Official: Redactor Composer now available in 0.7.1+
-
@phil said:
The new composer looks nice. Very impressive work.
Just one quick question. Are you doing server side HTML sanitization or are you completely relying on Redactor to provide clean HTML? If so, where is the server side code that does the sanitization.
OK, I've answered my own question. No server side sanitization. It's very easy to inject javascript code into a post for XSS.
I would strongly recommend not deploying this to a production site until server side html sanitization is implemented. If any of the devs would like to know how I XSS'd my test site, let me know.
-
@phil said:
The new composer looks nice. Very impressive work.
Just one quick question. Are you doing server side HTML sanitization or are you completely relying on Redactor to provide clean HTML? If so, where is the server side code that does the sanitization.
OK, I've answered my own question. No server side sanitization. It's very easy to inject javascript code into a post for XSS.
I would strongly recommend not deploying this to a production site until server side html sanitization is implemented. If any of the devs would like to know how I XSS'd my test site, let me know.
I've forked and am adding server side validation. Does redactor have a list of all the tags and attributes that pass it's validation? In order for server side validation to not mess things up, it needs to perform the same validation the client performs. It would be even more useful if the guys over at redactor made their client side validation code available in a separate library.
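The allowlist approach described above, as an added example written for this page rather than code from the plugin or from @phil's pull request. The `ALLOWED` tag/attribute table is a constructed placeholder, not the list the fork uses; in a real deployment it must mirror exactly what the client-side editor emits, otherwise the server strips legitimate formatting. Unknown tags are dropped with their inner text kept as escaped text, attributes not on the per-tag list (every `on*` handler, `style`, and so on) are discarded, and `href`/`src` values are entity-decoded and control-stripped before a scheme check so that encoded or whitespace-padded `javascript:` URLs do not survive.

```javascript
// Allowlist-based server-side HTML sanitizer (added illustration, not the plugin's code).
// ALLOWED is a constructed placeholder; a deployment must mirror the client editor's list.
const ALLOWED = {
  p: [], br: [], b: [], i: [], strong: [], em: [], u: [], s: [],
  ul: [], ol: [], li: [], blockquote: [], pre: [], code: [], h1: [], h2: [], h3: [],
  a: ['href', 'title'],
  img: ['src', 'alt', 'title'],
};
const URL_ATTRS = new Set(['href', 'src']);
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", colon: ':', tab: '\t', newline: '\n' };

// Tokenizer for start/end tags with optional quoted or bare attribute values.
// Anything it cannot parse (comments, <?...?>, malformed tags) is treated as plain text.
const TAG = /<(\/?)([a-z][a-z0-9]*)((?:\s+[^\s=\/>]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*(\/?)>/gi;
const ATTR = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (whole, body) => {
    const b = body.toLowerCase();
    if (b[0] === '#') {
      const cp = b[1] === 'x' ? parseInt(b.slice(2), 16) : parseInt(b.slice(1), 10);
      return cp > 0x10ffff ? '' : String.fromCodePoint(cp);
    }
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, b) ? NAMED_ENTITIES[b] : whole;
  });
}

function escapeText(s) {
  // Leave well-formed entities alone; escape everything else that could open a tag.
  return s.replace(/&(?![a-z0-9#]+;)/gi, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Returns the URL to emit, or null if its scheme is not on the allowlist.
function safeUrl(raw) {
  // Decode entities first so an entity-encoded scheme cannot slip past the check,
  // then drop ASCII control characters and whitespace, which browsers ignore in URLs.
  const url = decodeEntities(raw).replace(/[\u0000-\u0020\u007f]/g, '');
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (scheme && !ALLOWED_SCHEMES.has(scheme[1].toLowerCase())) return null;
  return url;
}

function sanitize(html) {
  let out = '';
  let last = 0;
  TAG.lastIndex = 0;
  let m;
  while ((m = TAG.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));
    last = TAG.lastIndex;
    const [, closing, rawName, attrText, selfClose] = m;
    const name = rawName.toLowerCase();
    // Tags not on the allowlist (script, style, iframe, ...) are dropped; inner text is kept, escaped.
    if (!Object.prototype.hasOwnProperty.call(ALLOWED, name)) continue;
    if (closing) { out += `</${name}>`; continue; }
    let attrs = '';
    ATTR.lastIndex = 0;
    let a;
    while ((a = ATTR.exec(attrText)) !== null) {
      const attr = a[1].toLowerCase();
      if (!ALLOWED[name].includes(attr)) continue; // drops every on* handler, style, etc.
      let value = a[2] ?? a[3] ?? a[4] ?? '';
      if (URL_ATTRS.has(attr)) {
        value = safeUrl(value);
        if (value === null) continue;
      }
      attrs += ` ${attr}="${escapeAttr(value)}"`;
    }
    out += `<${name}${attrs}${selfClose ? ' /' : ''}>`;
  }
  return out + escapeText(html.slice(last));
}

// Constructed sample input to show the effect when run stand-alone.
console.log(sanitize('<p onclick="x()">hi <a href="java&#115;cript:alert(1)">link</a></p>'));
```

Balancing of unclosed tags is left to the rendering side; an unbalanced `<b>` is a layout problem, not a script-execution one. For a production forum the same allowlist should be the single source of truth for both client and server, and a maintained sanitizer library (DOMPurify on jsdom or sanitize-html, for example) is preferable to a hand-rolled tokenizer like this one, which exists here only to make the allowlist logic visible.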
-
@phil they have a list of tags they *don't* take:
http://imperavi.com/redactor/docs/security/
But no explicit list of ones they do. I can see from your pull request you've added a list. Is that one you took from somewhere specific or built yourself?
A huge thank you to you @phil for making a contribution to the Redactor composer plugin. Gold stars and dancing girls for you!*
(* gold stars not made of real gold. Dancing girls may or may not be dancing, may or may not be girls. Offer void in Utah)
-
@drew said:
@phil they have a list of tags they *don't* take:
http://imperavi.com/redactor/docs/security/
But no explicit list of ones they do. I can see from your pull request you've added a list. Is that one you took from somewhere specific or built yourself?
I dug through the Redactor source to find what they were sanitizing against and made the list to match what they were doing.
A huge thank you to you @phil for making a contribution to the Redactor composer plugin. Gold stars and dancing girls for you!*
(* gold stars not made of real gold. Dancing girls may or may not be dancing, may or may not be girls. Offer void in Utah)
-
I've run into an issue (I've posted on GitHub with no response) and figured I would try here.
When activating Redactor it seems I cannot compose a post in Safari; however, it works fine in Chrome. Any thoughts on this? Others on GitHub were able to reproduce the issue, so it's not a theme issue.
Safari broken · Issue #4 · NodeBB-Community/nodebb-plugin-composer-redactor
Can't write text on Safari browser, Mac & iOS
-
Anyone else having an issue where uploaded file(s) don't show up in the compose window, only the preview window?
-
@chrismccoy I think you're talking about the default markdown composer, this thread is for the redactor composer, which is a wysiwyg and has no composer/preview split.
-
I have the default disabled, but markdown enabled. I'm guessing I have to disable the markdown plugin?
-
Safari bug fixed on my pull request https://github.com/NodeBB/nodebb-plugin-composer-redactor/pull/12
-
@chrismccoy file upload not yet working in Redactor Composer. We've got a bug report on the Github and hopefully a pull request incoming.
-
@alberto__segura Thank you very much for the pull request. It's been merged and new npm package released.
-
Just an informal heads up:
There is possibly some page load blocking bug related to perhaps deleting posts or adding images in the redactor (I'm not sure).
I just noticed in one of the test threads that I made for the new Redactor composer that it doesn't load the thread unless you do a page refresh (broken html?). But that thread has already been deleted before I realized that I should study it more closely and make a bug report, so ...
But I'll keep an eye out to see if it happens again.