[Vtigercrm-developers] Avoid HTML purify in ckeditor

Simone Travaglini simonetravaglini at gmail.com
Fri Oct 28 09:19:49 GMT 2016


Hi Mariusz,
thanks for the suggestion. We will look into it.

2016-10-28 10:52 GMT+02:00 Mariusz Krzaczkowski <m.krzaczkowski at yetiforce.com>:

> Enabling HTML purify is a security threat and creates a possibility to
> hack the system. Unless you don't care about the security. We had the same
> problem, HTML purify didn't work properly for HTML, we fixed it by creating
> a special function for HTML validation.
> The function can be found here:
> https://github.com/YetiForceCompany/YetiForceCRM/blob/developer/vendor/yetiforce/Purifier.php#L91
> Additionally we introduced a few optimizations because the old feature was
> slow.
>
> Another problem is that Vtiger uses a very outdated library, 3.3.0,
> released 2009-02-16, which doesn't support new standards like HTML5; and
> right now we have 4.8.0, released 2016-07-16.
>
> So simply adding a new feature won't be very effective, because it's based
> on the latest library version; it's not likely to work with the outdated
> one.
> ---
>
> Yours sincerely / Regards
> *Mariusz Krzaczkowski*
> *Director of Product Development*
> M: +48 884-998-123
> E: m.krzaczkowski at yetiforce.com
> ------------------------------
> YetiForce 3.0 LTS has arrived! Test the latest, most innovative open source
> system in the world <https://gitdeveloper.yetiforce.com/>, and join our
> community <https://github.com/YetiForceCompany/YetiForceCRM>.
>
>
>
> On 2016-10-28 10:24, Matteo Baranzoni wrote:
>
> I think that disabling it is not a better solution, for security reasons; IMHO
> you must investigate the issue and change the htmlpurifier config to fix it.
>
> 2016-10-28 10:01 GMT+02:00 socialboostdk <socialboostdk at gmail.com>:
>
>> Excellent, thanks - the quickest way I otherwise found was to completely
>> disable it :)
>>
>> VT-team: Could you not include it as a setting for VT7?
>>
>> On 28 October 2016 at 09:54, Simone Travaglini <simonetravaglini at gmail.com> wrote:
>>
>>> Hi,
>>> after several tests we found that the only way to avoid HTML purify in
>>> ckeditor is to change a core file of Vtiger. Also, if we set ckeditor not
>>> to purify, the code is changed during saving.
>>>
>>> The change to achieve the result is:
>>>
>>> include/utils/Vtlibutils.php
>>>
>>> Row 610
>>>
>>> - function vtlib_purify($input, $ignore=false) {
>>> + function vtlib_purify($input, $ignore=true) {
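Review bot: flipping the default of `$ignore` to `true` changes behaviour for every caller of `vtlib_purify()` that relies on the default, not only the ckeditor save path, so purification is silently skipped wherever the second argument is omitted. If the goal is to let rich-text fields through, pass `$ignore` explicitly at the ckeditor call site (or behind the setting requested earlier in the thread) and leave the default at `false`, so the other callers keep their current protection.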
>>>
>>> My questions to the vtiger team are:
>>> - is there another way to achieve this result without changing a core file?
>>> - what impact does this change have?
>>>
>>> --
>>> Simone Travaglini
>>> 328 5499846
>>> Linkedin: Simone Travaglini
>>>
>>>
>>> Respect the environment: don't print this email unless it's really
>>> necessary!
>>> _______________________________________________
>>> http://www.vtiger.com/



-- 
Simone Travaglini
328 5499846
Linkedin: Simone Travaglini


Respect the environment: don't print this email unless it's really
necessary!
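The thread turns on one parameter: vtlib_purify($input, $ignore) either sanitizes the HTML or, with $ignore set, passes it through untouched. The following is an added, stand-alone Python example (it is not Vtiger, YetiForce or HTMLPurifier code, and Python is used only so it runs without a PHP stack) that mirrors that signature with an allowlist sanitizer, so the difference between the two settings can be seen on constructed inputs. The tag and attribute allowlist is an assumption chosen to cover typical CKEditor formatting output; the sample inputs are constructed for the demonstration.

```python
"""Allowlist HTML sanitizer mirroring the vtlib_purify($input, $ignore) shape.

Added example, not project code. The allowlist below is an assumption covering
common rich-text editor output (paragraphs, emphasis, lists, links).
"""
from html import escape
from html.parser import HTMLParser

# Assumed allowlist: tags/attributes a rich-text editor legitimately emits.
ALLOWED_TAGS = {"p", "b", "i", "u", "strong", "em", "ul", "ol", "li", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document keeping only allowlisted tags and attributes.

    Unknown tags are dropped (their text is kept); script/style content is
    dropped entirely; every event-handler attribute disappears because only
    names in ALLOWED_ATTRS survive; href must use a safe scheme.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick, onerror, style, ...
            if name == "href" and not (value or "").strip().lower().startswith(SAFE_URL_SCHEMES):
                continue  # drops javascript:, data:, vbscript: links
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> is emitted as <br>

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            if self._skip_depth:
                self._skip_depth -= 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))  # re-escape text nodes


def purify(html_input: str, ignore: bool = False) -> str:
    """Mirror of the thread's vtlib_purify($input, $ignore) shape (assumed).

    ignore=True returns the input untouched, which is what changing the
    default to true does for every caller that omits the argument.
    """
    if ignore:
        return html_input
    parser = AllowlistSanitizer()
    parser.feed(html_input)
    parser.close()
    return "".join(parser.out)


# Constructed sample inputs: legitimate editor markup plus the kinds of
# markup a stored-XSS filter exists to strip.
SAMPLES = [
    "<p>Hello <b>world</b></p>",
    "<p>Hi<script>alert(1)</script></p>",
    "<img src=x onerror=alert(1)>",
    '<a href="javascript:alert(1)">x</a>',
    '<a href="https://example.com" onclick="x()">site</a>',
    "line<br/>break",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:60} purify -> {purify(sample)!r}")
        print(f"{'':60} ignore -> {purify(sample, ignore=True)!r}")
```

Run as a script it prints each sample both ways; the `ignore=True` column is what every field passes through once the default is flipped, and the rest of the line shows what an allowlist keeps from the same input. The parser ignores `$ignore` semantics beyond on/off on purpose: the point is that a configurable per-call-site bypass is a far smaller change than altering the global default.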