Safely embedding HTML in Wikka pages
Wikka uses the SafeHTML parser by Roman Ivanov.
This parser strips out all potentially dangerous content from HTML:
- opening tag without its closing tag
- closing tag without its opening tag
- any of these tags: “base”, “basefont”, “head”, “html”, “body”, “applet”, “object”, “iframe”, “frame”, “frameset”, “script”, “layer”, “ilayer”, “embed”, “bgsound”, “link”, “meta”, “style”, “title”, “blink”, “xml” etc.
- any of these attributes: on*, data*, dynsrc
- javascript:/vbscript:/about: etc. protocols
- expression/behavior etc. in styles
- any other active content
Check the SafeHTML home page for more info.
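To make the rule list above concrete, here is an added example (not Wikka's or SafeHTML's code; Python rather than PHP) that applies the same categories of filtering with the standard-library HTML parser: blacklisted tags go, on*/data*/dynsrc attributes and expression/behavior styles go, URL attributes are checked against a scheme allow-list, and unmatched opening or closing tags are removed. The names Sanitizer, sanitize, bad_attr and the ALLOWED_SCHEMES set (which includes callto:, the case the comments below raise) are assumptions, not SafeHTML's configuration.

```python
import html
import re
from html.parser import HTMLParser

BLOCKED_TAGS = set("base basefont head html body applet object iframe frame frameset script "
                   "layer ilayer embed bgsound link meta style title blink xml".split())
CONTENT_TAGS = {"script", "style", "applet", "object", "iframe"}   # blocked tags whose content goes too
VOID_TAGS = {"br", "hr", "img", "input"}                            # never need a closing tag
URL_ATTRS = {"href", "src", "action", "background"}
ALLOWED_SCHEMES = {"http", "https", "mailto", "callto"}              # assumed allow-list, not SafeHTML's

def bad_attr(name, value):
    n, v = name.lower(), html.unescape(value or "")
    if n.startswith(("on", "data")) or n == "dynsrc":              # event handlers, data*, dynsrc
        return True
    if n == "style":                                                # expression()/behavior in CSS
        return bool(re.search(r"expression|behavior", v, re.I))
    # strip whitespace/control chars so "java\tscript:" is seen as javascript:
    m = n in URL_ATTRS and re.match(r"([a-z][a-z0-9+.-]*):", re.sub(r"[\s\x00-\x1f]", "", v).lower())
    return bool(m) and m.group(1) not in ALLOWED_SCHEMES
class Sanitizer(HTMLParser):   # simplified model of the rules listed above, not Wikka's 3rdparty code
    def __init__(self):
        super().__init__()
        self.out, self.open_tags, self.skip = [], [], 0            # output, open tags, skip depth
    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_TAGS:
            self.skip += tag in CONTENT_TAGS                        # tag dropped; maybe content too
        elif not self.skip:
            kept = "".join(f' {k}="{html.escape(v or "")}"' for k, v in attrs if not bad_attr(k, v))
            self.out.append(f"<{tag}{kept}>")
            if tag not in VOID_TAGS:
                self.open_tags.append((tag, len(self.out) - 1))
    def handle_endtag(self, tag):
        if tag in BLOCKED_TAGS:
            self.skip = max(self.skip - (tag in CONTENT_TAGS), 0)
        elif not self.skip and any(t == tag for t, _ in self.open_tags):
            t, i = self.open_tags.pop()
            while t != tag:                                         # unclosed tags above it go too
                self.out[i] = ""
                t, i = self.open_tags.pop()
            self.out.append(f"</{tag}>")                            # closer with no opener: dropped
    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))
def sanitize(fragment):
    p = Sanitizer()
    p.feed(fragment)
    p.close()
    dangling = {i for _, i in p.open_tags}                          # openers never closed
    return "".join(s for n, s in enumerate(p.out) if n not in dangling)
```

A tag such as meta, which is blacklisted but has no closing tag, is dropped without swallowing the text after it, while script and style lose their content as well.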
It seems SafeHTML is also stripping the callto: protocol - as I found out when I tried to add a Skype me link on my user page... (a minute ago :)) I don't see how that protocol constitutes a security risk though. Comments?
So, callto or e2k must be added to the whitelist.
I'll think about it -- for distribution.
blockquote is *not* in the list of "dangerous tags" to be filtered out. Can't imagine how it would be dangerous either. ;-)
Have a look at the file safehtml.php in 3rdparty/code/safehtml and you can easily see what's filtered, blacklisted or whitelisted.
The fix is simple: just add 'map' to $formControls:
var $formControls = array('input', 'select', 'textarea', 'button', 'map'); # form controls where a name attribute is valid - JavaWoman