I know disabling the HTMLawed plugin is not recommended because of the risk. But I want to ask: what if I disable Edit HTML too? No HTMLawed and no Edit HTML; is it still dangerous for our site?
In my opinion, it's safe because users can't input HTML/JS code, but I'm not sure.
Any opinion?
©2014 the Elgg Foundation
People can still input HTML in plaintext inputs. Why do you want to disable htmlawed?
I want to extend the abilities of CKEditor. I succeeded in adding extra plugins to CKEditor, like "spoiler", "math symbol", etc., but when I click "save", the result is just normal text.
Take a look at this: https://github.com/hypeJunction/Elgg-ckeditor_addons. I am not entirely sure how the addons you mention generate content, but my plugin has some hooks to configure htmlawed based on ckeditor rules.
Oh, sorry, I have it the other way around. Only tags allowed by htmlawed are allowed in ckeditor: https://github.com/hypeJunction/Elgg-ckeditor_addons/blob/90428ed3ff81d8146449cda9b07dae0231a01059/views/default/elgg/ckeditor/config.js.php#L12
You might try creating a plugin to extend what htmlawed allows so you can include the math symbol and other options you want.
That's what I did and it seems to work. I added the options I wanted to the ckeditor extended plugin and then created a "custom_htmlawed" plugin to extend what the htmlawed plugin will allow. I'm not a coder, but I did a lot of research. I don't remember what article set me on the right track, but my start.php is modeled after the start.php of the htmlawed plugin. I'll share more details if you are interested.
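The approach described in the two posts above (a small plugin that widens what the bundled htmlawed plugin allows, instead of disabling it) can be sketched as a start.php. This is an added example, not JayT's plugin and not code from Elgg or hypeJunction's addons. It assumes Elgg 1.8/1.9, where the bundled htmlawed plugin triggers the 'config', 'htmlawed' plugin hook and passes its htmLawed configuration array to handlers before filtering; the plugin name "custom_htmlawed" is taken from the thread, and the widened settings (allowing the class attribute, the narrowed URL scheme list) are constructed for illustration.

```php
<?php
/**
 * start.php of a hypothetical "custom_htmlawed" Elgg plugin (added example,
 * not code from the thread or from Elgg). Assumes Elgg 1.8/1.9, where the
 * bundled htmlawed plugin runs elgg_trigger_plugin_hook('config', 'htmlawed', ...)
 * with its htmLawed config array, so a handler can adjust that array before
 * the sanitizer is called.
 */

function custom_htmlawed_init() {
    // Adjust the sanitizer config every time the htmlawed plugin builds it.
    elgg_register_plugin_hook_handler('config', 'htmlawed', 'custom_htmlawed_config');
}

/**
 * Widen the allow list only as far as the editor add-ons need, and keep the
 * settings that do the security work untouched.
 *
 * @param string $hook   'config'
 * @param string $type   'htmlawed'
 * @param array  $config htmLawed config array built by the htmlawed plugin
 * @param array  $params unused
 * @return array modified config
 */
function custom_htmlawed_config($hook, $type, $config, $params) {
    // 'safe' mode makes htmLawed drop javascript:/data: URLs and other script
    // vectors; never switch it off just to get an editor add-on working.
    $config['safe'] = 1;

    // Elgg denies 'class' and every 'on*' attribute by default. A spoiler or
    // math block typically needs a class, so allow 'class' again, but keep
    // inline event handlers (onclick, onerror, ...) denied.
    $current = (string) elgg_extract('deny_attribute', $config, 'class, on*');
    $deny = array_map('trim', explode(',', $current));
    $deny = array_diff($deny, array('class'));
    if (!in_array('on*', $deny)) {
        $deny[] = 'on*';
    }
    $config['deny_attribute'] = implode(', ', $deny);

    // Restricting is also possible here: only allow a few URL schemes in
    // href/src (constructed value, narrower than the plugin's default).
    $config['schemes'] = '*:http,https,ftp,mailto';

    // Anything else (element list, hook_tag post-processor) is left as the
    // htmlawed plugin set it, so script/style/iframe/object stay filtered.
    return $config;
}

elgg_register_event_handler('init', 'system', 'custom_htmlawed_init');
```

The point of doing it this way is that the editor gains the markup it needs while htmLawed keeps running on every save: a user who bypasses CKEditor and posts raw HTML through the form still has event handlers, script elements and unsafe URL schemes stripped. The plugin's manifest.xml should declare a dependency on the bundled htmlawed plugin so the hook is actually triggered.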
Hmm, I want to ask about the htmLawed system.
Does htmLawed allow all HTML tags except some tags,
or
does htmLawed deny all HTML tags except some tags?
According to the htmLawed documentation it allows "only specified HTML tags and attributes" and does more to sanitize the code. Various websites which allow users to make comments, write blogs, etc. use it or some other similar software to strip unwanted code from what is posted. Elgg uses htmLawed via an htmLawed plugin which probably also makes some adjustments to what is and what is not allowed.