The aggregator module in 4.5 and 4.5.1 hardcodes the default "Filtered HTML" filter, as opposed to hooking into the filter.module system itself. This can cause problems for a number of feeds (see http://drupal.org/node/13283 for an example), since [IMG] is not one of the allowed tags. It also greatly causes issues for users of Flickr (see http://flickr.com/forums/help/2943/ for a Drupal specific issue). If aggregator.module could hook into the default filter.module, users would be able to create a "Aggregator" filter which includes tags they'd like to see (like [IMG]). The first stage of the feature should be "support a single filter for all aggregated items" and the second stage should be "support a specific filter for a specific feed, with a default for all unspecified". The default, out of the box, behavior, should be to use the "Filtered HTML" filter.

Files: 
CommentFileSizeAuthor
#2 aggregator.module_4.patch2.05 KBsillygwailo

Comments

Morbus Iff’s picture

sillygwailo’s picture

FileSize
2.05 KB

I agree that the aggregator should use Drupal's native input formats. In the meantime, though, attached is a patch that at least makes the list of HTML tags that the aggregator alllows configurable.

sillygwailo’s picture

Bump. My patch doesn't 'fix' the feature request, but I got some support from Karl Martino for adding an allowable elements setting for the aggregator module.

ricabrantes’s picture

Version: » 7.x-dev
Status: Active » Closed (fixed)

bump..

ricabrantes’s picture

Status: Closed (fixed) » Active
alex_b’s picture

Aggregator's HTML filter is an input filter, while Drupal's input formats are actually output filters.

I was never really sure why aggregator had these input filters, so I'm not principally opposed to dropping them in favor of output filters. But are we missing a security related issue here?

Morbus Iff’s picture

alex_b: I'm not sure I understand what you mean. Core's aggregator_filter_xss() is only used during a template's preprocess, which conceptually replicates the same functionality of Drupal's standard output filters. It'd only be a true input filter if the bad tags never makes it to the database in the first place - but that's not currently the case.

alex_b’s picture

#7 - Morbus, late reply: I misunderstood the patch above, aggregator_filter_xss() of course is an output filter.

Jody Lynn’s picture

Version: 7.x-dev » 8.x-dev
jhedstrom’s picture

Version: 8.0.x-dev » 8.1.x-dev
Issue summary: View changes

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.0-beta1 was released on March 2, 2016, which means new developments and disruptive changes should now be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.0-beta1 was released on August 3, 2016, which means new developments and disruptive changes should now be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.0-alpha1 will be released the week of January 30, 2017, which means new developments and disruptive changes should now be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.