Forum Discussion

KPNOnline
Mentor
9 years ago

Stripping HTML when posting message through API

When posting a message through the REST API, it can happen that a user inserts invalid HTML into the message body. When the server replies with an error status 100, it says it changed the HTML, but that's not true. That only applies when using the default TinyMCE editor Lithium supplies.

So the question is: is there a function that strips out the HTML to become 'valid', through JavaScript OR a FreeMarker util? For example, the smileys used from within TinyMCE contain img attributes that are not allowed once 're-used' (like the class=""). So those have to be stripped out.

I found this:

http://community.lithium.com/t5/Developers-Knowledge-Base/utils-FreeMarker-context-object/ta-p/9345

utils.html.stripper.from.owasp

But I'm not sure if it's any good.

How is it done on the backend of Lithium?

Thanks

      KPNOnline
      Mentor

      OlivierS wrote:

      @KPNOnline have a look at this thread, it might help.


      Thanks OlivierS, I had indeed looked at the thread before. But this encourages using a 'custom' set of allowed elements/attributes, or removing all HTML altogether with utils.html.stripper.from.gdata.strip.... Message markup must be preserved, and with custom elements/attributes there is still no guarantee Lithium accepts it as a 'valid' message.

      Problem is, let's say someone makes a message like this:

      <img class="invalid" my-invalid-attr="invalid" src="/valid/valid.jpg"/>

      The invalid attributes need to be stripped off, otherwise Lithium will not allow this message to be saved.

      I could copy all the Lithium-allowed elements/attributes into a custom utils.html.stripper.from.owasp... But the problem then is, if Lithium decides to change the rules regarding HTML/attributes, it would potentially break as an invalid message.

      When using the default Lithium TinyMCE editor, the backend 'cleans' the message if it contains illegal elements/attributes, sends it back to the client for review, and the user re-sends the message. Is there a way to inherit that flow, by using the 'clean' method Lithium uses itself?

      Thanks
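As an added illustration (not Lithium's code, and not its real allowlist) of the allowlist flow the reply describes: parse the message, keep only allowlisted elements and attributes, and return what was stripped so the user can review the changes before re-sending. The ALLOWED table below is a constructed placeholder that would need to mirror whatever the backend actually accepts, and Python's standard-library parser is used so the example runs stand-alone; the URL-scheme check on href/src shows why an attribute-name allowlist alone is not enough for safety.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist for illustration only; it is NOT Lithium's real rule set.
ALLOWED = {
    "p": set(), "br": set(), "strong": set(), "em": set(),
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
}
VOID = {"br", "img"}                   # emitted self-closing, never with an end tag
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https"}   # "" covers relative URLs like /valid/valid.jpg

def attr_ok(tag, name, value):
    # Allowlisted for this tag; URL-bearing attributes must also use a safe scheme.
    safe_url = name not in URL_ATTRS or urlparse(value.strip()).scheme.lower() in SAFE_SCHEMES
    return name in ALLOWED[tag] and safe_url

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.removed = []  # (tag, attribute-or-None) so the user can review what changed

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:          # unknown element: drop the tag, keep its text
            self.removed.append((tag, None))
            return
        kept = []
        for name, value in attrs:
            value = value or ""         # bare attributes such as <input disabled>
            if attr_ok(tag, name, value):
                kept.append(f' {name}="{escape(value, quote=True)}"')
            else:
                self.removed.append((tag, name))
        self.out.append(f"<{tag}{''.join(kept)}{' /' if tag in VOID else ''}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))   # re-escape text content

def sanitize(html):
    # Returns (clean_html, removed) for one message body.
    s = AllowlistSanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out), s.removed
```

Running the reply's own example, `sanitize('<img class="invalid" my-invalid-attr="invalid" src="/valid/valid.jpg"/>')` keeps only the src attribute and reports class and my-invalid-attr as removed.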