Simple Machines Community Forum

Customizing SMF => SMF Coding Discussion => Topic started by: Ivan F. on July 12, 2018, 11:08:44 AM

Title: Allow HTML "class" attribute
Post by: Ivan F. on July 12, 2018, 11:08:44 AM
Hello people  :)

I need to allow the HTML "class" attribute for all users in my forum, in order to call an external 100% sure script.

I've already allowed basic HTML in settings.
So, users can now post links with HTML, such as:

<a href="http://mylink.com">Link</a>

But if they try to use the "class" attribute inside:

<a href="http://mylink.com" class="myclass">Link</a>

They obtain this:
<a href="http://mylink.com" class="myclass">Link[/url]

Two questions:
1. How do I add the "class" attribute to the allowed tags list?
(after that, I guess that my forum will close the </a> tag)
2. Does allowing this attribute pose a concrete security risk?

Thanks a lot!
Title: Re: Allow HTML "class" attribute
Post by: Arantor on July 12, 2018, 11:18:29 AM
1. Not without fairly significant changes to the way all of the preparsing is done to make this work 100% correctly.

2. Needs to be implemented carefully as if not implemented correctly, this could easily become a nasty issue.

Why do your users need to add classes exactly?
Title: Re: Allow HTML "class" attribute
Post by: Ivan F. on July 12, 2018, 11:55:17 AM
Quote from: Arantor on July 12, 2018, 11:18:29 AM
Why do your users need to add classes exactly?

Because the correct "class" can call the Embedly script, allowing rich previews and audio/video embedding.
Title: Re: Allow HTML "class" attribute
Post by: Arantor on July 12, 2018, 12:05:24 PM
What does that offer that the existing embed mods do not?
Title: Re: Allow HTML "class" attribute
Post by: Ivan F. on July 12, 2018, 12:38:04 PM
Quote from: Arantor on July 12, 2018, 12:05:24 PM
What does that offer that the existing embed mods do not?

A single solution to embed links, audio and video with rich previews.

Are there mods that can generate rich previews from links?
Didn't find any, but I'd sure prefer to install a mod than allowing new HTML tags.
Title: Re: Allow HTML "class" attribute
Post by: Arantor on July 12, 2018, 12:50:08 PM
Depends what sites you want to preview, really...
Title: Re: Allow HTML "class" attribute
Post by: Ivan F. on July 12, 2018, 12:58:45 PM
Quote from: Arantor on July 12, 2018, 12:50:08 PM
Depends what sites you want to preview, really...

Well, any site I can link some news from.
So, I was trying to allow the Embedly script.

Do you know if some sort of documentation about allowing a single non-risky (hopefully) HTML attribute exists?
Title: Re: Allow HTML "class" attribute
Post by: Illori on July 12, 2018, 01:05:07 PM
Do you think your users would really remember to use HTML with the class when they add links to their posts? I bet they would not remember or not care to do it.
Title: Re: Allow HTML "class" attribute
Post by: Arantor on July 12, 2018, 01:22:01 PM
Not to mention that embedding as proposed is potentially a GDPR problem...
Title: Re: Allow HTML "class" attribute
Post by: Ivan F. on July 12, 2018, 01:24:55 PM
Quote from: Illori on July 12, 2018, 01:05:07 PM
Do you think your users would really remember to use HTML with the class when they add links to their posts? I bet they would not remember or not care to do it.

Honestly, I don't think it will be a problem.
We'll add a custom button to automatically insert HTML code, with the same behaviour as the BBCode buttons.

Can anyone help me with my original question?
1. How do I add the "class" attribute to the allowed tags list?
Title: Re: Allow HTML "class" attribute
Post by: Kindred on July 12, 2018, 01:29:07 PM
If you want to allow class to be autoparsed when pasting the link <a href... tag, then you are talking about a serious rewrite of code, with security and other connotations.

If you want to allow a class argument in the BBC URL tag, then (in theory) you just have to modify the URL BBC in subs.php with one, maybe three lines.

But that assumes that people will TYPE

[url class=blahblah]

around the link
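
An added example, not part of the thread and not SMF code: a stand-alone PHP sketch of what a carefully handled [url class=...] tag involves, namely an exact-match allowlist for the class value, an http(s)-only check on the target, and escaping of everything else. The function names and the allowlist are hypothetical; 'myclass' is the placeholder from the first post.

```php
<?php
// Added example, not SMF code: every name here is hypothetical.
// Allowlist of class values; 'myclass' is the placeholder from the first post.
const ALLOWED_LINK_CLASSES = ['myclass'];

// Build the anchor, or return null so the caller leaves the text untouched.
function render_url_tag(string $class, string $target): ?string
{
    // Exact match only: spaces, quotes and extra classes never get through.
    if (!in_array($class, ALLOWED_LINK_CLASSES, true)) {
        return null;
    }
    // Require http(s) and a host, which rejects javascript:, data: and similar.
    $parts = parse_url($target);
    $scheme = is_array($parts) ? strtolower($parts['scheme'] ?? '') : '';
    if (!in_array($scheme, ['http', 'https'], true) || empty($parts['host'])) {
        return null;
    }
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    $href = htmlspecialchars($target, $flags, 'UTF-8');
    $cls = htmlspecialchars($class, $flags, 'UTF-8');
    return "<a href=\"$href\" class=\"$cls\" rel=\"nofollow noopener\">$href</a>";
}

function parse_post(string $message): string
{
    // Escape the whole post first; the only markup in the output is built above.
    $safe = htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return preg_replace_callback(
        '~\[url class=([A-Za-z0-9_-]+)\]([^\s\[\]]+)\[/url\]~i',
        function (array $m): string {
            // The match is already escaped; decode before validating the URL.
            $target = htmlspecialchars_decode($m[2], ENT_QUOTES);
            return render_url_tag($m[1], $target) ?? $m[0];
        },
        $safe
    ) ?? $safe;
}

// Constructed sample posts: one accepted, three left as inert text.
$samples = [
    '[url class=myclass]http://mylink.com[/url]',
    '[url class=admin-button]http://mylink.com[/url]',
    '[url class=myclass]javascript:alert(1)[/url]',
    '<a href="http://mylink.com" class="myclass">Link</a>',
];
foreach ($samples as $post) {
    echo parse_post($post), PHP_EOL;
}
```

Only the first sample becomes an anchor; the other three come out as escaped text, so a class outside the allowlist, a non-http scheme, or raw HTML never reaches the page as markup.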
Title: Re: Allow HTML "class" attribute
Post by: Ivan F. on July 12, 2018, 02:12:48 PM
Quote from: Kindred on July 12, 2018, 01:29:07 PM
If you want to allow class to be autoparsed when pasting the link <a href... tag, then you are talking about a serious rewrite of code, with security and other connotations.

Thanks a lot, Kindred.

I understand we are talking about a good amount of work and, above all, of risk.
So, I think it's better to abort this project. I'll explore other solutions.