Sanitising HTML#

I'm intending to allow HTML in my comments, but I'm wary of introducing XSS vulnerabilities. I was planning to use the HTML Purifier library to sanitise the HTML, but I can't see a MODx event that fires when a new comment is posted. Is there any event that will include posting comments? How difficult would it be to add an event into the Jot code?

Thanks for any help ...

Cheers
Matt

Sorry, I don't have the answer to you question, but I just wanted to thank you for the tip! Html Purifier solves problems I was struggling with yesterday.

If we have "recommended tools" section on the forum we should put it there.

I have a modified version of Jot 1.1.3 which uses HTML purifier.
I wrote an extension class for the purifier that also changes <b> tags to <strong>, <i> tags to <em>, and <s>&<strike> tags to <del>.
I set a require for the extension class in jot.class.inc.php and then call the public static function Purify::Clean($_POST['content']);

It uses HTML Purifier 3.1.0, so of course it is PHP 5 only.

I would be happy to share my modifications with you if you are interested.

See it in action at my site: http://scottydelicious.com/

-sD-
Dr. Scotty Delicious, DFPA.

Quote from: Dr. at Jun 12, 2008, 06:06 AM

I would be happy to share my modifications with you if you are interested.

Yes please!

Cheers
Matt

First... Safety!
Make a backup of the folder "/assets/snippets/jot/".
Also, remember that this modification will only work on a server running PHP 5.
PHP 4 will throw fatal errors.

Download my Jot 1.1.3 modifications.

This archive unzips to a folder with the file "jot.class.inc.php". Upload this file to "/assets/snippets/jot/" and overwrite or replace the existing file.
There is also a folder in the archive called "includes". Upload the contents of this folder to "/assets/snippets/jot/includes/".

This is the class I wrote to purify the post as well as the HTML Purifier 3.1.0 library.

I have modified jot.class.inc.php to include my class and use it as a filter. Additionally, I have modified the jot class to send notifications as HTML instead of as plain text. This gives you a greater deal of flexibility in your notification templates.

-sD-
Dr. Scotty Delicious, DFPA.

There is a HTML purifier plugin for MODx, and it has been developped by the author of HTML purifier :
http://htmlpurifier.org/svnroot/htmlpurifier/trunk/plugins/modx.txt

You can also look at this thread :
http://modxcms.com/forums/index.php/topic,6604.0.html

And more recently :
http://htmlpurifier.org/phorum/read.php?3,1866

Quote from: davidm at Jun 16, 2008, 08:46 AM

There is a HTML purifier plugin for MODx, and it has been developped by the author of HTML purifier :

Yeah, I tried that. But the plugin works on content edited in the manager, and I'm not at all concerned about what is done in the manager. It's specifically comments that concern me, and the plugin won't do anything to those. (Will it? ... unless I'm missing something?)

Cheers
Matt

Quote from: Dr. at Jun 16, 2008, 04:36 AM

I have modified jot.class.inc.php to include my class and use it as a filter. Additionally, I have modified the jot class to send notifications as HTML instead of as plain text. This gives you a greater deal of flexibility in your notification templates.

Thanks Scotty ;-). I have some modifications of my own to Jot so I'll need to merge the two; it'll take me a week or so (I'm taking a break) but I shall report back!

Cheers
Matt

Quote from: davidm at Jun 16, 2008, 08:46 AM

There is a HTML purifier plugin for MODx, and it has been developped by the author of HTML purifier [...]

That's true, but it only fires on OnBeforeDocFormSave.
The trouble is, the appropriate events for purifying HTML only seem to be fired in the Manager
I guess what I should try is invoking OnBeforeDocFormSave from Jot.

Quote from: tuatara at Jun 16, 2008, 04:16 PM

Thanks Scotty ;-). I have some modifications of my own to Jot so I'll need to merge the two; it'll take me a week or so (I'm taking a break) but I shall report back!

Cheers
Matt

No problem Matt. I put this together when I was redesigning my site. I thought I was going to provide a WYSIWYG RTE for comments, but I find that HTML Purifiers AutoFormat.AutoParagraph and AutoFormat.Linkify work great, so at this point I am on the fence about adding an RTE.

-sD-
Dr. Scotty Delicious, DFPA.

Hello Dr. Scotty Delicious,

It's great to see that someone else has stepped up to the plate to have an updated plugin of HTML Purifier for Modx. There is a plugin, but it's somewhat untested as I don't use Modx, and it has problems with HTML Purifier 3.1 (I've got an updated version pending for that).

Would you like me to link to your plugin for Jot on the HTML Purifier home page?

Cheers,
Edward