Opened 6 years ago
Closed 7 months ago
#1484584 closed Feature Requests (wontfix)
Integrate HTML Purifier
| Reported by: | thomasb | Owned by: | |
|---|---|---|---|
| Priority: | 5 | Milestone: | later |
| Component: | PHP backend | Version: | git-master |
| Severity: | normal | Keywords: | html cleanup xss security |
| Cc: | | | |
Description
Use http://htmlpurifier.org instead of the internal functions to clean up HTML mail contents. Add the path to the installed package to config.
Change History (7)
comment:1 Changed 6 years ago by thomasb
- Type changed from Bugs to Feature Requests
comment:2 Changed 5 years ago by thomasb
Should also fix #1484701
comment:3 Changed 5 years ago by till
- Milestone changed from 0.1-stable to 0.2-beta
I'm removing this from 0.1-stable because (afaik) 0.1-stable needs to run on PHP4 too, and htmlpurifier runs on php5 only.
comment:4 Changed 5 years ago by thomasb
- Milestone changed from 0.2-beta to later
Washtml does a good job for the moment.
comment:5 Changed 5 years ago by ilifeis
I agree with Thomasb, Washtml does a good job because I tried to use htmlpurifier and it uses more power and is slower than Washtml.
If we need to change, I think htmlawed is more suitable than HTML Purifier.
comment:6 Changed 2 years ago by michaelc
- Keywords xss security added
- Version changed from 0.1-rc1 to svn-trunk
Refs #1484781. I emailed the author of HTML Purifier for a (potentially biased, but extremely experienced) opinion regarding WasHTML. The content of his message is below:

Preliminary thoughts:

Probable security hole:
- The url() in CSS is notoriously difficult to get right, and in particular I don't see any handling for backslashes or quoting rules (well, he does "quote it", but using HTML quoting for CSS is not really correct...)

Overall design:
- +1 for using DOMDocument
- -1 for placing user data in comments. There are /a lot/ of ways to break out of comments that aren't affected by htmlspecialchars; they're kind of their own proprietary browser wonderland
- -1 for character encoding obliviousness
- -1 for not enforcing validity on the attribute level (of course, this one's usually not a reasonable demand :-)

Feel free to share; it'll probably be a while before I get around to writing a full entry.

Cheers,
Edward
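The first point in the quoted message (HTML quoting is not CSS quoting) is easy to see in code. The following is an added illustration, not code from Roundcube, washtml or HTML Purifier: it contrasts `htmlspecialchars` with a hypothetical CSS-aware `css_url_value()` check that validates and re-encodes a `url()` argument instead of trying to escape it. The function names, the allowed-scheme list and the sample input are assumptions made for the example.

```php
<?php
// Added example (not project code): HTML escaping versus a CSS-aware url() check.
// Function names and the scheme whitelist are hypothetical choices for this illustration.

// Escaping for the HTML text/attribute context only; it knows nothing about CSS syntax.
function html_escape(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Return a value that is safe to place inside url("...") in a CSS declaration, or null.
// CSS has its own escaping rules (backslash escapes, its own quoting), so instead of
// escaping the value is validated and normalised:
//   - only URLs with a scheme from $allowed_schemes are accepted,
//   - the raw string may not contain characters with meaning in CSS string/function syntax,
//   - anything outside a conservative URL character set is percent-encoded.
function css_url_value(string $raw, array $allowed_schemes = ['http', 'https']): ?string {
    // Backslash, quotes, parentheses and control characters can alter CSS tokenisation.
    if (preg_match('/[\\\\"\'()\x00-\x1f\x7f]/', $raw)) {
        return null;
    }
    $parts = parse_url($raw);
    if ($parts === false || !isset($parts['scheme'])
        || !in_array(strtolower($parts['scheme']), $allowed_schemes, true)) {
        return null;
    }
    // Percent-encode every byte outside the unreserved/reserved URL character set.
    return preg_replace_callback(
        '/[^A-Za-z0-9\-._~:\/?#\[\]@!$&*+,;=%]/',
        function ($m) { return rawurlencode($m[0]); },
        $raw
    );
}

// Constructed input: a URL containing a backslash. htmlspecialchars leaves it untouched,
// which is exactly why HTML quoting gives no protection in a CSS context.
$sample = 'http://example.com/a\\b';          // single-quoted PHP: one literal backslash
var_dump(html_escape($sample) === $sample);   // bool(true): nothing was escaped
var_dump(css_url_value($sample));             // NULL: rejected by the CSS-aware check
var_dump(css_url_value('https://example.com/img.png?x=1 2')); // accepted, space encoded
var_dump(css_url_value('javascript:alert(1)'));               // NULL: scheme not allowed
```

The check is deliberately strict: a value that fails it should be dropped from the sanitised output rather than escaped and kept.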
comment:7 Changed 7 months ago by alec
- Resolution set to wontfix
- Status changed from new to closed

Not a Bug but a Feature Request