htmlawed exception for embed,object,iframe,div (etc)

How to allow [embed,object,iframe,div] tags through htmlawed?

[Elgg version: 1.8.19]

  • Or maybe to just filter everything out but html and css.

    Any advice?

  • Assuming that you are sure you won't create an XSS vulnerability, you can change the htmlawed config in the 'config', 'htmlawed' plugin hook and read section 3.3 of the htmlawed documentation.

  • At this point I don't think that will be an issue. I'm new at this but I made a copy of the plugin with a different manifest, start.php and name but received the fatal error below after I flushed the cache, with the new plugin enabled. I figured making a replacement plugin would be an appropriate solution so that it hopefully wouldn't interfere with a future version upgrade. I disabled the original htmlawed and the new one until I finished the edit then reactivated the edited plugin. The change I attempted to make was based on the documentation that appeared to state that by switching safe mode to false it would allow my desired tags. 

    With $config["safe"] = 1, the default set will exclude applet, embed, iframe, object and script; see section 3.6.

    $htmlawed_config = array(
    // seems to handle about everything we need.
    'safe' => true,
    // (remaining default config keys unchanged)
    );

    Fatal Error. Redirect could not be issued due to headers already being sent. Halting execution for security. Output started in file /home/mysite/public_html/elgg/mod/my_htmlawed/start.php at line 1. Search http://docs.elgg.org/ for more information.

    SecurityException Object (
        [message:protected] => Redirect could not be issued due to headers already being sent. Halting execution for security. Output started in file /home/mysite/public_html/elgg/mod/my_htmlawed/start.php at line 1. Search http://docs.elgg.org/ for more information.
        [string:Exception:private] => exception 'SecurityException' with message 'Redirect could not be issued due to headers already being sent. Halting execution for security. Output started in file /home/mysite/public_html/elgg/mod/my_htmlawed/start.php at line 1. Search http://docs.elgg.org/ for more information.' in /home/mysite/public_html/elgg/engine/lib/elgglib.php:159
        Stack trace:
        #0 /home/mysite/public_html/elgg/actions/admin/site/flush_cache.php(10): forward(-1)
        #1 /home/mysite/public_html/elgg/engine/lib/actions.php(97): include('/home/mysite/...')
        #2 /home/mysite/public_html/elgg/engine/handlers/action_handler.php(20): action('admin/site/flus...')
        #3 {main}
        [code:protected] => 0
        [file:protected] => /home/mysite/public_html/elgg/engine/lib/elgglib.php
        [line:protected] => 159
        [trace:Exception:private] => Array (
            [0] => Array ( [file] => /home/mysite/public_html/elgg/actions/admin/site/flush_cache.php [line] => 10 [function] => forward [args] => Array ( [0] => -1 ) )
            [1] => Array ( [file] => /home/mysite/public_html/elgg/engine/lib/actions.php [line] => 97 [args] => Array ( [0] => /home/mysite/public_html/elgg/actions/admin/site/flush_cache.php ) [function] => include )
            [2] => Array ( [file] => /home/mysite/public_html/elgg/engine/handlers/action_handler.php [line] => 20 [function] => action [args] => Array ( [0] => admin/site/flush_cache ) )
        )
        [previous:Exception:private] =>
    )

  • My guess is that you might have saved the modified files of your htmlawed duplicate with a wrong encoding. If you saved the files with BOM characters this would explain the error. You need to save the files in "UTF-8 without BOM" encoding.

    But it's not at all necessary to create your own custom htmlawed plugin. The htmlawed plugin has two plugin hooks that allow for providing a custom array of allowed styles and/or a custom config. You only need to create your own little plugin with the following start.php:

    <?php

    elgg_register_event_handler('init', 'system', 'custom_htmlawed_init');

    function custom_htmlawed_init() {

        elgg_register_plugin_hook_handler('allowed_styles', 'htmlawed', 'custom_htmlawed_allowed_styles');
        elgg_register_plugin_hook_handler('config', 'htmlawed', 'custom_htmlawed_config');
    }


    function custom_htmlawed_allowed_styles($hook, $type, $items, $vars) {

        // define your allowed styles in this array; see start.php of the htmlawed plugin for the already allowed styles
        $allowed_styles = array();

        return $allowed_styles;
    }

    function custom_htmlawed_config($hook, $type, $items, $vars) {

        // define your htmlawed config in this array; see start.php of the htmlawed plugin for the default config
        $config = array();

        return $config;
    }

    If you only want to change the config or the allowed styles, you only need to include the corresponding plugin hook handler, not the other. What you need to define on your own is the content of the $allowed_styles and/or $config arrays within the callback functions. To complete this plugin you need to add a suitable manifest.xml file, and it should work without the need to modify the original htmlawed plugin while you still have your own config.
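    Putting the answer above together, here is an added example of what such a start.php can look like when the goal is specifically to let iframe, embed and object through. It is not code from this thread or from the Elgg project; it assumes the Elgg 1.8 plugin hook signature ($hook, $type, $return, $params), that the htmlawed plugin passes its default config as $params (every security-relevant key is set explicitly anyway, so the result does not depend on that), that htmlawed_tag_post_processor() from the htmlawed plugin is loaded, that htmLawed's '* +element' syntax (documentation section 3.3) re-adds elements removed by safe mode, and a placeholder host allow-list you replace with your own. The point a practitioner wants is that turning off safe mode is not required: safe mode stays on, the three tags are added back, and a tag hook rejects any iframe/embed/object whose URL is not an http(s) URL on an allow-listed host, then hands the tag to the plugin's own post-processor.

```php
<?php
/**
 * mod/myconfig/start.php (added example; pair it with a manifest.xml like the
 * one posted later in this thread). Allows iframe, embed and object through
 * Elgg 1.8's htmlawed plugin, but only towards allow-listed hosts over http(s).
 */

elgg_register_event_handler('init', 'system', 'myconfig_init');

function myconfig_init() {
	elgg_register_plugin_hook_handler('config', 'htmlawed', 'myconfig_htmlawed_config');
}

/** Hosts that may be embedded. Assumption: placeholder list, replace with yours. */
function myconfig_embed_hosts() {
	return array('www.youtube.com', 'player.vimeo.com');
}

/**
 * 'config','htmlawed' hook handler. $params is assumed to carry the plugin's
 * default config; all security-relevant keys are set explicitly regardless.
 */
function myconfig_htmlawed_config($hook, $type, $return, $params) {
	$config = is_array($params) ? $params : array();

	$config['safe'] = true;
	// safe mode removes applet, embed, iframe, object and script; the '+' syntax
	// adds the three we want back while script and applet stay blocked
	$config['elements'] = '* +iframe +embed +object';
	$config['deny_attribute'] = 'class, on*, srcdoc';
	// no javascript:, data: or vbscript: in any URL-valued attribute
	$config['schemes'] = '*:http,https,ftp,news,mailto,rtsp,teamspeak,gopher,mms,callto';
	// our tag hook wraps the htmlawed plugin's own post-processor
	$config['hook_tag'] = 'myconfig_hook_tag';

	return $config;
}

/**
 * htmLawed hook_tag callback: called as ($element, $attributes) for opening tags
 * and ($element) for closing tags. Drops iframe/embed/object whose URL is not
 * allowed, then defers to htmlawed_tag_post_processor() (the function named in
 * the htmlawed plugin's default config) for the actual tag output.
 */
function myconfig_hook_tag($element, $attributes = null) {
	static $dropped = array();   // elements whose opening tag we removed
	$url_attr = array('iframe' => 'src', 'embed' => 'src', 'object' => 'data');

	if (isset($url_attr[$element])) {
		if ($attributes === null) {
			// closing tag: swallow it if we removed the matching opening tag
			if (!empty($dropped[$element])) {
				$dropped[$element] = false;
				return '';
			}
		} else {
			$attr = $url_attr[$element];
			$url = isset($attributes[$attr]) ? $attributes[$attr] : '';
			if (!myconfig_url_allowed($url)) {
				$dropped[$element] = true;
				return '';   // missing, relative or off-list URL: drop the tag
			}
		}
	}
	return htmlawed_tag_post_processor($element, $attributes);
}

/** True only for absolute http(s) URLs whose host is exactly on the allow-list. */
function myconfig_url_allowed($url) {
	$parts = parse_url($url);
	if (!$parts || !isset($parts['scheme'], $parts['host'])) {
		return false;   // relative, scheme-less ("//evil.example") or unparsable
	}
	if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
		return false;
	}
	return in_array(strtolower($parts['host']), myconfig_embed_hosts(), true);
}
```

    The host comparison is an exact, lower-cased match rather than a substring test, so "www.youtube.com.evil.example" does not pass, and a URL without a scheme is rejected rather than resolved relative to the site. Embed and object deserve the same scrutiny as iframe because their src/data can load plugin content; if you do not need them, leave them out of the 'elements' string.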

  • It's possible I used the wrong encoding but I've used a similar method before when doing minor editing with other plugins and I didn't have issues like this.

    myconfig:

    <?xml version="1.0" encoding="UTF-8"?>
    <plugin_manifest xmlns="http://www.elgg.org/plugin_manifest/1.8">
        <name>myconfig</name>
        <author>empty</author>
        <version>1.8</version>
        <category>security</category>
        <description>My htmLawed config</description>
        <website>http://www.elgg.org</website>
        <copyright>See COPYRIGHT.txt</copyright>
        <license>GNU General Public License version 2</license>
        <requires>
            <type>elgg_release</type>
            <version>1.8</version>
        </requires>
    </plugin_manifest>

    When I activated the plugin it gave me a white screen until I removed it; then this error came up:

    myconfig (guid: 63) cannot start and has been deactivated. Reason: Cannot include start.php for plugin myconfig (guid: 63) at /home/mysite/public_html/elgg/mod/myconfig.

    Here is my start.php:

    <?php

    elgg_register_event_handler('init', 'system', 'custom_htmlawed_init');

    function custom_htmlawed_init() {

        elgg_register_plugin_hook_handler('allowed_styles', 'htmlawed', 'custom_htmlawed_allowed_styles');
        elgg_register_plugin_hook_handler('config', 'htmlawed', 'custom_htmlawed_config');
    }


    function custom_htmlawed_allowed_styles($hook, $type, $items, $vars) {

        $allowed_styles = array(
            'color', 'cursor', 'text-align', 'vertical-align', 'font-size',
            'font-weight', 'font-style', 'border', 'border-top', 'background-color',
            'border-bottom', 'border-left', 'border-right',
            'margin', 'margin-top', 'margin-bottom', 'margin-left',
            'margin-right', 'padding', 'float', 'text-decoration'
        );

        return $allowed_styles;
    }

    function custom_htmlawed_config($hook, $type, $items, $vars) {

        $config = array( 
            // seems to handle about everything we need.
            'safe' => true,
            'deny_attribute' => 'class, on*',
            'hook_tag' => 'htmlawed_tag_post_processor',

            'schemes' => '*:http,https,ftp,news,mailto,rtsp,teamspeak,gopher,mms,callto',
            // apparently this doesn't work.
            // 'style:color,cursor,text-align,font-size,font-weight,font-style,border,margin,padding,float'
          );

        return $config;
    }

    I tried to set it to use the default config and styles to see if it would work but alas not yet. Should I not have done that?

    Suggestions?

  • I'm not sure why but a clean install might have fixed my issue. I'll check back.

  • I believe it works now. Thank you for the help!

Beginning Developers

This space is for newcomers, who wish to build a new plugin or to customize an existing one to their liking