[Vtigercrm-developers] Avoid HTML purify in ckeditor

Mariusz Krzaczkowski m.krzaczkowski at yetiforce.com
Fri Oct 28 08:52:21 GMT 2016


Enabling HTML purify is a security threat and creates a possibility to
hack the system. Unless you don't care about the security. We had the
same problem, HTML purify didn't work properly for HTML, we fixed it by
creating a special function for HTML validation. 
The function can be found here:
https://github.com/YetiForceCompany/YetiForceCRM/blob/developer/vendor/yetiforce/Purifier.php#L91
Additionally we introduced a few optimizations because the old feature
was slow. 

Another problem is that Vtiger uses a very outdated library 3.3.0,
released 2009-02-16, which doesn't support new standards like HTML5; and
right now we have 4.8.0, released 2016-07-16. 

So simply adding a new feature won't be very effective, because it's
based on the latest library version and is not likely to work with the
outdated one.

---
Yours faithfully / Regards

MARIUSZ KRZACZKOWSKI 
_Director of Product Development_ 
M: +48 884-998-123
E: m.krzaczkowski at yetiforce.com 
-------------------------

YetiForce 3.0 LTS has arrived! Test [1] the latest, most innovative open
source system in the world, and join [2] our community. 

On 2016-10-28 10:24, Matteo Baranzoni wrote:

> I think that disabling it was not a better solution for security reasons; IMHO you must investigate the issue and change the htmlpurifier config to fix it.   
> 
> 2016-10-28 10:01 GMT+02:00 socialboostdk <socialboostdk at gmail.com>:
> 
> Excellent, thanks - the quickest way I otherwise found was to completely disable it :) 
> 
> VT-team: Could you not include it as a setting for VT7? 
> 
> On 28 October 2016 at 09:54, Simone Travaglini <simonetravaglini at gmail.com> wrote: 
> 
> Hi, 
> after several tests we found that the only way to avoid HTML purify in ckeditor is to change a core file of Vtiger. Even if we set it not to purify code in ckeditor, the code is changed during saving. 
> 
> The change to achieve the result is: 
> 
> include/utils/Vtlibutils.php 
> 
> Row 610 
> 
> - function vtlib_purify($input, $ignore=false) { 
> + function vtlib_purify($input, $ignore=true) { 
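Review bot: flipping the default of `$ignore` to `true` in `vtlib_purify` switches purification off for every caller of the function, not only for the ckeditor field, so any input that was previously sanitized now reaches the database untouched. If the editor's markup must survive, pass `$ignore=true` only at the call site that handles that one field, or adjust the HTMLPurifier configuration for it as suggested elsewhere in the thread, and leave the function's default as `- function vtlib_purify($input, $ignore=false) {`.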
> 
> My questions to the vtiger team are: 
> - is there another way to achieve this result without changing a core file? 
> - what impact does this change have? 
> -- 
> 
> Simone Travaglini
> 328 5499846
> Linkedin: Simone Travaglini 
> 
> Respect the environment: don't print this email unless you really need to!
> _______________________________________________
> http://www.vtiger.com/ 


Links:
------
[1] https://gitdeveloper.yetiforce.com/
[2] https://github.com/YetiForceCompany/YetiForceCRM
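As an added illustration for this thread (not vtiger's or YetiForce's code), the PHP below shows the alternative to bypassing `vtlib_purify`: keep HTML Purifier enabled for the rich-text field but configure it for the tags an editor such as ckeditor emits. It assumes HTML Purifier is installed through Composer (the `ezyang/htmlpurifier` package); the helper name `purify_rich_text` and the sample input are constructed for this example.

```php
<?php
// Added example, not vtiger's or YetiForce's code. Assumes HTML Purifier
// (ezyang/htmlpurifier) is available through Composer's autoloader.
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Purify rich-text HTML with an explicit allow-list instead of turning
 * purification off. Hypothetical helper; not a vtiger API.
 */
function purify_rich_text(string $input): string
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Doctype', 'XHTML 1.0 Transitional');

    // Tags and attributes a typical editor produces. Anything not listed
    // (script, event handler attributes, style blocks) is dropped.
    $config->set(
        'HTML.Allowed',
        'p,br,b,strong,i,em,u,ul,ol,li,h1,h2,h3,blockquote,' .
        'a[href|title],img[src|alt|width|height],table,thead,tbody,tr,td,th'
    );

    // Only these URI schemes survive in href/src; javascript: and data: do not.
    $config->set('URI.AllowedSchemes', [
        'http'   => true,
        'https'  => true,
        'mailto' => true,
    ]);

    // Cache compiled definitions in a writable location.
    $config->set('Cache.SerializerPath', sys_get_temp_dir());

    $purifier = new HTMLPurifier($config);
    return $purifier->purify($input);
}

// Constructed sample input: markup a user might paste into the editor,
// including things a purifier is expected to strip.
$dirty = '<p onclick="alert(1)">Hello <b>world</b></p>'
       . '<a href="javascript:alert(1)">link</a>'
       . '<script>alert(1)</script>';

echo "Stored as-is (ignore=true): ", $dirty, PHP_EOL;
echo "Stored after purification:  ", purify_rich_text($dirty), PHP_EOL;
```

Running it side by side makes the trade-off in the thread concrete: with the default flipped to `$ignore=true` the first line is what ends up in the database, while the allow-list configuration keeps the editor's formatting and removes the event handler, the `javascript:` link target and the script element. The allow-list is the part to tune when the editor's output is being mangled, rather than the `$ignore` default.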