changed
avatar N6REJ N6REJ - edited - 10 Apr 2024
avatar brianteeman
brianteeman - comment - 10 Apr 2024

when you turn off the filter in tinymce then the filter in joomla takes over and you havent shared what the joomla filter settings are. so you can not simply say turn off filter and expect everyone to read your mind.

i did check the code that you pasted but I see now that you have deleted that code and pasted different code instead.
you talk about html5 but then the code you are sharing is not html5

can you replicated your issue with the tinymce playground?

Obviously the most useful thing would be for you to post the code that you entered into the editor and then copy the changed code here so that we can see the difference.

You should also know that any changes you are seeing when you toggle the editor may be because of tinymce code validation and fixing and this is not the same as security filters.

This is a support issue and not an issue that is anything to do with core joomla.

This is the results of my test with the original code you posted.
The three files are

  1. Your original before pasting
  2. After pasting with joomla filters set to off in tinymce
  3. After pasting with joomla filters set to on in tinymce

The only differences are

  1. the opening line has been wrapped in a <p>
  2. the xhtml <hr /> has been changed to the html5 <hr>
    image
avatar N6REJ
N6REJ - comment - 10 Apr 2024

the current code included is the current code

avatar brianteeman
brianteeman - comment - 10 Apr 2024

and the current code is xhtml and completely invalid markup with fictitious html elements. tiny tries to fix that for you. that is nothing to do with the filters which are restrictions due to security.

This is not a joomla issue and should be closed. Nothing to do here and no need for anyone else to waste time

avatar chmst chmst - change - 10 Apr 2024
Status New Closed
Closed_Date 0000-00-00 00:00:00 2024-04-10 18:27:30
Closed_By chmst
avatar chmst chmst - close - 10 Apr 2024
avatar chmst
chmst - comment - 10 Apr 2024

As @brianteeman wrote. I checked your code and it is as he writes.

Add a Comment

Login with GitHub to post a comment