Open brianherbert opened 12 years ago
Re: Longer term: We need to look at including a proper HTML sanitization library and using it throughout the code.
strip_tags() only strips off HTML tags; the URL inside <a|img> tags will not be stripped off.
From #648 (closed as dupe): Don't trust strip_tags() - make sure we escape chars too. strip_tags is probably only good on well-formed HTML - so we should run its output through specialchars() or similar too.
Implement an HTML whitelist using -> http://htmlpurifier.org/
Hi guys, I wanted to use Ushahidi for a special purpose - 360 spherical panorama photography - reporting from our reporters. The incident_description after saving strips the HTML. I want to embed HTML codes like this in the pic The output would be like this: The embed code is here: Can anyone help me to enable the full HTML content support in the description output? I know the security risks but all the reports will be moderated. Thanks.
All output of reports, site messages and any other area that allows for HTML output needs to be sanitized while still allowing presentation HTML tags. Additionally, the WYSIWYG editor should be restricted to only use approved tags.
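The strip_tags()/htmlspecialchars() point above and the HTML Purifier allow-list suggestion, shown side by side in an added example (this is not Ushahidi code; it assumes HTML Purifier is installed and autoloadable, and the report text is a constructed sample):

```php
<?php
// Added example, not part of the Ushahidi code base.
// Assumes HTML Purifier (http://htmlpurifier.org/) is installed.
require_once 'HTMLPurifier.auto.php';

// Constructed sample of untrusted report text: presentation markup mixed
// with a non-http URL and an inline event handler attribute.
$dirty = '<p>Road blocked <b>near the bridge</b>.</p>'
       . '<a href="javascript:alert(1)">map</a>'
       . '<img src="https://example.org/photo.jpg" onerror="alert(1)">';

// 1. strip_tags() with an allow-list keeps each allowed tag together with
//    ALL of its attributes, so the javascript: URL and onerror survive.
//    This is the "url inside <a|img> tags will not be stripped off" case.
$kept = strip_tags($dirty, '<p><b><a><img>');

// 2. htmlspecialchars() is safe for output but removes all presentation:
//    the browser shows the literal "<b>" text instead of bold text.
$escaped = htmlspecialchars($dirty, ENT_QUOTES | ENT_HTML5, 'UTF-8');

// 3. HTML Purifier: allow only named tags and attributes, and only http(s)
//    URLs. The javascript: href is rejected because its scheme is not in
//    URI.AllowedSchemes; onerror is removed because it is not allowed on img.
function sanitize_report_html($html)
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,b,i,a[href],img[src|alt]');
    $config->set('URI.AllowedSchemes', array('http' => true, 'https' => true));
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($html);
}

$clean = sanitize_report_html($dirty);

echo "strip_tags:       $kept\n";
echo "htmlspecialchars: $escaped\n";
echo "HTML Purifier:    $clean\n";
```

Running this shows the first output still containing the javascript: href and the onerror attribute, the second showing escaped tags as text, and the third keeping <p>, <b> and the https image while dropping the two unwanted attributes.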