search

processwire / processwire-issues

ProcessWire issue reports.
45 stars 2 forks source link

Purifier, ProcessPageEditLink, noindex and other custom rel attributes #1127

Closed Lazerproof closed 1 year ago

Lazerproof commented 4 years ago

Short description of the issue

On ProcessPageEditLink module configuration page we can define custom rel attributes for links.

image

But all custom attributes will get stripped after page save by Purifier.

Expected behavior

Get link inserted in CKEditor with custom rel attribute.

Actual behavior

For now, only nofollow attribute is allowed in MarkupHTMLPurifier module so it will not be stripped and noopener and norefferer attributes will be added.

Optional: Suggestion for a possible fix

We could add this code to "purifyValue" method of InputfieldCKEditor module so it will allow all rel options that defined in ProcessPageEditLink automatically. 

$relAttributes = $configData['relOptions'];
$relAttributesArray = array_unique(preg_split('/(\n|\s)/', $relAttributes, -1, PREG_SPLIT_NO_EMPTY));
if (count($relAttributesArray)) {
   self::$purifier->set('Attr.AllowedRel', array_values($relAttributesArray));
}

Also, it would be great to have control over noreffer attributes, as for now it gets added to all links that have 'target' property as for this option: http://htmlpurifier.org/live/configdoc/plain.html#HTML.TargetNoreferrer

Also, maybe we can have a hook that will allow configuring Purifier.

Setup/Environment

Toutouwai commented 4 years ago

Also, maybe we can have a hook that will allow configuring Purifier.

Yes please!

Without being able to configure HTML Purifier it is impossible to use data- attributes in a CKEditor field that has Purifier applied. This is pretty crippling IMO.

matjazpotocnik commented 1 year ago

@Lazerproof @Toutouwai in MarkupHTMLPurifier.php we now have this line:

$this->settings->set('Attr.AllowedRel', array('nofollow', 'noopener', 'noreferrer'));

Previously it was:

$this->settings->set('Attr.AllowedRel', array('nofollow'));

I understand it doesn't allow all of the rel options, but it covers most used. I guess having a hook would still be a good option and we should leave this issue open?

Toutouwai commented 1 year ago

@matjazpotocnik there is now a hookable method that allows for customising the HTML Purifier config: https://github.com/processwire/processwire-requests/issues/226#issuecomment-876867106 So all good now from my perspective.

matjazpotocnik commented 1 year ago

Thanks, Robin, for providing the link, I missed this one. Closing. @Lazerproof please reopen if needed.