More tolerant Stripogram (solution)
Hi all,

I extended SquishDot with a WYSIWYG editor (origin: vsbabu ieeditor). But it did not accept many tags due to the too small number of allowed HTML attributes in stripogram.

I patched stripogram to be more tolerant of, e.g., tables and other tags (missing: 'html' and 'body'). Make changes to the following variables in html2safehtml.py, __init__.py, select your acceptable tags, and change your code where you call the HTML stripping (for example in SquishDot 1.5 it is SquishSite.py, line 408).

can_close = ['ul','li','p','dd','dl','dt','ol','option','bdo','listing','map','optgroup','option','param',
    'marquee','menu','multicol','nobr','noembed','noframes','nolayer','noscript','plaintext','pre','q','rt','ruby','s','samp',
    'b','i','u','big','small','em','strong','blink','blockquote','center','cite','code','tt','ins','kbd','keygen',
    'table','del','strike-thru','dfn','fieldset','font','form','frame','frameset','label','caption','legend',
    'h1','h2','h3','h4','h5','h6','head','iframe','ilayer','layer','object','select','strike','sub','sup',
    'trow','thead','tbody','textarea','tr','tt','var','xml','xmp','title',
    'div','span','a','abbr','acronym','area','th','td']
never_close = ['br','wbr','hr', 'input', 'isindex','base','meta','basefont','bgsound','button','spacer',
    'col','colgroup','embed','isindex','link', 'img']

If you want to save space and you put 'td', 'th', 'tr', 'p' etc. in never_close (which is acceptable for browsers), stripping will destroy the HTML code :-(

I don't know if some tag is missing (so sorry), it was done with "visibone web designer's html card" on the desk, not w3c.

Best Regards,
--
Jaroslav Lukesh
-----------------------------------------------------------
This e-mail can not contain any viruses because I use Linux
On Monday, 02.05.2005, at 09:04 +0200, Jaroslav Lukesh wrote:
Hi all,
I extended SquishDot with a WYSIWYG editor (origin: vsbabu ieeditor). But it did not accept many tags due to the too small number of allowed HTML attributes in stripogram.
I patched stripogram to be more tolerant of, e.g., tables and other tags (missing: 'html' and 'body'). Make changes to the following variables in html2safehtml.py, __init__.py, select your acceptable tags, and change your code where you call the HTML stripping (for example in SquishDot 1.5 it is SquishSite.py, line 408).
can_close = ['ul','li','p','dd','dl','dt','ol','option','bdo','listing','map','optgroup','option','param',
    'marquee','menu','multicol','nobr','noembed','noframes','nolayer','noscript','plaintext','pre','q','rt','ruby','s','samp',
    'b','i','u','big','small','em','strong','blink','blockquote','center','cite','code','tt','ins','kbd','keygen',
    'table','del','strike-thru','dfn','fieldset','font','form','frame','frameset','label','caption','legend',
    'h1','h2','h3','h4','h5','h6','head','iframe','ilayer','layer','object','select','strike','sub','sup',
    'trow','thead','tbody','textarea','tr','tt','var','xml','xmp','title',
    'div','span','a','abbr','acronym','area','th','td']
never_close = ['br','wbr','hr', 'input', 'isindex','base','meta','basefont','bgsound','button','spacer',
    'col','colgroup','embed','isindex','link', 'img']
If you want to save space and you put 'td', 'th', 'tr', 'p' etc. in never_close (which is acceptable for browsers), stripping will destroy the HTML code :-(
I don't know if some tag is missing (so sorry), it was done with "visibone web designer's html card" on the desk, not w3c.
Looks like you completely defeat the purpose of the stripping ;)

Some people will especially like those <iframe> tags :)

Maybe you should also visit w3c for information about up-to-date HTML.
--
Tino Wildenhain <tino@wildenhain.de>
On Monday, 2 May 2005 09:52, Tino Wildenhain <tino@wildenhain.de> wrote:
On Monday, 02.05.2005, at 09:04 +0200, Jaroslav Lukesh wrote:
Hi all,
I extended SquishDot with a WYSIWYG editor (origin: vsbabu ieeditor). But it did not accept many tags due to the too small number of allowed HTML attributes in stripogram.
Looks like you completely defeat the purpose of the stripping ;)
Not so much, because you need to call which tags are allowed; if you do not specify them, it is not allowed. So you are more free if you need to use multiple kinds of stripping. One less-restrictive face should be to away 'html' and 'body'. Another extra-restrictive face will allow only 'br' and 'p' for example. And you should mix both faces of stripping on a single page.
Some people will especially like those <iframe> tags :)
You need to define allowed tags. So if you do not define 'iframe', it will be annihilated:
return strip(html2safehtml(text,self.getProperty('valid_tags',('b', 'a', 'i', 'br', 'p', 'h3', 'ul', 'li', 'font', 'br'))))
Maybe you should also visit w3c for information about up-to-date HTML.
It needed to be done quickly, there was no time to browse via a slow saturated line, so I used what I had on the desk.
--
Jaroslav Lukesh
-----------------------------------------------------------
This e-mail can not contain any viruses because I use Linux
Jaroslav Lukesh wrote:
I extended SquishDot with a WYSIWYG editor (origin: vsbabu ieeditor). But it did not accept many tags due to the too small number of allowed HTML attributes in stripogram.
Looks like you completely defeat the purpose of the stripping ;)
Yeah, what Tino said ;-)
Why are you bothering to strip when you basically let people put in all the abusive tags anyway?
return strip(html2safehtml(text,self.getProperty('valid_tags',('b', 'a', 'i', 'br', 'p', 'h3', 'ul', 'li', 'font', 'br'))))
Also, why don't you just add a valid_tags property to your Squishdot site rather than hacking the source code?

Chris
--
Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
On Tuesday, 17 May 2005 13:26, Chris Withers <chris@simplistix.co.uk> wrote:
Jaroslav Lukesh wrote:
I extended SquishDot with a WYSIWYG editor (origin: vsbabu ieeditor). But it did not accept many tags due to the too small number of allowed HTML attributes in stripogram.
Looks like you completely defeat the purpose of the stripping ;)
Yeah, what Tino said ;-)
Why are you bothering to strip when you basically let people put in all the abusive tags anyway?
Because it is not abusive tags for intranet blog.
return strip(html2safehtml(text,self.getProperty('valid_tags',('b', 'a', 'i', 'br', 'p', 'h3', 'ul', 'li', 'font', 'br'))))
Also, why don't you just add a valid_tags property to your Squishdot site rather than hacking the source code?
I want to use stripogram not only with squishdot. And second, at the time of hacking I did not know about the valid_tags property :o)

Best Regards,
--
Jaroslav Lukesh
-----------------------------------------------------------
This e-mail can not contain any viruses because I use Linux
Jaroslav Lukesh wrote:
Why are you bothering to strip when you basically let people put in all the abusive tags anyway?
Because it is not abusive tags for intranet blog.
Then why are you using stripogram in the first place?

Chris
--
Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
On Wednesday, 18 May 2005 10:57, Chris Withers <chris@simplistix.co.uk> wrote:
Jaroslav Lukesh wrote:
Why are you bothering to strip when you basically let people put in all the abusive tags anyway?
Because it is not abusive tags for intranet blog.
Then why are you using stripogram in the first place?
Because it does not contain tags from MS Office documents if it was placed through the clipboard into the MSIE WYSIWYG editor which I incorporate into slashdot. And second, the original restrictive stripogram is used for posting comments.
--
Jaroslav Lukesh
-----------------------------------------------------------
This e-mail can not contain any viruses because I use Linux
Jaroslav Lukesh wrote:
Because it does not contain tags from MS Office documents if it was placed through the clipboard into the MSIE WYSIWYG editor which I incorporate into slashdot.
For that, I'd use HTMLTidy instead. Until I get to do some major work on stripogram, it's always going to be much better...
And second, the original restrictive stripogram is used for posting comments.
Yes, that's to stop people putting in html which breaks Squishdot's layout, along with Javascript and other nasties. You, however, appear to want to circumvent all that work and let people break the layout of your site as well as inserting lots of nice XSS attacks and the like ;-)

cheers,
Chris
--
Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
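The two "faces" of stripping discussed in this thread (a restrictive tag list for comments, a looser one for article bodies), as an added example that is not stripogram's code and not from any poster. COMMENT_TAGS is the default valid_tags tuple quoted above; AllowlistSanitizer, sanitize, safe_url, SAFE_ATTRS, ARTICLE_TAGS and the sample input are hypothetical names and values constructed here, and the per-tag attribute and URL-scheme filtering is an assumption of this example, not a statement about what stripogram does.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

VOID = {"br", "hr", "img"}                                 # elements that never get a closing tag
SAFE_ATTRS = {"a": {"href"}, "font": {"color", "size"}}    # assumed per-tag attribute allowlist
DROP_CONTENT = {"script", "style", "iframe", "object"}     # when disallowed, drop what is inside too
COMMENT_TAGS = ("b", "a", "i", "br", "p", "h3", "ul", "li", "font")  # default quoted in the thread
ARTICLE_TAGS = COMMENT_TAGS + ("table", "tr", "td", "th", "iframe")  # constructed looser profile
SAMPLE = ('<p onclick="x()">Hi <a href="javascript:void(0)">a</a> <a href="https://example.org/">b</a></p>'
          '<iframe src="https://example.org/f"></iframe><table><tr><td>1</td></tr></table>')  # constructed

def safe_url(value):
    try:
        return urlsplit(value.strip()).scheme.lower() in ("", "http", "https", "mailto")
    except ValueError:                                     # unparsable URL: reject
        return False

class AllowlistSanitizer(HTMLParser):
    def __init__(self, valid_tags):
        super().__init__(convert_charrefs=True)
        self.valid, self.out, self.skip = set(valid_tags), [], 0

    def handle_starttag(self, tag, attrs):
        if tag not in self.valid:
            self.skip += tag in DROP_CONTENT               # True counts as 1; if never closed, the rest is dropped
        elif not self.skip:
            kept = ""
            for name, value in attrs:                      # anything not listed (onclick, style, ...) is dropped
                if name in SAFE_ATTRS.get(tag, ()) and (name != "href" or safe_url(value or "")):
                    kept += f' {name}="{escape(value or "", quote=True)}"'
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag not in self.valid:
            if tag in DROP_CONTENT and self.skip:
                self.skip -= 1
        elif not self.skip and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))     # text is re-escaped, never passed through raw

def sanitize(html, valid_tags):
    parser = AllowlistSanitizer(valid_tags)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

With COMMENT_TAGS the iframe and table markup are removed; with ARTICLE_TAGS both elements survive, so which profile is applied to which input is the decision that matters.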
participants (3)
- Chris Withers
- Jaroslav Lukesh
- Tino Wildenhain