Bug 465530: <iframe/> and <style/> tags are sanitized when "allow html" is checked
Status: Closed (VERIFIED FIXED)
Opened 17 years ago; closed 17 years ago
Product / Component: support.mozilla.org :: Knowledge Base Software (task)
Tracking: Not tracked
Target Milestone: 0.7.3
Reporter: zzxc; Assignee: laura
Keywords: regression; Whiteboard: tiki_fixed
Attachments (2 files, 1 obsolete file):
- patch, 1.25 KB (nkoth: review+)
- image/png, 324.92 KB
Description
When attempting to edit the SFD4 page at http://support.mozilla.com/en-US/kb/SFD4 , the iframe and style tags used for page layout, and for embedding Mogulus and IRC, are sanitized by inserting <x> in the middle of the tag. The SFD4 page can't be edited until this bug is fixed.
This bug is visible on the SFD4 staging page at http://support.mozilla.com/en-US/kb/SFD4-staging
Comment 1•17 years ago (Assignee)
Caused by the new tiki2 sanitization code. I'll see what I can do to that.
Assignee: nobody → laura
Keywords: regression
Updated•17 years ago (Assignee)
Target Milestone: --- → 0.7.3
Comment 2•17 years ago (Assignee)
This probably needs to be fixed in an off-schedule push, BTW, or we can revert. I'm marking it 0.7.3 for visibility though.
Comment 3•17 years ago (Assignee)
There is an additional layer of checking later in the code that will encode their HTML if they are not an admin anyway.
Attachment #348849 - Flags: review?(nelson)
Updated•17 years ago
Attachment #348849 - Flags: review?(nelson) → review-
Comment 4•17 years ago (Assignee)
For this one field, delay xss filtering until we know if the person's trusted to use HTML or not. When we know, if they are not trusted, filter it then.
Attachment #348849 - Attachment is obsolete: true
Attachment #348859 - Flags: review?(nelson)
Updated•17 years ago
Attachment #348859 - Flags: review?(nelson) → review+
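The approach described in comments 3 and 4 (defer the XSS filter for this field until the user's HTML permission is known, and let the later encoding layer handle untrusted users), modelled as an added Python example. This is not Tiki or SUMO code: the tag list, the "<x>" tag-breaking convention, the function names and the sample input (comment 6's testcase) are assumptions based on the bug text, not the real sanitizer.

```python
import html
import re

# Constructed sample input, taken from the testcase in comment 6.
TESTCASE = (
    '<iframe>Testing an iframe</iframe>\n'
    '<p style="color: #090; line-height: 1.2">P</p>'
)

# Assumed list of tags the blanket filter neutralises; the real list is not on the page.
RISKY_TAGS = ("iframe", "style", "script", "object", "embed")
_TAG_RE = re.compile(r"<(/?)(" + "|".join(RISKY_TAGS) + r")\b", re.IGNORECASE)


def break_risky_tags(markup: str) -> str:
    """Old, unconditional behaviour: split each risky tag name with '<x>' so the
    browser no longer parses it as that element. Applied to every editor, this is
    what mangled the layout iframes on the SFD4 page."""
    def _break(m):
        slash, name = m.group(1), m.group(2)
        return "<%s%s<x>%s" % (slash, name[0], name[1:])
    return _TAG_RE.sub(_break, markup)


def contains_live_risky_tag(markup: str) -> bool:
    """True if a risky tag is still intact, i.e. would be parsed as markup."""
    return _TAG_RE.search(markup) is not None


def store_page_field(markup: str, user_can_use_html: bool) -> str:
    """Fixed flow: filtering is deferred until the trust decision is known.

    Trusted editors (the "allow html" case) keep their markup verbatim.
    Untrusted input gets the tag-breaking filter and then the later encoding
    layer mentioned in comment 3, so even a tag the filter misses is stored as
    text rather than as markup.
    """
    if user_can_use_html:
        return markup
    return html.escape(break_risky_tags(markup), quote=True)


if __name__ == "__main__":
    print("eager filter (old):", break_risky_tags(TESTCASE))
    print("trusted editor keeps markup:", store_page_field(TESTCASE, True) == TESTCASE)
    print("untrusted editor, stored form:", store_page_field(TESTCASE, False))
```

The `style` attribute on the `<p>` is untouched by the tag filter in either flow (it is not a `<style>` element), which matches the second half of the comment 6 testcase; for an untrusted editor it is still neutralised by the encoding step.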
Comment 5•17 years ago (Assignee)
Updated•17 years ago (Assignee)
Keywords: push-needed
Updated•17 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Comment 6•17 years ago
Testcase:
<iframe>Testing an iframe</iframe>
<p style="color: #090; line-height: 1.2">P</p>
Comment 7•17 years ago
Looks fixed to me; Matthew, do you have cycles to confirm?
Comment 8•17 years ago (Reporter)
The SFD4 page works properly now when it is imported to support-stage.mozilla.org. I'll verify this bug when it is pushed to production.
Comment 9•17 years ago
(In reply to comment #8)
> The SFD4 page works properly now when it is imported to
> support-stage.mozilla.org. I'll verify this bug when it is pushed to
> production.
We pushed last night.
Comment 10•17 years ago (Reporter)
That push didn't happen until today, but regardless it is now working on production.
->verified
Status: RESOLVED → VERIFIED
0.7.3 has come and gone, but thoughts of it still linger; I held a banger in my hand--has anyone seen my finger?
(Removing push-needed keyword since we shipped.)
Keywords: push-needed
Updated•16 years ago
Whiteboard: tiki_fixed
Comment 12•16 years ago
Security model has changed for 3.x
Now, all plugin content which is potentially insecure must be approved by someone with sufficient perms. (tiki_p_plugin_approve)