cubicweb #1253650 html validation from user input [resolved]

When force-html-content-type is unset, user can fill html fragment which can break the page display due to unknown namespaces or invalid elements.

This problems happens frequently from copy/pasting from Word.

Consider to enforce html input and strip arbitrary text that could interfere with some browsers.

prioritynormal
typebug
done in3.10.6
load0.500
load left0.000
closed by<not specified>

Workflow history

from state (3)to statecommentdateUser
validation pendingresolved2011/05/27 14:22 UTCsthenault
donevalidation pending

version publiƩe

2010/11/30 21:54 UTCnchauvat
opendone

done in 6685:eeedb3575d25

[uilib] soup2xhtml uses now lxml.html.Cleaner

The lxm cleaner class let you configure more easily the allowed tag elements in parsed content.

Caveats:

  • attributes in elements are not dropped (and html layout can be broken if css classes are reused)
  • root tag element in snippet is buggy
2010/11/09 15:20 UTC 

Identical tickets

Comments

  • 2010/09/24 15:04

    Take a look at http://codespeak.net/lxml/lxmlhtml.html#cleaning-up-html

    Cleaner class can allow a specific subset of tags.

    Note: lxml version 2.2.2 added several helper methods (skip_attributes, skip_tags)

  • 2010/09/24 15:10, written by sthenault

    we *already* do that. Please give examples of what should be stripped and isn't.

    • 2010/09/24 15:53

      For a very simple example, you can try adding unknown attribute from missing namespace as "<p x:str="" />

      (See test.html attachement)

  • 2010/11/09 15:44, written by sthenault

    still waiting a demonstration ;)

add comment
attachment

test.html