Welcome to Geeklog, Anonymous Friday, May 24 2024 @ 03:48 am EDT

Question: Why does Geeklog remove certain HTML tags?

Answer: Starting with Geeklog 1.3.8-1sr1 (and retrofitted into 1.3.7sr3), Geeklog uses an HTML filter called kses, developed by Ulf Harnhammar and others. This filter removes any HTML tags that are not in one of the two lists of allowed HTML tags in config.php.

Geeklog uses two lists so that Admin users (StoryAdmins, actually) can use a broader set of HTML tags than normal users. The two lists, therefore, are $_CONF['user_html'] for normal users and $_CONF['admin_html'] for Admin users. The Admin list is actually an extension of the user list, so that Admins can use all the HTML tags from any of the two lists. When an HTML tag is included in both lists, the definition in the Admin list overrides that from the user list, so that you can allow Admins to use more attributes than normal users (see below for examples).

An example should make things clearer. Assume we want to allow the use of the strong tag for all our users. So we add the following line to the $_CONF['user_html'] list in config.php (for Geeklog 1.5 and later, see below):

    'strong' => array()

(make sure that the line before this new line ends with a comma).

This will now allow any user (normal users and Admins) to use the strong tag when posting stories and comments in HTML mode. Should they try to add any attributes, e.g. the style attribute, then those will be stripped, as the empty array() tells the kses filter that no attributes are allowed.

Any attributes that should be allowed to be used with an HTML tag have to be listed with that tag. So say, for example, we want to allow the style attribute with the strong tag, but only for the Admins (for security reasons - see below). So we add the following line to $_CONF['admin_html']:
    'strong' => array('style' => 1)

For Admins, this will override the (stricter) definition of the tag (in $_CONF['user_html']) that did not allow any attributes, so that Admins can now use the style attribute with the strong tag while normal users can only the use the tag without any attributes.

Geeklog 1.5 and later
As of Geeklog 1.5.0, the user and admin HTML lists are available in the Configuration admin panel (under 'Miscellaneous'). The idea is the same as above: You add the allowed HTML tags and for each tag, you add the allowed attributes. The only difference is that you don't use the array() syntax for the attributes any more - simply enter their names (see the existing attributes).

Security considerations
Please be very careful when you allow new tags and attributes to be used, especially when allowing them for normal users. The style attribute, that we used in the example above, can be used to deface a site and may also be used to inject malicious JavaScript code (although the kses filter should usually catch those).

Another popular request is to allow the img tag so that users can link to images. It is, however, dangerous to allow the use of the img tag as it may be used to trick certain browsers into executing remote scripts. If at all, you should only allow that tag for your StoryAdmins. The definition would look like this:
    'img' => array ('src' => 1, 'width' => 1, 'height' => 1, 'alt' => 1)

You may want to add other attributes (e.g. 'border' and 'title') as well.

Hits: 328

FAQ » Usage » Why does Geeklog remove certain HTML tags?