Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

HTML tags doesn't appears in the rendered code

Hi All,
I have updated from 2.1 to the latest 2.3.1 version, and it brokes part of a plugin I've written before.
I'm calling this function DiscussionController_BeforeCommentBody_Handler() and at the end I have filled $Discussion->Body with the HTML code I want to print in the page. But all my formatting class disappears when the page is rendered. I mean if I var_dump($Discussion->Body) the result is properly formatted on the webpage, but then the same code, after the vanilla core process, doesn't contain my tags anymore. Which messed up all the formatting because the css classes are not called.

I have read the thread about BBCode renderer, but I have never used BBCode.

Any help?


  • Options

    Hey Bruno, you can add your custom classes to $this->AllowedClasses in the HtmlAwed plugin!

    HtmlAwed removes all classes that are not in that list from tags as a security feature.

  • Options
    edited September 2017

    Many thanks!

  • Options

    As I didn't find so easy to understand where to put my AllowedClasses, I post my solution in case others have the same needs.
    So the easiest (but maybe not the smartest) solution was to modify the plugins/HtmLawed/class.htmlawed.plugin.php: I have just added new lines in the "protected $allowedClasses = [" array at the end.

  • Options

    That's what I did myself as well.

    Another solution might be to add this line after line 145 ($this->safeStyles = c('Garden.Html.SafeStyles');)


    In this way you could add $Configuration['Plugins']['HtmLawed']['AllowedClasses']="class1,class2,class3"; to your config file, and allow class1,2 and 3 that way.

    In case there's an update to the HtmLawed plugin in a next Vanilla version, it's then trivial to re-add that line to the updated version, while if you add your classes to the allowedClasses array directly you have to copy/paste them over to the new plugin.

  • Options

    Thank for this precision. I was thinking of something like this, as I heavily use hooks in wordpress for example. I will go for your solution as it's smarter.

    But sadly, not all the things I have done before are working. Like some of my upload buttons and some forms fields which are not displaying, some javascript not running.
    Do you know what to modify so it doesn't filter anything? That way I would be able to compare with On/Off filtering and I will be able to find which rule I need to add.
    I have tried "protected $safeStyles = false;" but it doesn't work.

    In the HtmLawed examples I have see
    1. Simplest, allowing all valid HTML markup except uncommon URL schemes like 'whatsapp:'
    $out = htmLawed($in);

    but I don't understand exactly how to integrate it properly in the Vanilla plugin.

  • Options

    In case you don't want to filter anything, it's more convenient to bypass HtmLawed completely:

    The AfterCommentFormat event fires after HtmLawed/BBCode/Wysiwyg/other formatter did their thing, so if you then modify the body of the comment those formatters will leave it alone.

        public function DiscussionController_AfterCommentFormat_handler($Sender) {
            $Format = $Sender->EventArguments['Discussion']->Format;
            $Type = $Sender->EventArguments['Type'];
            if ($Type === 'Discussion') {
                $Body = &$Sender->EventArguments['Discussion']->FormatBody;
                $OwnID = $Sender->EventArguments['Discussion']->DiscussionID;
                $ParentID = $OwnID;
            } else {
                $Body = &$Sender->EventArguments['Object']->FormatBody;
                $OwnID = $Sender->EventArguments['Object']->CommentID;
                $ParentID = $Sender->EventArguments['Object']->DiscussionID;
            $Body.="<h2 onclick='alert(\"Hello world!\")'>Hello world</h2>";

    ^^ The above code will add "hello world" to the end of every comment and every discussion.

    Slight warning just to be sure (although it's probably unnecessary if you have experience writing Wordpress plugins): This disables all security checks of the stuff you're adding to the comments. So really take good care you're not accidentally opening up your users to XSS attacks by adding unsafe content to the safe comments!

  • Options

    Thanks! That works (even if in my case, I now have a problem of bad javascript execution).

    And just to clarify, in case this thread is read by another, I have put the code above in my class.mypluginfile.plugin.php file, at the end.

  • Options
    vrijvlindervrijvlinder Papillon-Sauvage MVP

    @bruno_dualo said:
    Thanks! That works (even if in my case, I now have a problem of bad javascript execution).

    Can you post the js ?

Sign In or Register to comment.