I am running 1.7.003 revision 31658 - the latest from trunk, I believe. I am
fully aware of the CERN advisory and which tags/attributes are safe and which
are not but, like you said, most other administrators probably are not aware of
the risks.
As I wrote in my post to the tracker - creating a checklist of safe
tags/attributes and adding a preference screen in admin should be pretty
straightforward - for the core developer group. I would be happy to compile a
list of tags and attributes (in SQL format) which CERN has regarded as safe if
someone (one of the core developers) wants to create the preference screen.
The code in svn allows some more HTML attributes compared to e.g. 1.6,
not sure which version you tried.
I'll have a look, though I don't know if it's something I want to leave
to the administrator, because it's easy to open up EGroupware to XSS if
you don't know exactly what you are doing.
Ralf
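The two messages above describe an allowlist of tags and attributes that an administrator could edit, and the concern that enabling an attribute such as `style` opens the wiki to XSS. The following is an added example, not EGroupware's own filter from class.html.inc.php, showing how such a checklist-driven filter behaves: a default allowlist drops `style` and event-handler attributes, and an administrator-extended allowlist that enables `style` keeps it only after reducing the value to a small set of CSS declarations, which is the safeguard a preference screen would need. The tag and property sets, the `sanitize`/`filter_style` names and the wiki fragment are all constructed for the example.

```python
"""Allowlist-based HTML filter modelled on the tag/attribute checklist discussed
in the thread. Added example; not EGroupware's class.html.inc.php."""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical default allowlist: tag -> attributes that survive filtering.
DEFAULT_ALLOWED = {
    "div": {"class", "id"},
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(),
    "a": {"href", "title"},
}
# An administrator's extended allowlist that additionally enables style on div.
ADMIN_ALLOWED = {**DEFAULT_ALLOWED, "div": {"class", "id", "style"}}

SAFE_URL_SCHEMES = {"", "http", "https", "mailto"}   # "" means a relative URL
# Inline CSS declarations kept when style is enabled. Values may not contain
# parentheses or quotes, so function-style constructs never reach the browser.
SAFE_CSS_PROPS = {"color", "background-color", "font-weight", "font-style",
                  "text-align", "text-decoration"}
_CSS_VALUE = re.compile(r"^[\w\s#%.,-]+$")


def filter_style(value):
    """Return a style string holding only allowlisted declarations, or None."""
    kept = []
    for decl in value.split(";"):
        if ":" not in decl:
            continue
        prop, val = (s.strip() for s in decl.split(":", 1))
        if prop.lower() in SAFE_CSS_PROPS and _CSS_VALUE.match(val):
            kept.append(f"{prop.lower()}: {val}")
    return "; ".join(kept) or None


class AllowlistSanitizer(HTMLParser):
    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed = allowed
        self.out, self.dropped = [], []
        self._skip = 0   # > 0 while inside <script>/<style>, whose text is discarded

    def handle_starttag(self, tag, attrs):
        if self._skip:
            if tag in ("script", "style"):
                self._skip += 1
            return
        if tag not in self.allowed:
            self.dropped.append(tag)
            if tag in ("script", "style"):
                self._skip += 1
            return
        rendered = []
        for name, value in attrs:
            value = value or ""
            if name not in self.allowed[tag]:
                self.dropped.append(f"{tag}@{name}")
                continue
            if name == "href" and urlsplit(value).scheme not in SAFE_URL_SCHEMES:
                self.dropped.append(f"{tag}@{name}")
                continue
            if name == "style":
                value = filter_style(value)
                if value is None:
                    self.dropped.append(f"{tag}@{name}")
                    continue
            rendered.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(rendered)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # <br/> is rendered as <br>

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
            return
        if not self._skip and tag in self.allowed:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data))   # text is always re-escaped

    def handle_comment(self, data):
        pass   # comments are dropped entirely


def sanitize(html, allowed=DEFAULT_ALLOWED):
    """Return (filtered_html, list of dropped tags / tag@attribute entries)."""
    parser = AllowlistSanitizer(allowed)
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed wiki fragment: a styled div with an event handler, a script block,
# one link with an allowed scheme and one with a disallowed scheme.
CONSTRUCTED_WIKI_HTML = (
    '<div style="color: red; background: url(x)" onclick="doSomething()">'
    'Hello <b>world</b><script>track()</script>'
    '<a href="https://www.egroupware.org">site</a>'
    '<a href="javascript:void(0)">bad</a></div>'
)

if __name__ == "__main__":
    for label, allowed in (("default", DEFAULT_ALLOWED), ("admin", ADMIN_ALLOWED)):
        html, dropped = sanitize(CONSTRUCTED_WIKI_HTML, allowed)
        print(label, "->", html, "| dropped:", dropped)
```

With the default allowlist the `style` and `onclick` attributes, the script block and the non-HTTP link target are all dropped; with the administrator's allowlist the `style` attribute survives, but only as `color: red`, because the property filter runs regardless of what the preference screen enables. Logging the `dropped` list is the cheap way to see which content a filter change would have let through.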
Hi everyone,
I was trying to add the 'style' attribute to a div HTML tag in the wiki and
became frustrated to learn that EGroupware strips the 'style' attribute from
the div HTML tag. After 6 hours of debugging - and peeling back the onion -
I finally found the HTML filters buried in
./phpgwapi/inc/class.html.inc.php. Although I could have simply edited the
list of filters to allow the style attribute, I instead updated the code to
allow the administrator to modify the filters in the 'common preferences'
screen. I've created a couple of diffs that I'll post to the tracker.
–
Ralf Becker
Director Software Development
Stylite GmbH
[open style of IT]
Morschheimer Strasse 15
67292 Kirchheimbolanden
fon +49 (0) 6352 70629-0
fax +49 (0) 6352 70629-30
mailto: [hidden email]
www.stylite.de
www.egroupware.org
Managing directors: Andre Keller,
Gudrun Müller, Ralf Becker
Commercial register: Kaiserslautern HRB 30575
VAT ID: DE214280951
eGroupWare-developers mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/egroupware-developers