Comments (6)
Thanks for the report :) but we explicitly allow all HTML tags and attributes in the editor. You can decide whether you want to render the content raw (Twig filter). We do this because we don't see a big problem here: the content manager (logged-in system user) should be "competent" enough to avoid it if he doesn't want it.
But we are planning to make this behavior configurable in a future release; there are no concrete plans currently.
/cc @chirimoya @danrot please add your thoughts about this topic
from sulu-standard.
I also think that this is the job of the template developer, especially because I have already seen textareas being used to copy small JavaScript snippets (e.g. YouTube embed codes).
I've been running into issues because the code is not only rendered unsanitized on the webpage/preview, but also in the block preview on the actual edit page.
It's quite disturbing when you want to paste one of the new (?) responsive vimeo.com embed codes, which load a JS file that seems to break Sulu's backend JS to the point that you aren't able to save the page anymore...
But then, I'm on 1.4; maybe 1.6 has got a different behaviour?
@floatingbits only the CKEditor runs JS code, but there it runs inside an iframe and should not crash any backend components. And for embed codes it is recommended to use textareas and not text editors. So updating to 1.6 should fix it for textareas.
Hmmm. I do use a textarea. The HTML is output without any sanitizing to the block preview.
The code that breaks the whole edit page is a simple Vimeo embed code featuring a script tag:
<div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/267254114?title=0&byline=0&portrait=0" style="position:absolute;top:0;left:0;width:100%;height:100%;" frameborder="0" webkitallowfullscreen mozallowfullscreen allowfullscreen></iframe></div><script src="https://player.vimeo.com/api/player.js"></script>
My blocks (without the breaking script tag) look like this:
EDIT: Ahh, ok. The update to 1.6 should fix it :-)
For @prodigysml: if you don't want to output something on the website, you may need to create a custom Twig extension using something like http://htmlpurifier.org.
@floatingbits that's good.
I will now close the issue as it seems to be fixed; otherwise feel free to reopen it or add a comment.
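The suggestion above (a custom Twig extension backed by HTMLPurifier) spelled out as an added example; this is not Sulu's own code and the project ships nothing like it. It assumes `ezyang/htmlpurifier` and `twig/twig` are installed through Composer and uses the Twig 2/3 class names (`Twig\Extension\AbstractExtension`, `Twig\TwigFilter`); Sulu 1.x shipped Twig 1, where the base classes are `Twig_Extension` and `Twig_SimpleFilter`. The filter name `purify`, the element allowlist and the Vimeo host regex are choices made for this example, and the input string is constructed from the embed code posted in the thread plus an injected `onerror` handler to show what a logged-in editor could otherwise store.

```php
<?php
// Added example, not Sulu project code. Sanitizes textarea/editor HTML at
// render time instead of trusting the content manager.
// Assumes: composer require ezyang/htmlpurifier twig/twig
require __DIR__ . '/vendor/autoload.php';

use Twig\Extension\AbstractExtension;
use Twig\TwigFilter;

final class PurifyExtension extends AbstractExtension
{
    private HTMLPurifier $purifier;

    public function __construct()
    {
        $config = HTMLPurifier_Config::createDefault();
        // HTMLPurifier caches parsed definitions; give it a writable directory.
        $config->set('Cache.SerializerPath', sys_get_temp_dir());
        // Allowlist only what templates need. <script> is never on it, so the
        // player.js tag from the thread is dropped; unlisted attributes such as
        // inline event handlers are dropped as well. (Example allowlist.)
        $config->set('HTML.Allowed', 'p,br,strong,em,a[href|title],ul,ol,li,div[style],iframe[src|style|frameborder]');
        // iframes are stripped entirely unless SafeIframe is enabled; restrict
        // them to the player host so an editor cannot embed an arbitrary page.
        $config->set('HTML.SafeIframe', true);
        $config->set('URI.SafeIframeRegexp', '%^https://player\.vimeo\.com/video/%'); // example regex
        // Note: inline CSS is filtered too; positioning properties like
        // position:absolute are removed unless CSS.AllowTricky is enabled.
        $this->purifier = new HTMLPurifier($config);
    }

    public function getFilters(): array
    {
        // is_safe => html tells Twig the result needs no further autoescaping.
        return [new TwigFilter('purify', [$this, 'purify'], ['is_safe' => ['html']])];
    }

    public function purify(?string $html): string
    {
        return $this->purifier->purify((string) $html);
    }
}

// Demonstration: the same content rendered with |raw (what the thread describes)
// and with |purify. Template names and the 'html' variable are example choices.
$twig = new \Twig\Environment(new \Twig\Loader\ArrayLoader([
    'unsafe.html.twig' => '{{ html|raw }}',
    'safe.html.twig'   => '{{ html|purify }}',
]));
$twig->addExtension(new PurifyExtension());

// Constructed input: the Vimeo embed from the thread plus an injected handler.
$html = '<div style="padding:56.25% 0 0 0;position:relative;">'
      . '<iframe src="https://player.vimeo.com/video/267254114?title=0&byline=0&portrait=0" frameborder="0" allowfullscreen></iframe>'
      . '</div>'
      . '<script src="https://player.vimeo.com/api/player.js"></script>'
      . '<img src=x onerror="alert(document.cookie)">';

echo "RAW (script and onerror reach the browser):\n";
echo $twig->render('unsafe.html.twig', ['html' => $html]), "\n\n";
echo "PURIFIED (iframe kept, <script> and onerror removed):\n";
echo $twig->render('safe.html.twig', ['html' => $html]), "\n";
```

Register the extension as a Twig service and replace `{{ block.description|raw }}` with `{{ block.description|purify }}` in the template; this only hardens the website output, so the backend block preview the thread mentions still needs the 1.6 fix.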