Purifier anomaly

I want to be able to type in something like "< 1 day" into a rich text field (i.e. "less than 1 day").

On a Fuel Page, on saving, the text is preserved correctly as it passes through Purifier (in HTMLPurifier_HTML5Config mode, in my case).

If I type the same text into a rich text field in a Simple Module, the text is transformed into "< 1>". It seems Purifier is closing the < to turn the stanza into a tag.

It looks like modules is doing something slightly different when calling Purifier?

Comments

  • It seems likely that it may be due to the default security settings for a module. In the fuel/modules/fuel/config/fuel_modules.php file, line 37 of the $config['modules']['pages'] configuration, there is a line for sanitizing input which overwrites the default value of a module:

    'sanitize_input' => array('template','php'),
    

    There is also a mapping of functions that can be set in the MY_fuel.php config for module_sanitize_funcs. The default is:

    $config['module_sanitize_funcs'] = array(
        'xss' => 'xss_clean', 
        'php' => 'encode_php_tags', 
        'template' => 'php_to_template_syntax', 
        'entities' => 'htmlentities',
        'purify' => 'html_purifier',
    );
    

    The actual sanitizing of the data happens in the fuel/modules/fuel/controllers/Module.php file on line 1200.

  • Perfect! Thanks.
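As an added illustration of the setting described in the answer above (not code from the thread or from FUEL itself), this is how a simple module could be given the same `sanitize_input` value as the pages module. The module name `articles` is hypothetical, and the example assumes the override lives in the application's `MY_fuel_modules.php` config file.

```php
<?php
// fuel/application/config/MY_fuel_modules.php
// Added example: 'articles' is a hypothetical simple module.

// Before: no 'sanitize_input' entry, so the module uses the default
// sanitizing applied to modules.
//
// $config['modules']['articles'] = array(
//     // ... the module's other settings ...
// );

// After: the same value the pages module uses in fuel_modules.php.
// Each entry is a key from the $config['module_sanitize_funcs'] map
// ('xss', 'php', 'template', 'entities', 'purify').
$config['modules']['articles'] = array(
    // ... the module's other settings ...
    'sanitize_input' => array('template', 'php'),
);

// Review point: sanitizers whose keys are not listed here are not named
// for this module. If the rich text field is later rendered as HTML,
// confirm it is still purified or escaped on output, or add the relevant
// key (for example 'purify') to the list and re-test the "< 1 day" input.
```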
