Closed Bug 465530 Opened 11 years ago Closed 11 years ago
<iframe/> and <style/> tags are sanitized when "allow html" is checked
When attempting to edit the SFD4 page at http://support.mozilla.com/en-US/kb/SFD4 , the iframe and style tags used for page layout, and for embedding Mogulus and IRC, are sanitized by inserting <x> in the middle of the tag. The SFD4 page can't be edited until this bug is fixed. This bug is visible on the SFD4 staging page at http://support.mozilla.com/en-US/kb/SFD4-staging
Caused by the new tiki2 sanitization code. I'll see what I can do to that.
Assignee: nobody → laura
This probably needs to be fixed in an off schedule push, BTW, or we can revert. I'm marking it 0.7.3 for visibility though.
There is an additional layer of checking later in the code that will encode their HTML if they are not an admin anyway.
Attachment #348849 - Flags: review?(nelson)
For this one field, delay xss filtering until we know if the person's trusted to use HTML or not. When we know, if they are not trusted, filter it then.
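The comment above describes a two-stage policy: store the field's raw markup, and only run the XSS filter at render time once the author's trust level is known (untrusted authors get their HTML neutralized, as comment 7 notes). The following is an added illustration of that policy in Python; it is not tiki or SUMO code, and the allowlists, the `render_field` helper and the `author_is_trusted` flag are assumptions. The sample input is the testcase posted later in this bug.

```python
import re

# Added example (not the project's code): defer filtering of one HTML field
# until the author's trust level is known, then encode anything outside an
# allowlist for untrusted authors. Tag and attribute allowlists are assumptions.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href"}}  # every other attribute (style, on*, ...) is dropped

TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>")
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)""")


def _encode_angles(text: str) -> str:
    # Only '<' and '>' are encoded so existing entities (&amp;) are not doubled.
    return text.replace("<", "&lt;").replace(">", "&gt;")


def _safe_href(value: str) -> bool:
    # Accept absolute http(s) URLs and site-relative paths; reject other schemes.
    v = value.strip("\"'").strip().lower()
    return v.startswith(("http://", "https://", "/"))


def _rebuild_tag(m: "re.Match") -> str:
    closing, name, attrs = m.group(1), m.group(2).lower(), m.group(3)
    if name not in ALLOWED_TAGS:
        # Disallowed tag (iframe, style, script, ...): encode it so the browser
        # displays it as text rather than interpreting it.
        return _encode_angles(m.group(0))
    if closing:
        return f"</{name}>"
    kept = []
    for attr, value in ATTR_RE.findall(attrs):
        attr = attr.lower()
        if attr not in ALLOWED_ATTRS.get(name, set()):
            continue
        if attr == "href" and not _safe_href(value):
            continue
        val = value.strip("\"'").replace('"', "&quot;")
        kept.append(f' {attr}="{val}"')
    return f"<{name}{''.join(kept)}>"


def sanitize(markup: str) -> str:
    """Allowlist filter: keep permitted tags/attributes, encode everything else."""
    out, pos = [], 0
    for m in TAG_RE.finditer(markup):
        out.append(_encode_angles(markup[pos:m.start()]))
        out.append(_rebuild_tag(m))
        pos = m.end()
    out.append(_encode_angles(markup[pos:]))
    return "".join(out)


def render_field(stored_markup: str, author_is_trusted: bool) -> str:
    """Stage two: the raw field was stored unfiltered; filter now unless the
    author is trusted to use HTML (the 'allow html' / admin case)."""
    return stored_markup if author_is_trusted else sanitize(stored_markup)


# Testcase from this bug, used here as sample input.
TESTCASE = '<iframe>Testing an iframe</iframe> <p style="color: #090; line-height: 1.2">P</p>'

if __name__ == "__main__":
    print(render_field(TESTCASE, author_is_trusted=True))
    print(render_field(TESTCASE, author_is_trusted=False))
```

For a trusted author the iframe and the styled paragraph pass through unchanged; for anyone else the iframe tags are HTML-encoded and the `style` attribute is dropped, so the layout markup survives only where the author has been vetted.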
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Testcase: <iframe>Testing an iframe</iframe> <p style="color: #090; line-height: 1.2">P</p>
Looks fixed to me; Matthew, do you have cycles to confirm?
The SFD4 page works properly now when it is imported to support-stage.mozilla.org. I'll verify this bug when it is pushed to production.
(In reply to comment #8)
> The SFD4 page works properly now when it is imported to
> support-stage.mozilla.org. I'll verify this bug when it is pushed to
> production.

We pushed last night.
That push didn't happen until today, but regardless it is now working on production. ->verified
Status: RESOLVED → VERIFIED
0.7.3 has come and gone, but thoughts of it still linger; I held a banger in my hand--has anyone seen my finger? (Removing push-needed keyword since we shipped.)
Security model has changed for 3.x. Now, all plugin content which is potentially insecure must be approved by someone with sufficient perms (tiki_p_plugin_approve).