Blog Documentation Book a Demo
Vanilla 1 is no longer supported or maintained. If you need a copy, you can get it here.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Vanilla 1 html parsing

fernandofernando
edited May 2006 in Vanilla 1.0 Help
I notice that a lot of the html I was able to parse in 0.9.x is not passing through in version 1.
I added the 'raw html' extension, but that's raw html, and it doesn't correct the previous posts.

Currently everything looks pretty bad that's been formatted using the 0.9.x html parser, and strangely enough it looks worse when the user goes back in and edits, selecting the 'raw html' option and reposting.

Vanilla's ability to make room for adding files, music, embedded media,flash players,and stuff is a reallyattractive part of Vanilla, so I'd like to add the old functions back into the html parser of version 1.

I don't have a copy of the old file, and the new function is an extension. I searched, but didn't find an answer. Can anyone give a little direction to me so that I could add in the missing functions?

Comments

  • NickENickE New
    So, you want to know how you can modify the Html Formatter to give people more room in regard to what they post? If so, then I'd first like to warn you that doing this will open up security holes on your forum, but if you're ok with that then you should find a line in the html formatter that looks like this:"/<[\/]*(link|iframe|frame|frameset|object|embed|style|applet|meta)[^<]*?>/i" Simply take out the tag name (and one of the '|'s next to it) that you want to allow.
  • fernandofernando
    ok, yes. I know it opens security holes, but for now allowing form and embed actions is important enough to take that risk.

    Thank you.
  • fernandofernando
    I did this, and removed "embed, style, and object" and the corresponding " | " markers.

    The form, flash, and style work now.

    But the "embed src=" still doesn't parse.

    Wonder why, there's no other mention of "embed" in the extension.
  • jakob_rjakob_r
    further down in the function RemoveEvilAttribs there's a similar match-pattern which blocks "src". Take src out of there and it should work. Again a potential security problem.
  • ithcyithcy New
    this comes up often enough that maybe this extension should be renamed "secure html formatter" to contrast it with the raw html formatter.
  • fernandofernando
    That did the trick!

    Thank you!
  • lechlech
    Hmmm, Sirnot, maybe an idea for a future version of this, provide a dropdown list for the "recommended" settings and possibly allow an option to further restrict or allow which tags a user could allow via "custom settings" with comma or pipe seperated values. Save it to the application globals or it's own extension settings if the user wants to modify the values without digging directly into the extension.
  • NickENickE New
    Sounds like a lot of extra baggage...
  • MarkMark Vanilla Staff
    Word.
  • lechlech
    true I guess. :\
This discussion has been closed.