Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Comments inside my posts are getting escaped by the filter and look like this:
<!-- technorati tags start -->
Technorati Tags: Drupal
<!-- technorati tags end -->
My Settings:
* Lines and paragraphs break automatically.
* Web page addresses and e-mail addresses turn into links automatically.
* Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <p> <br>
Comment | File | Size | Author |
---|---|---|---|
#7 | filter.module.allowHTMLComments.patch | 4.49 KB | harking |
#5 | filter.module.allowHTMLComments.patch | 903 bytes | harking |
Comments
Comment #1
DiGriz CreditAttribution: DiGriz commentedForgot some data...
FreeBSD 6.2-RC1
Server: Apache/2.2.3 (FreeBSD) mod_ssl/2.2.3 OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.0 with Suhosin-Patch SVN/1.3.1
Comment #2
Steven CreditAttribution: Steven commentedThis was broken by #101775. I committed a fix that restores the old behaviour, which simply removed all HTML comments.
Note that leaving HTML comments in place is very bad from a security point of view, because of various browser inconsistencies in parsing them. It is better to be safe than sorry.
Comment #3
(not verified) CreditAttribution: commentedComment #4
harking CreditAttribution: harking commentedSteven, can you provide some examples of how enabling the HTML comments would be a security issue?
We currently need to utilize them in order to allow a standards compliant way of embedding flash video. See http://code.google.com/p/swfobject/
Thanks
Comment #5
harking CreditAttribution: harking commentedI've attached a small patch to the filter.module that enables HTML comments to pass through the filter. It needs more testing and is probably the wrong route to approach the problem. I'll have to read through the filter.module code again to find the correct way.
This patch adds
to the list of matches which will be passed into filter_xss_split. It also removes the > character as a match (probably incorrectly) in order to catch the case of
<!-- [if IE]>-->
being turned into<!--[if IE]>-->
Comment #6
harking CreditAttribution: harking commentedComment #7
harking CreditAttribution: harking commentedHere is an updated patch. It now is deactivated by default (filter will remove the html comments) and can be enabled per Input Format.
Tested using the following: regular comment, conditional comment, multi line comment, and SWFObject:
Comment #8
harking CreditAttribution: harking commentedComment #9
mcurry CreditAttribution: mcurry commentedsubscribing
Comment #10
drummThe conditional comments show exactly how HTML comments can do more than just commenting. I am not aware of other malicious uses offhand, but there may be cases where a browser interprets a specially-crafted comment.
You are already allowing object tags, the user can include remote applets, flash, movies and other plugins. Go ahead and just don't use HTML filtering in this case, such as the default Full HTML input format. Do make sure you trust users with permission to do this; know who they are and make sure they have an understanding of phishing and basic computer security.
Alternatively, use a module designed to embed media, such as http://drupal.org/project/emfield.
Comment #11
deviantintegral CreditAttribution: deviantintegral commentedThe patch in #7 works for me against Drupal 5.16. Pending a resolution about the validity of this I can do a full review.
I and others have written modules which use comments as markup for content. The main advantage is that when the input filters are disabled, the markup doesn't end up displaying to users (like how it would for img_assist's markup). I used this because I "did what core did", modelling after
<!-- break-->
. While for the object tag full HTML makes sense, there are many other use cases where it doesn't. This essentially represents an API change, so even if such markup is discouraged in the future, I think it should be supported for D5 (and possibly D6; haven't had a chance to test yet).In terms of browser security, comments are a part of the XHTML specification. If they are doing things beyond the spec that they shouldn't do, then IMO that's not our problem and it's up to the browser to be fixed.
Other modules which are affected by this can be found at a similar issue against HTML corrector at #222926: HTML Corrector filter escapes HTML comments.
Comment #12
drummIs this an API change? When did Drupal 5 support HTML comments passing through the HTML filters?
We have to consider browser security of what browsers actually do, not the specs.
This might want to be moved up to the development version.
Comment #13
neochief CreditAttribution: neochief commented#222926: HTML Corrector filter escapes HTML comments