monsieurbiz / SyliusRichEditorPlugin

This plugin adds a rich editor to fields so that elements can be dragged, dropped and edited.
MIT License

Sanitize HTML in Wysiwyg #115

Open armellarcier opened 3 years ago

armellarcier commented 3 years ago

I always end up with such saved code when pasting text in the pell Wysiwyg editor.

<p><span style="color: rgb(0, 0, 0); font-family: &quot;Open Sans&quot;, Arial, sans-serif; text-align: justify;">Sed interdum turpis a arcu cursus ultricies. Ut nec augue interdum, tempor tortor id, rhoncus ipsum. Donec viverra, nibh a elementum scelerisque, nisi erat ullamcorper lorem, vel molestie magna purus vel dolor. Praesent vel risus congue, gravida mi eu, consequat ligula. Donec dolor metus, tempor in finibus sed, mattis et felis. Sed convallis erat vitae sapien venenatis sodales. Etiam eu facilisis est. Aenean nec ex vestibulum, convallis lectus vitae, porttitor turpis.</span></p>

I think this should be cleaned up automatically without any user configuration needed as it seems to be the philosophy of this plugin to prevent UI breaking due to bad "client" content management. And it would be a security improvement.

Could be done through JS sanitizing on change events, on paste events (downvote from me) with a lib like https://github.com/apostrophecms/sanitize-html, and/or server-side.

It may be good to override the behavior and allow a specific list of tags/attributes in userland also.

https://github.com/jaredreich/pell/issues/53

armellarcier commented 3 years ago

#114 fixes paste problems but removes formatting altogether. It's a very good thing but I reopen this for future improvements on content sanitization.

jacquesbh commented 3 years ago

I don't understand @armellarcier. What are the future improvements?

armellarcier commented 3 years ago

@jacquesbh pasting could keep tags that are allowed (h1,…) and only sanitize the rest instead of just pasting only raw text from the clipboard.

Again, this could be part of a bigger issue/feature on the mere possibility to completely customize the editor.

jacquesbh commented 3 years ago

Yes. I agree with you but it's too complicated to do so. Especially if we allow more tags and allow changing the default options of the editor.

Also, a tag is not only <h1> but could be <h1 id="…" class="…" data-*="…" …> etc.

So I think we will keep it this way and we won't improve the pasting by allowing some tags. Unless somebody wants to provide a full PR for it, for me this subject is a no-go right now.

Sorry.
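An allowlist sanitizer of the kind discussed in this thread (a fixed list of tags, each with its own list of permitted attributes, so that `<h1 id=… class=… data-*=…>` collapses to `<h1>`), added here as an example; it is not the plugin's code and uses a hand-written tokenizer instead of the sanitize-html library so it runs without dependencies, both in the browser on paste/change events and server-side in Node.

```javascript
// Allowlist sanitizer for editor HTML (example, not the plugin's own code). Only listed
// tags survive and, per tag, only listed attributes, so style/id/class/data-*/on* are all
// dropped. A real parser such as sanitize-html is preferable in production: it decodes
// entities before checking values, which this regex tokenizer does not.
const ALLOWED = {
  p: [], br: [], strong: [], em: [], b: [], i: [], u: [],
  h1: [], h2: [], h3: [], ul: [], ol: [], li: [],
  a: ['href'],
};
const DROP_WITH_CONTENT = ['script', 'style']; // element and its body are removed
const SAFE_URL = /^(https?:|mailto:|\/|#)/i;    // rejects javascript:, data:, vbscript:
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key); // not 'in': avoids prototype keys

function escapeText(text) {
  return text.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function sanitizeAttrs(tag, rawAttrs) {
  const allowed = ALLOWED[tag];
  // name="value" | name='value' | name=value | name
  const attrRe = /([^\s=\/"'>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = '', m;
  while ((m = attrRe.exec(rawAttrs)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!allowed.includes(name)) continue;
    // Strip whitespace/control characters before the scheme check so "java\nscript:" fails too.
    if (name === 'href' && !SAFE_URL.test(value.replace(/[\s\x00-\x1f]/g, ''))) continue;
    out += ` ${name}="${value.replace(/"/g, '&quot;')}"`;
  }
  return out;
}

function sanitizeHtml(html) {
  let s = html.replace(/<!--[\s\S]*?-->/g, '');
  for (const t of DROP_WITH_CONTENT) {
    s = s.replace(new RegExp(`<${t}\\b[^>]*>[\\s\\S]*?<\\/${t}\\s*>`, 'gi'), '');
  }
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let out = '', last = 0, m;
  while ((m = tagRe.exec(s)) !== null) {
    out += escapeText(s.slice(last, m.index)); // text between tags
    last = tagRe.lastIndex;
    const tag = m[2].toLowerCase();
    if (!hasOwn(ALLOWED, tag)) continue;        // unknown tag vanishes, its text stays
    out += m[1] ? `</${tag}>` : `<${tag}${sanitizeAttrs(tag, m[3])}>`;
  }
  return out + escapeText(s.slice(last));
}
// Constructed sample: the kind of markup pell stores after a paste from a web page.
const PASTED = '<p><span style="color: rgb(0, 0, 0); font-family: &quot;Open Sans&quot;, Arial;">Sed interdum turpis.</span></p>';
```

`sanitizeHtml(PASTED)` returns `<p>Sed interdum turpis.</p>`, i.e. the formatting the editor cannot represent is dropped while the allowed block structure is kept.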