Save html content to database

ladokjohan Posts: 15 Questions: 3 Answers: 0
edited January 2016 in Editor

Hi,

The DataTables table shows html content like line breaks (br) and links (a href) if it's already in the database. However, if I try to save a link (a href) from the editor (New or Edit buttons) to the database, the code is rewritten. How can I avoid that?

Example
If I write this in the editor:
<a href="https://editor.datatables.net/" target="_blank">DataTables</a>

It is saved as this in the database:
<a rel="nofollow" href="\" target="\">DataTables</a>

Thanks

Edit: changed to highlight code to look better in the forum

Answers

  • allan Posts: 65,252 Questions: 1 Answers: 10,814 Site admin

    What version of Editor is it that you are using? The 1.5.4 release shouldn't do any content removal like that.

    The issue is likely related to the XSS protection in Editor - it will strip out what it thinks is dangerous code. See the Editor security manual for details.

    Allan

  • ladokjohan Posts: 15 Questions: 3 Answers: 0

    Thanks for your answer. I'm using v1.5.5.

    I have read the info you linked to and it seems to be related to XSS. However, the htmLawed website states:

    "By default htmLawed permits these schemes in URLs for the href attribute:
    aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet"

    If so, a common a href link starting with http would not be rewritten? But it is. If XSS protection could be used but still allow links starting with http or https, it would be great. If I want to disable XSS, where can it be done?

    Will I have problems with XSS if I use the CKEditor plugin too?

    A related question: which files need password protection to avoid unwanted users (to minimise the risk of dangerous code)?

  • allan Posts: 65,252 Questions: 1 Answers: 10,814 Site admin
    edited January 2016

    There is no Editor v1.5.5 release yet. It will likely be early next month before 1.5.5 is available.

    If so, a common a href link starting with http would not be rewritten?

    I don't think it should be. If you load this example and edit a record, adding your a string, then save the row, you'll see that it does correctly save and the href is retained.

    If I want to disable XSS, where can it be done?

    Use the Field->xss() method and pass in a single parameter: false.

    Will I have problems with XSS if I use the CKEditor plugin too?

    Probably since it would pass through the same code.

    A related question: which files need password protection to avoid unwanted users (to minimise the risk of dangerous code)?

    Any that provide the ability to edit your table should be behind whatever login system you are using.

    Allan

  • ladokjohan Posts: 15 Questions: 3 Answers: 0

    An old discussion, but now I have a solution. Disabling XSS didn't solve the problem. It didn't add rel="nofollow" in the link code when XSS was disabled, but the link URLs were still removed. The solution was to replace \" with " in $val just before the // XSS removal / checker part in file Field.php. I think the problem may have to do with the PHP version on the server. The problem shows up on PHP v5.3.3 but not on 5.4.3. I haven't been able to try it out on other versions.

  • allan Posts: 65,252 Questions: 1 Answers: 10,814 Site admin

    Thanks for noting this. The namespacing in the early 5.3 releases of PHP had all sorts of bugs. I'd recommend at least 5.3.10, or ideally one of the newer versions!

    Allan
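
The thread ends with two separate points: an HTML sanitiser with a URL-scheme allow list (the htmLawed behaviour quoted above) legitimately drops hrefs it cannot recognise, and request data that still carries backslash-escaped quotes (`\"`, the pattern ladokjohan found in `$val`) never reaches the sanitiser as a parseable attribute, so a perfectly good `https://` link is lost. The following is an added, stand-alone Python illustration of both effects; it is not Editor's, htmLawed's or CKEditor's code, and the sanitiser, the `unescape_magic_quotes` helper and the sample fragments are constructed for this example. It shows that undoing the escaping before sanitising restores the link, while the scheme check still rejects a `javascript:` href and drops `<script>` content.

```python
"""Constructed example: a minimal link sanitiser with a URL-scheme allow list,
and why backslash-escaped input must be un-escaped *before* it is sanitised.
Not the DataTables Editor or htmLawed implementation."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import html

# Subset of the scheme allow list quoted from the htmLawed docs in the thread.
ALLOWED_SCHEMES = {"http", "https", "mailto", "ftp"}
# Only these target values are preserved on <a>.
ALLOWED_TARGETS = {"_blank", "_self"}


def href_allowed(url: str) -> bool:
    """Accept only absolute URLs whose scheme is on the allow list.
    Anything unparseable (including an escaped \\"https://...\\" value)
    has no scheme and is rejected, which is the symptom seen in the thread."""
    scheme = urlsplit(url.strip()).scheme.lower()
    return scheme in ALLOWED_SCHEMES


class LinkSanitizer(HTMLParser):
    """Keeps <a> (href/target only) and <br>; text is re-escaped; every other
    tag is dropped, and the contents of <script>/<style> are dropped too."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.skipping = False  # inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skipping = True
            return
        if tag == "br":
            self.out.append("<br>")
            return
        if tag != "a":
            return  # unknown tag: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name == "href" and value and href_allowed(value):
                kept.append(f'href="{html.escape(value, quote=True)}"')
            elif name == "target" and value in ALLOWED_TARGETS:
                kept.append(f'target="{value}"')
        self.out.append("<a " + " ".join(kept) + ">" if kept else "<a>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skipping = False
        elif tag == "a":
            self.out.append("</a>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data, quote=False))


def sanitize(fragment: str) -> str:
    """Run the fragment through LinkSanitizer and return the cleaned HTML."""
    parser = LinkSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def unescape_magic_quotes(value: str) -> str:
    """Undo the \\" \\' \\\\ escaping that PHP's magic_quotes_gpc added to request
    data (hypothetical helper mirroring the Field.php fix described above).
    This must run before sanitising, never after."""
    return (value.replace('\\"', '"')
                 .replace("\\'", "'")
                 .replace("\\\\", "\\"))


# Constructed inputs: the link from the question, once clean and once as it
# arrives when the PHP layer has backslash-escaped the quotes.
CLEAN_LINK = '<a href="https://editor.datatables.net/" target="_blank">DataTables</a>'
ESCAPED_LINK = ('<a href=\\"https://editor.datatables.net/\\" '
                'target=\\"_blank\\">DataTables</a>')

if __name__ == "__main__":
    print(sanitize(ESCAPED_LINK))                          # href lost
    print(sanitize(unescape_magic_quotes(ESCAPED_LINK)))   # href kept
    print(sanitize('<a href="javascript:alert(1)">x</a><script>bad()</script>'))
```

Running the script shows the escaped fragment collapsing to `<a>DataTables</a>`, the un-escaped one surviving intact, and the `javascript:` link reduced to `<a>x</a>` with the script body gone. Relative URLs are deliberately rejected by `href_allowed`; loosen that only if the application needs them.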

This discussion has been closed.