Hello, all,

Currently am wrestling with HTMLarea.

On a Drupal 4.6.2 install, I have the latest version of Xinha software (downloaded Aug. 11) running with version 4.6 of the module. I have duplicated the issue in Firefox and IE for Windows.

I have one role created (with one sample user in that role) in addition to the first account/Main Admin role.

I have set up the HTML Filter to accept the following tags:
<a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <b> <div> <sub> <sup> <br> <p> <blockquote> <img> (At various times in the troubleshooting process I have added html, body, head

I have also tried to solve the problem by enabling and disabling the "Strip tags" and "Remove Style Attributes" in admin/filters.

So here's the problem: When I post topics from the Main Admin Account, they post and display fine. When I attempt to post from the guest account, I get the "Terminated request because of suspicious input data." error message.

When I allow the guest role to bypass data input check, users in the guest role can post with no problems. Also, when posting, if I toggle the "view html" and manually strip out the html, head, and body tags added by htmlarea, the post can go through *if I post before returning to WYSIWYG view*. If I return to WYSIWYG view, the html, head, and body tags are added back in, and I get the "Terminated request because of suspicious input data." error message.

So, it seems like the problem is being caused by the html, head, and/or the body tag. While I have set the input format to strip out non-approved tags, the problem still persists.

I have also cleared the cache after each settings change.

Also, all users could post with no problems before htmlarea was enabled.

So, here are my questions:

1. What configuration options am I missing that are causing the guest account to submit "suspicious data"?

2. What are the security risks involved with allowing users to bypass the data input check? My assumption is that that is not a good thing, as it could allow the posting of all types of nasty scripts no matter the other settings/filters on the site (such as disabling php in posts, etc).

I have seen the following threads:

This one is an issue reported as closed for the same problem I'm having, which gives me the impression that I have configured something incorrectly.

This post and this post are a little less conclusive.

Any help/suggestions are, as always, much appreciated.

Thanks,

bonobo

Comments

bonobo’s picture

Under the htmlarea config settings, I had enabled the "Full Page" plugin. I disabled that, and am good to go.

I love spending hours figuring out where I made the mistake :)

-------
http://www.funnymonkey.com
Tools for Teachers

mcbyke’s picture

"Under the htmlarea config settings, I had enabled the "Full Page" plugin. I disabled that, and am good to go."

That did it for me :-)

Thanks bonobo

bombaclot’s picture

Hi, I've found "input formats" and been through and through on that with no luck. Where do I find the
htmlarea config settings and "Full Page" plugin, so that I can also disable it?
Looking very much forward to finding out!
Thanks a lot.

bonobo’s picture

For 4.6, navigate to http://yoursite.com/admin/settings/htmlarea/plugins -- admin --> settings --> htmlarea --> plugins tab

I'm not running htmlarea on any 4.7 sites, so I don't know if the url would have changed.

Cheers,

Bill

-------
http://www.funnymonkey.com
Tools for Teachers

NaX’s picture

I am having the same problem. The thing that I find strange is that it does not happen all the time.
I did not have the "Full Page" plugin enabled so that can't be the problem. When I allowed the admin role to bypass the data input check then the error stopped coming up for that role.

I think the problem is with htmlarea but I am not sure what to do. For now I am allowing to bypass the data input check, but I would prefer not to.

bonobo’s picture

settings do you have enabled on the "plugins" tab? Try disabling these settings one by one to see if you can make the problem go away.

Basically, if you can get htmlarea running cleanly with a stripped down set of options, you can then enable the options singly and find exactly what causes the problem.

Hope this helps,

bonobo

-------
http://www.funnymonkey.com
Tools for Teachers