1. Enter chat.
2. Post an HTML link <a href="example.com/test">Test</a>.
3. The "Enter your text message here" button will be changed to a link to mysite.com/drupal/content/example.com/test.
4. Chatting in this room will become impossible until you send a normal message via the "Chat" button and then refresh the site.


beejeebus

Version: 7.x-2.0 » 7.x-2.x-dev

huh, that doesn't sound good. patches welcome.

pikku-h

check_plain() and strip_tags() seem to be enough in the chatroom_post_message() function.
Like so:

  // In chatroom_post_message(): strip tags and escape the submitted text before it is stored.
  $message = array(
    'cid' => $chatroom->get('cid'),
    'uid' => $user->uid,
    'msg' => check_plain(strip_tags($_POST['message'])),
    'sid' => session_id(),
    'msg_type' => chatroom_get_message_type($_POST['message']),
    'recipient_uid' => 0,
    'modified' => time(),
    'anon_name' => isset($_POST['anonName']) ? check_plain(strip_tags($_POST['anonName'])) : '',
  );

Of course this might be too strict for someone else.

beejeebus

Status: Active » Closed (works as designed)


we don't filter on the way in, only on the way out - we should always store the raw input.

on the way out, we run whatever filters are configured. if you allow full html, you allow full html.

if you don't want that, change the filter.
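The two positions in this thread, escaping on the way in (pikku-h's patch) versus storing raw input and filtering on the way out (beejeebus's reply), side by side as an added example. This is not code from the Chatroom module or from either participant; it uses plain PHP in place of Drupal 7's check_plain(), and the message array shape and the text-format names 'plain_text' and 'full_html' are assumptions standing in for the module's real storage and the site's configured filters.

```php
<?php
// Added example, not Chatroom module code. The message array and the format
// names are assumptions; htmlspecialchars() stands in for Drupal's check_plain().

// Constructed input: the exact link from the bug report.
$raw_input = '<a href="example.com/test">Test</a>';

// Store the raw input unchanged; only the chosen output format is recorded with it.
function store_message(string $raw, string $format): array {
    return ['msg' => $raw, 'format' => $format];
}

// Output-side rendering keyed by the configured format (the "filter on the way out" rule).
function render_message(array $message): string {
    switch ($message['format']) {
        case 'plain_text':
            // Same escaping as Drupal 7's check_plain(): the tag becomes visible text.
            return htmlspecialchars($message['msg'], ENT_QUOTES, 'UTF-8');
        case 'full_html':
            // "If you allow full html, you allow full html": the raw markup reaches the
            // page, which is how the reported link ended up inside the chat UI.
            return $message['msg'];
        default:
            // A filtered-HTML format needs an attribute-aware sanitizer such as
            // Drupal's filter_xss(); strip_tags() with an allow-list still keeps
            // onclick= and javascript: hrefs, so it is not a substitute. Fail closed.
            return htmlspecialchars($message['msg'], ENT_QUOTES, 'UTF-8');
    }
}

$stored = store_message($raw_input, 'plain_text');

// The same stored row rendered under two formats: the raw text is intact, so
// changing the site's filter later changes the output without touching the data.
echo render_message($stored), PHP_EOL;
echo render_message(['msg' => $stored['msg'], 'format' => 'full_html']), PHP_EOL;

// Contrast: filtering on the way in, as the earlier patch does. The markup is
// gone for good, and no later change of text format can bring it back.
$filtered_on_input = htmlspecialchars(strip_tags($raw_input), ENT_QUOTES, 'UTF-8');
echo $filtered_on_input, PHP_EOL;
```

Run it with `php example.php`. The point of the default branch is the practical caveat: the maintainer's design is only as safe as the configured output filter, so a chat room that must accept HTML should use a text format backed by an attribute-aware sanitizer rather than a tag allow-list alone.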