html tags permits

kyrd Member
edited May 17 in General support

hi there, I know i'm old-fashioned but is there any way to avoid zenphoto overriding my preferences in writing content? (using zenphoto 1.5.7 + zenpage theme)

I understand that preventing malicious use of forms is an important feature but IMHO preventing my own personal use of html tagging in my texts is malicious as well.
In this way not only my lay-out but also my text formatting are under scrutiny by zenphoto, just like it happens in WP!

I've tried to add and/or modify the allowed tags in admin-options but "the system" didn't accept me doing that.
I find it's too generic to set alltogether the permits for "comments, descriptions and other fields".

Isn't it possible to split the "allowed tags" from comments -which are obviously a target for external attacks- and my own use of html in my own content?

(i.e. what is the ratio to exclude attribute "name" from tag \< a >? or my favourite \< dl > \< dt > \

and \< del > ? and how am I supposed to add a form for a paypal button?)
«1

Comments

  • acrylian Administrator, Developer
    edited May 12

    You should be able to add "tags" in the option actually if you follow the way they are defined. What does happen if you do? Just nothing?

    These are not only for tags but also for basic sanitizing of contents and some filtering internally. So it is currently not that easy to do so and certainly not for 1.5.8 coming soon.

    However in the 1.5.8RC there are some additions as there have been some other oversights for the defaults.

    The name attribute is not an allowed attribute for <a> elements as it is not one of the global ones.
    https://developer.mozilla.org/de/docs/Web/HTML/Element/a

    Paypal buttons actually work fine: https://www.zenphoto.org/pages/donations/

    Definition lists actually as wel despite indeed missingl: https://www.zenphoto.org/news/zenphotos-global-variables/

    But it all also depends on if you are using the tinymce editor or not asthat also does some filtering. It is enabled by default normally and we use it as well.

  • kyrd Member

    tinymce editor? no, I don't use it, what's that? ;-)

    When I've tried to add all together the tags I wanted to use, the verification system didn' allow me doing that.

    After some testing I've succeded to enter separately, meaning one by one, \< dl > \< dt > \< dd > and \< del >
    Added succesfully as well the attribute "name" in tag \< a > (it's in texts I've written long time ago, when it was of common use and not yet deprecated... )

    But if I write < form > or < input > the system rejects it, I don't understand how to add i.e. paypal

  • acrylian Administrator, Developer
    edited May 12

    Perhaps tinymce to make your life easier ;-)

    You need to enter the items as the existing are like this

     dl =>(class=>() id=>())
     dt =>(class=>() id=>())
     dd =>(class=>() id=>())
    

    Forms will be incuded by default in 1.5.8. Definition lists and <del> we forgot but will add them.

    Added succesfully as well the attribute "name" in tag \< a > (it's in texts I've written long time ago, when it was of common use and not yet deprecated... )

    Note that it will be invalid HTML technically as it is not only deprectated but not allowed in HTML5 as all Zenphoto themes use HTML5, at least the official ones.

  • kyrd Member

    Note that it will be invalid HTML technically as it is not only deprectated but not allowed in HTML5 as all Zenphoto themes use HTML5, at least the official ones
    thanks for pointing me that, I wasn't aware of

    however I still don't get how to add the paypal thing

  • acrylian Administrator, Developer
    edited May 12

    thanks for pointing me that, I wasn't aware of

    It's not a huge showstopping validation issue but will ceraintly be noted if you test with a validator.

    What is the exact problem with the paypal button? That's just a simple form with a link and an image as on our page, right?

  • kyrd Member

    ok, after some testing I could finally manage to add all the required tags and attributes (e.g. form & input) which at the previous attempts were refused by the system.

    apparently the system was not happy to get all the mods in one go, I had to add them all one by one (and sometimes had to repeat as not always was accepted at the first time).

    there could have been some typo by my side but I've checked many times: pretty weird behaviour

    [btw in admin-options.php?page=options&tab=general

    there is a typo:
    in the italian translation there are two closing parenthesis instead of one - as those in the form field:

    Seguire la forma tag => (attributo => (attributo=> (), attributo => ()...))

    while in english there are three closing parenthesis

    Follow the form tag => (attribute => (attribute=> (), attribute => ()...)))

    ]

  • acrylian Administrator, Developer

    there could have been some typo by my side but I've checked many times: pretty weird behaviour

    Surely not normal behaviour. Any errors in the logs?

    in the italian translation there are two closing parenthesis instead of one - as those in the form field:

    That's something @bic would have to fix ;-)

  • fretzl Administrator, Developer
    edited May 14

    in the italian translation there are two closing parenthesis instead of one - as those in the form field:

    There are things messed up there. Too many open/close parenthesis.
    Please take a close look at syntax. It should look like this:
    form => (action=>() method=>() accept-charset=>() id=>() class=>() title=>() name=>() target=>() lang=>())

    Maybe a shorter example helps:
    col => (class=>() id=>() lang=>())

  • kyrd Member

    yes, I did it, note that in english there are 3 closing parenthesis in the text

  • fretzl Administrator, Developer

    yes, I did it, note that in english there are 3 closing parenthesis in the text

    That's not the case in 1.5.8RC however.
    I think it's better to use the reset to default button, on the right of the Allowed tags options, and start over.

  • fretzl Administrator, Developer

    Sigh..., I completely missed the fact that you meant the text in the explanation next to the option. Sorry.

  • kyrd Member

    No problem, maybe I wasn't clear enough: it's so easy to misunderstand each other ;-)

  • kyrd Member

    Let me add here just one more little problem I've noticed, that has puzzled me for quite some time.

    The system strips off an attribute which is set as allowed by default in admin option. This is how my html looks like in my admin-edit page:

     <a href="#mail">Sending images</a>
     <!-- which links to a header on the same page -->
    ...
    <h4 id="mail">mail address</h4>
    

    but the id attribute effectively is stripped off in my page source, while is still there in the admin-edit page!

    Any idea on how do I solve this?

  • acrylian Administrator, Developer

    First, what edit page exatly, second which theme are you using.

    With text editor or without texteditor as the editor also does some parsing itself.

    Generally is text content parsed by a validator - either a library or if your sever supports a native PHP extension - so if for some reason an id is not unique on your text content it may be removed.

  • kyrd Member
    First, what edit page exatly, second which theme are you using.
    

    .../zp-core/zp-extensions/zenpage/admin-edit.php?page&update

    With text editor or without texteditor
    

    NO text editor

    if for some reason an id is not unique on your text content it may be removed
    

    that's not the case, every id I've tried is stripped off in my page source, while remaining alive in its admin-edit page

    tried a temporary workaround

    <span id="mail"></span>
    

    but that too is stripped off from html! :-(

  • acrylian Administrator, Developer

    My colleague just reminded me that might be related to sort of a bug with the filtering we were not able to solve. This happens for some reason sometimes.

    Try to use a codeblock - if the theme supports it - instead of the main text content.

  • acrylian Administrator, Developer
    edited May 15

    Need to remind me by looking at code: In fact this is an issue of the general sanitizing but not related to the allowed tags option at all as that is not used for displaying text content. We're re-investigation on this again right now.

  • acrylian Administrator, Developer

    Please try the 1.5.8RC for some change regarding this.

  • kyrd Member

    ok, I've reinstalled and tested the page: problem solved ! :-)

  • acrylian Administrator, Developer

    Great, thanks!

  • bic Member, Translator

    Hi @acrylian I'll look at the translation asap, thanks. For some reasons, I don't get email notifications when I'm tagged here in the forum. I have all the notification enabled on my profile settings.

  • acrylian Administrator, Developer
    edited May 18

    I have no idea why the notifications would not work for you. For me they do but of course I am on admin level additionally. Is the mail here really correct?

    How about subscribing to the RSS feed perhaps?

  • bic Member, Translator

    I've checked in the spam folder too but nothing. I used to receive email notifications from here some time ago anyway.
    I'll try with RSS, tough I've not any RSS reader active at the moment. I'll setup one hopefully.

    PS
    I'm experimenting an annoying antispam delay between replies too, that's why I'm replying this late.

  • acrylian Administrator, Developer

    Perhaps somehow your mailprovider blocks the forum mails for some unknown reason… No idea sadly.

    I'm experimenting an annoying antispam delay between replies too, that's why I'm replying this late.

    What do you mean excatly? We have something in place so no one can "flood" things here indeed.

  • bic Member, Translator
    edited May 19

    I've changed the email address. I got the verification email, so this one should work.

    What do you mean excatly? We have something in place so no one can "flood" things here indeed.

    A 300 seconds delay between posts :-(

    You have posted 1 times within 60 seconds. A spam block is now in effect on your account. You must wait at least 300 seconds before attempting to post again.

  • bic Member, Translator

    By the way, the string to be fixed in translation, for which @acrylian tagged me, is now changed in latest build and there are some typos in english too, like some messed up spaces.
    Follow the form: <em>tag</em> =&gt; (<em>attribute</em> =&gt; ()<em>attribute</em>=&gt; () <em>attribute</em> =&gt; ()....etc.)
    Should be perhaps
    Follow the form: <em>tag</em> =&gt; (<em>attribute</em> =&gt;() <em>attribute</em>=&gt;() <em>attribute</em> =&gt;()....etc.)

  • fretzl Administrator, Developer

    Thanks. Fixed in the Support build

  • bic Member, Translator

    Thanks @fretzl
    I'm going to commit the translation right now.

    PS
    I didn't get any notification from here about your reply, even with the new email address which is a gmail one.

  • acrylian Administrator, Developer

    I didn't get any notification from here about your reply, even with the new email address which is a gmail one.

    @bic Hm, if you enabled all you should get one as you participated. Did you get this one being referenced directly?

  • bic Member, Translator

    No, I didn't. I got your mail tough, so we can continue this conversation privately.

Sign In or Register to comment.