htmlawed trashes html in posts

I read about and experienced the mysterious removal of html code from posts. I've read that folks have had the problem with various versions of tinymce. And I've read and found that turning off the htmlawed plugin fixed this issue. So, what then does htmlawed do? I understand it's a replacement for kses, but I'm not sure what either of them do and their purpose. I have seen a few listings in trac about minor fixes to htmlawed, but, unless I'm missing it, nothing about fixing this more major issue. Further, I've read, via the plugin display on the tools admin page, that htmlawed is recommended.

So, is the purpose of htmlawed to remove html from posts? Is it then thus working properly? And if I wish html to be utilized in posts, should I turn it off, and is this a proper, but not recommended, thing to do? Or is htmlawed not working properly, and I should report this to trac?

I just don't understand what htmlawed is and why it's recommended and, by turning it off, what problems this can cause. And finally, since it appears its purpose is to strip various html from posts, is it recommended that we do not allow html posts?

I'd appreciate any discussion and advice.

  • @Ron Wallace - What I think...

    Well Ron, I think it should be configurable, so the user can choose what to allow and what not to. Moreover, I have noticed that it filters most of the tags, so according to me either the Elgg team should allow more tags or make it configurable.

    Just an idea... Waiting for response.

  • It's not clear to me how we are to interface with the Elgg staff. For discussion and feature requests like this about htmlawed, how are we supposed to interface with them? It doesn't appear this is a bug, so I wouldn't think it should be reported to trac - but I think it's healthy to have a discussion about it because it appears to be causing a number of problems for users. When a member of the staff has a question, he can post it and get feedback, but for us users, how do we get our thoughts heard? I'm sure they don't have the time to read every comment, so they may be missing some valuable ideas. I don't understand what the process is. You say, Invisible, "Waiting for response." Unfortunately, a response may never come. Does anyone know - is there a communication policy?

  • Allowing users to add arbitrary HTML code to your site might break your site design and might even allow phishers to add code pretending to be a login box and so trick people into revealing their passwords.

    You can configure htmlawed to be a bit less restrictive by editing the mod/htmlawed/start.php file, but turning it off altogether is a Very Bad Idea so far as I can see.

  • Very interesting. I'll have to take a look at the start.php and get an idea what's up. I would think formatting code, like tables, wouldn't be something that should be stripped and could cause a security leak. Or could it?

  • Tables would be a possible formatting issue that could result in users being able to create pages / blogs / profiles that would render the site (on that page) useless. Filtering user input is a delicate task that has to balance flexibility and security. We chose to not allow tables in the distributed htmlawed plugin because most users aren't experienced enough to know what tags should and shouldn't be allowed. Like Kevin says, though, you can change this pretty simply in the start.php file.

    As for getting in touch with the developers, trac is always the best way. Even though this isn't technically a bug, it can be marked as an "improvement" or "feature request" on trac. If further discussion is needed, we'll point it to a topic on this site.

    Just FYI, though, we do monitor this site fairly regularly and read most of the posts...just because we don't reply doesn't mean we didn't see it!
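To illustrate Kevin's and Brett's points above, here is an added example (not Elgg's or htmLawed's code): a minimal allow-list sanitizer in Python that does what htmlawed does in principle. It drops every tag not on the list, so the fake login form and the script in a constructed sample post vanish, while a second, loosened list admits tables the way an edited mod/htmlawed/start.php could. The allow-lists and the sample post are assumptions, not Elgg's real configuration.

```python
from html import escape
from html.parser import HTMLParser

# Tag -> allowed attributes. Constructed allow-lists in the spirit of a strict
# htmlawed config; not Elgg's real start.php settings.
STRICT = {"p": set(), "b": set(), "i": set(), "em": set(), "strong": set(), "br": set(),
          "ul": set(), "ol": set(), "li": set(), "a": {"href", "title"}}
# The same list loosened to admit tables, as start.php could be edited to do.
WITH_TABLES = {**STRICT, "table": set(), "tr": set(), "td": set(), "th": set()}
SAFE_HREF = ("http://", "https://", "/")   # only these URL schemes survive on href


class AllowlistSanitizer(HTMLParser):
    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed, self.out, self.dropped, self.skipping = allowed, [], [], None

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skipping = tag          # drop the element and its raw content
        if tag not in self.allowed:
            self.dropped.append(tag)     # audit trail of what the filter removed
            return
        kept = []
        for name, value in attrs:
            if name not in self.allowed[tag] or value is None:
                continue                 # unknown attributes such as onclick go away
            if name == "href" and not value.lower().startswith(SAFE_HREF):
                continue                 # javascript:, data: and similar schemes go away
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
        elif tag in self.allowed and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skipping is None:        # text is always kept, but re-escaped
            self.out.append(escape(data))


def sanitize(html, allowed=STRICT):
    """Return (clean_html, dropped_tags) for one post body."""
    p = AllowlistSanitizer(allowed)
    p.feed(html)
    p.close()
    return "".join(p.out), p.dropped


# Constructed post body: a table, a fake login box and a script.
SAMPLE = ('<p>Hi <b>all</b></p><table><tr><td>cell</td></tr></table>'
          '<form action="http://phish.example/"><input type="password"></form>'
          '<script>alert(1)</script><a href="javascript:alert(1)" onclick="x()">link</a>')
```

Calling `sanitize(SAMPLE)` keeps only `<p>Hi <b>all</b></p>cell<a>link</a>`, and `sanitize(SAMPLE, WITH_TABLES)` additionally keeps the table; the `dropped` list shows which tags the filter removed, which is what a site admin would want to see when deciding what to add to the allow-list.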

  • Thanks Brett. Understand completely and appreciate your advice and professionalism.

Feedback and Planning

Discussions about the past, present, and future of Elgg and this community site.