I noticed that the BBCode filter deletes

tags. So I cannot use the full features of the SlideShare embed widget (BBCode) together with the Twitter embed widget (script tags), which uses a script tag to load its JavaScript library. Of course it can be done by custom editing of the body content, but it requires more experience from editor users. Any idea? Thanks all

Comments

nileshgr’s picture

Status: Active » Postponed (maintainer needs more info)

What do you mean by delete tags?

boreg’s picture

Sorry, I meant the <script> HTML tag.

nileshgr’s picture

Assigned: boreg » Unassigned

If your Input Format has the HTML Filter enabled, then disable it and process HTML first, then BBCode.

naudefj’s picture

Status: Postponed (maintainer needs more info) » Closed (works as designed)

For security reasons we cannot allow users to enter script tags.

boreg’s picture

Assigned: Unassigned » boreg
Status: Closed (works as designed) » Postponed (maintainer needs more info)

It's not an issue with the other filters. I disabled all of them. There is only the BBCode filter enabled. When I disable it, everything works fine - except transforming BBCode to HTML, naturally :)

naudefj’s picture

Assigned: boreg » naudefj
Category: bug » support
Priority: Normal » Minor
Status: Postponed (maintainer needs more info) » Closed (fixed)

This module will always encode script tags to prevent XSS HTML injection attacks. The only way it is ever going to be allowed is if you can somehow recommend a way of making it safe to use.

PS: Last time I checked I was the maintainer, and since I don't need more info, this issue is closed.

boreg’s picture

Assigned: naudefj » boreg
Category: support » bug
Priority: Minor » Normal
Status: Closed (fixed) » Postponed (maintainer needs more info)

I searched the module files and found that the BBCode filter alters script tags in the function "_bbcode_filter_process" on line 10 of the file bbcode-filter.inc. I tried to comment out the line,

#$body = preg_replace(array('#<script([^>]*)>#i', '#</script([^>]*)>#i'), array('&lt;script\\1&gt;', '&lt;/script\\1&gt;'), $body);

and it works, but it would be much better to add a condition based on the selected settings in the BBCode filter settings (/admin/settings/filters/[filternumber]/configure).

There are other filters to avoid XSS injection which are more customizable (e.g. htmlpurifier), and because of this logic it's not possible to use embedding of e.g. Twitter (uses a script tag) + SlideShare (uses BBCode) together on one page.

Please understand this as a suggestion for a new feature to extend the scalability of this great module.

nileshgr’s picture

In the first place, why are you using BBCode to format the Twitter block!?
Script tag filtering is a must.

boreg’s picture

In the first place, why are you using BBCode to format the Twitter block!?

I'm not using BBCode to format the Twitter block, as I mentioned in my post ;). I'm using Twitter (script tag) and SlideShare (BBCode) portlets on the same page. So if BBCode strips the SCRIPT tag, the Twitter portlet is deleted. It makes no sense - BBCode should be for formatting BBCode, not for stripping other non-BBCode tags.

david.pache@gmail.com’s picture

I agree with #10.

benanne’s picture

I don't suppose this is going to make a difference since it seems that this module is no longer maintained, but I'm having the same problem right now. I'm trying to get embedded Twitter widgets working with oEmbed. The embed filter has to run before the BBCode filter, because that also processes URLs.

So this creates a catch-22: if I set the BBCode filter to run before the Embed filter, it processes all the URLs and the embed filter can no longer find them. If I set the Embed filter to run before the BBCode filter, the BBCode filter will remove the script tag in Twitter embeds.

Since the very first filter in my input format is already stripping all HTML tags, I suppose I can just do like #7 and comment this line without worrying about XSS attacks.
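To make the two points in this thread concrete (the script-escaping line quoted in #7, and the filter-ordering problem in #12), here is an added standalone PHP illustration. It is not code from the BBCode module or from Drupal: it re-implements the single preg_replace from #7 as its own step, adds a stand-in "strip all HTML" filter built on PHP's strip_tags() and a toy BBCode converter that only handles [b] and [url] (both hypothetical), and runs them through a minimal pipeline so the effect of filter order on a constructed input carrying an injected script is visible.

```php
<?php
// Added illustration, not code from the BBCode module. Every function here is
// a hypothetical stand-in; only the two regexes in demo_bbcode_escape_script()
// are taken from the line quoted in comment #7.

/** Escape <script ...> and </script ...> to entities, as the module's line 10 does. */
function demo_bbcode_escape_script(string $body): string
{
    return preg_replace(
        ['#<script([^>]*)>#i', '#</script([^>]*)>#i'],
        ['&lt;script\\1&gt;', '&lt;/script\\1&gt;'],
        $body
    );
}

/** Stand-in for the "strip all HTML tags" filter mentioned in #12 (not Drupal's). */
function demo_strip_html(string $body): string
{
    // strip_tags() removes the tags themselves; text between them is kept.
    return strip_tags($body);
}

/** Toy BBCode-to-HTML step: only [b] and [url] are handled (hypothetical). */
function demo_bbcode_to_html(string $body): string
{
    $body = preg_replace('#\[b\](.*?)\[/b\]#is', '<strong>$1</strong>', $body);
    $body = preg_replace('#\[url\](https?://[^\s\[]+)\[/url\]#i', '<a href="$1">$1</a>', $body);
    return $body;
}

/** Apply filters in the configured order, one after the other, like an input format. */
function demo_run_pipeline(array $filters, string $body): string
{
    foreach ($filters as $filter) {
        $body = $filter($body);
    }
    return $body;
}

// Constructed sample post: BBCode markup with an injected script in the middle.
$input = '[b]hello[/b] <SCRIPT src="x.js">alert(document.cookie)</SCRIPT> [url]https://example.com[/url]';

// Order A: only the BBCode filter (the setup described in #4). The script tag
// survives as entity-escaped text, so the browser renders it literally instead
// of executing it; the BBCode markup is converted as expected.
echo "A: ", demo_run_pipeline(['demo_bbcode_to_html', 'demo_bbcode_escape_script'], $input), "\n";

// Order B: strip-HTML first, then BBCode (the order #12 relies on). The tags
// are gone before BBCode runs, so nothing is left for the escape step to do.
echo "B: ", demo_run_pipeline(['demo_strip_html', 'demo_bbcode_to_html', 'demo_bbcode_escape_script'], $input), "\n";

// Order C: BBCode first, strip-HTML last. Strip-HTML now also removes the
// <strong> and <a> tags the BBCode step just produced, which is why the
// ordering of filters in an input format matters so much.
echo "C: ", demo_run_pipeline(['demo_bbcode_to_html', 'demo_bbcode_escape_script', 'demo_strip_html'], $input), "\n";
```

Run it with `php demo.php` and compare the three lines. Order A shows why the maintainers keep the escape: the injected tag becomes inert text rather than being executed. Order B shows why #12 can drop the escape without changing the security outcome only because an earlier filter already removes every tag; order C shows that moving that stripping filter after the BBCode step destroys the BBCode output, which is the same class of ordering conflict #12 describes with the embed filter.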