Advertisement:

Author Topic: Allow HTML "class" attribute  (Read 405 times)

Offline Ivan F.

  • Newbie
  • *
  • Posts: 8
Allow HTML "class" attribute
« on: July 12, 2018, 11:08:44 AM »
Hello people  :)

I need to allow the HTML "class" attribute for all users in my forum, in order to call an external 100% sure script.

I've already allowed basic HTML in settings.
So, users can now post links with HTML, such as:

Code: [Select]
<a href="http://mylink.com">Link</a>
But if they try to use the "class" attribute inside:

Code: [Select]
<a href="http://mylink.com" class="myclass">Link</a>
They obtain this:
Code: [Select]
<a href="http://mylink.com" class="myclass">Link[/url]
Two questions:
1.
How do I add the "class" attribute to the allowed tags list?
(after that, I guess that my forum will close the </a> tag)
2. Allowing this attribute poses a concrete security risk?

Thanks a lot!

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 69,459
    • StoryBB/StoryBB on GitHub
Re: Allow HTML "class" attribute
« Reply #1 on: July 12, 2018, 11:18:29 AM »
1.not without fairly significant changes to the way all of the preparsing is done to make this work 100% correctly.

2. Needs to be implemented carefully as if not implemented correctly, this could easily become a nasty issue.

Why do your users need to add classes exactly?
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

Offline Ivan F.

  • Newbie
  • *
  • Posts: 8
Re: Allow HTML "class" attribute
« Reply #2 on: July 12, 2018, 11:55:17 AM »
Why do your users need to add classes exactly?

Because the correct "class" can call the Embedly script, allowing rich previews and audio/video embedding.

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 69,459
    • StoryBB/StoryBB on GitHub
Re: Allow HTML "class" attribute
« Reply #3 on: July 12, 2018, 12:05:24 PM »
What does that offer that the existing embed mods do not?
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

Offline Ivan F.

  • Newbie
  • *
  • Posts: 8
Re: Allow HTML "class" attribute
« Reply #4 on: July 12, 2018, 12:38:04 PM »
What does that offer that the existing embed mods do not?

A single solution to embed links, audio and video with rich previews.

Are there mods that can generate rich previews from links?
Didn't find any, but I'd sure prefer to install a mod than allowing new HTML tags.

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 69,459
    • StoryBB/StoryBB on GitHub
Re: Allow HTML "class" attribute
« Reply #5 on: July 12, 2018, 12:50:08 PM »
Depends what sites you want to preview, really...
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

Offline Ivan F.

  • Newbie
  • *
  • Posts: 8
Re: Allow HTML "class" attribute
« Reply #6 on: July 12, 2018, 12:58:45 PM »
Depends what sites you want to preview, really...

Well, any site I can link some news from.
So, I was trying to allow the Embedly script.

Do you know if some sort of documentation about allowing a single non-risky (hopefully) HTML attribute exists?

Offline Illori

  • Project Manager
  • SMF Master
  • *
  • Posts: 49,991
Re: Allow HTML "class" attribute
« Reply #7 on: July 12, 2018, 01:05:07 PM »
do you think your users would really remember to use html with the class when they add links to their posts? i bet they would not remember or not care to do it.

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 69,459
    • StoryBB/StoryBB on GitHub
Re: Allow HTML "class" attribute
« Reply #8 on: July 12, 2018, 01:22:01 PM »
Nlt to mention that embedding as proposed is potentially a GDPR problem...
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

Offline Ivan F.

  • Newbie
  • *
  • Posts: 8
Re: Allow HTML "class" attribute
« Reply #9 on: July 12, 2018, 01:24:55 PM »
do you think your users would really remember to use html with the class when they add links to their posts? i bet they would not remember or not care to do it.

Honestly, I don't think will be a problem.
We'll add a custom button to automatically insert HMTL code, with the same behaviour of BBCode buttons.

Anyone can help me with my original question?
1. How do I add the "class" attribute to the allowed tags list?

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 57,237
  • Gender: Male
    • Kindred-999 on GitHub
Re: Allow HTML "class" attribute
« Reply #10 on: July 12, 2018, 01:29:07 PM »
if you want to allow class to be autoparsed, when pasting the link <a href... tag, then you are talking about a serious rewrite of code, with security and other connotations.

if you want to allow a class argument in the BBC URL tag, then (in theory) just have to modify the URL BBC in subs.php with one, maybe three lines.

but that assumes that people will TYPE

[url class=blahblah]

around the link
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

Offline Ivan F.

  • Newbie
  • *
  • Posts: 8
Re: Allow HTML "class" attribute
« Reply #11 on: July 12, 2018, 02:12:48 PM »
if you want to allow class to be autoparsed, when pasting the link <a href... tag, then you are talking about a serious rewrite of code, with security and other connotations.

Thanks a lot, Kindred.

I understand we are talking about a good amount of work and, above all, of risk.
So, I think it's better to abort this project. I'll explore other solutions.