Closed Bug 465530 Opened 11 years ago Closed 11 years ago

<iframe/> and <style/> tags are sanitized when "allow html" is checked

Categories

(support.mozilla.org :: Knowledge Base Software, task, blocker)

task
Not set
blocker

VERIFIED FIXED

People

(Reporter: zzxc, Assigned: laura)

Details

(Keywords: regression, Whiteboard: tiki_fixed)

Attachments

(2 files, 1 obsolete file)

When attempting to edit the SFD4 page at http://support.mozilla.com/en-US/kb/SFD4 , the iframe and style tags used for page layout, and for embedding Mogulus and IRC, are sanitized by inserting <x> in the middle of the tag.  The SFD4 page can't be edited until this bug is fixed.

This bug is visible on the SFD4 staging page at http://support.mozilla.com/en-US/kb/SFD4-staging
Caused by the new tiki2 sanitization code.  I'll see what I can do to that.
Assignee: nobody → laura
Keywords: regression
Target Milestone: --- → 0.7.3
This probably needs to be fixed in an off schedule push, BTW, or we can revert.  I'm marking it 0.7.3 for visibility though.
Blocks: 465552
There is an additional layer of checking later in the code that will encode their HTML if they are not an admin anyway.
Attachment #348849 - Flags: review?(nelson)
Attachment #348849 - Flags: review?(nelson) → review-
Attached patch: Better approach
For this one field, delay xss filtering until we know if the person's trusted to use HTML or not.  When we know, if they are not trusted, filter it then.
Attachment #348849 - Attachment is obsolete: true
Attachment #348859 - Flags: review?(nelson)
Attachment #348859 - Flags: review?(nelson) → review+
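As an added illustration of the approach described in the comment above (and of the "additional layer" for non-admins mentioned earlier), here is a small Python model of the two-stage pipeline. It is constructed for this page and is not Tiki or SUMO code. Assumptions: the field name `body`, the set of tag names treated as dangerous, a two-stage request-time/save-time pipeline, and the exact spot where the filter splices `<x>` into a tag name (the bug only says "in the middle of the tag"). Only tag names are modelled; attribute filtering such as `style="..."` is left out.

```python
"""Deferred XSS filtering for one trusted-HTML field.

Constructed illustration, not Tiki/SUMO code. The filter models the
behaviour reported in the bug: a dangerous tag name gets "<x>" spliced
into it so the browser no longer recognises the tag. The position of
the "<x>" and the tag list are assumptions.
"""
import re

# Tag names refused for untrusted authors (assumed list).
DANGEROUS_TAGS = {"iframe", "style", "script", "object", "embed"}

# The one field allowed to carry raw HTML when the author is trusted
# (hypothetical field name; stands in for the KB page body).
DEFERRED_FIELD = "body"

_TAG_RE = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)")


def neutralize_tags(html: str) -> str:
    """Splice '<x>' into every dangerous tag name: <iframe> -> <i<x>frame>."""
    def repl(m) -> str:
        slash, name = m.group(1), m.group(2)
        if name.lower() in DANGEROUS_TAGS:
            return f"<{slash}{name[0]}<x>{name[1:]}"
        return m.group(0)
    return _TAG_RE.sub(repl, html)


def filter_input_before_fix(fields: dict) -> dict:
    """Original behaviour: every incoming field is filtered at request time,
    before anything is known about the author, so trusted HTML is mangled too."""
    return {k: neutralize_tags(v) for k, v in fields.items()}


def filter_input_after_fix(fields: dict) -> dict:
    """Fixed request-time stage: the trusted-HTML field is left alone here
    and handled later, once the author's permission is known."""
    return {k: (v if k == DEFERRED_FIELD else neutralize_tags(v))
            for k, v in fields.items()}


def save_page(fields: dict, author_may_use_html) -> dict:
    """Save-time stage, where the permission check is available.

    Fails closed: anything other than an explicit True (e.g. None because
    the permission lookup failed) is treated as untrusted, and the deferred
    field is filtered before it is stored.
    """
    out = dict(fields)
    if author_may_use_html is not True and DEFERRED_FIELD in out:
        out[DEFERRED_FIELD] = neutralize_tags(out[DEFERRED_FIELD])
    return out


def submit_before_fix(fields: dict, author_may_use_html) -> dict:
    """Whole pipeline as it behaved when the regression was reported."""
    return save_page(filter_input_before_fix(fields), author_may_use_html)


def submit_after_fix(fields: dict, author_may_use_html) -> dict:
    """Whole pipeline with filtering of the HTML field deferred to save time."""
    return save_page(filter_input_after_fix(fields), author_may_use_html)


if __name__ == "__main__":
    # Constructed submission echoing the test case posted in this bug.
    page = {
        "title": "SFD4",
        "body": '<iframe>Testing an iframe</iframe>\n'
                '<p style="color: #090; line-height: 1.2">P</p>',
    }
    for label, fn in (("before fix", submit_before_fix),
                      ("after fix", submit_after_fix)):
        for trusted in (True, False):
            print(f"{label}, trusted={trusted}: {fn(page, trusted)['body']!r}")
```

Running the script shows the regression: before the fix a trusted author's `<iframe>` comes out as `<i<x>frame>` regardless of permission, while after the fix the tag survives for a trusted author and is neutralized for everyone else. The save-time check deliberately treats an unknown permission result as untrusted, because deferring the filter only stays safe if the late check can never be skipped.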
In trunk r19999, in prod r20001 (just missed the big 20k!)
Keywords: push-needed
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Testcase:

<iframe>Testing an iframe</iframe>

<p style="color: #090; line-height: 1.2">P</p>
Looks fixed to me; Matthew, do you have cycles to confirm?
The SFD4 page works properly now when it is imported to support-stage.mozilla.org.  I'll verify this bug when it is pushed to production.
(In reply to comment #8)
> The SFD4 page works properly now when it is imported to
> support-stage.mozilla.org.  I'll verify this bug when it is pushed to
> production.

We pushed last night.
That push didn't happen until today, but regardless it is now working on production.

->verified
Status: RESOLVED → VERIFIED
0.7.3 has come and gone, but thoughts of it still linger; I held a banger in my hand--has anyone seen my finger?

(Removing push-needed keyword since we shipped.)
Keywords: push-needed
Whiteboard: tiki_fixed
Security model has changed for 3.x

Now, all plugin content which is potentially insecure must be approved by someone with sufficient perms. (tiki_p_plugin_approve)