Opened 4 years ago
Last modified 16 months ago
#1781 new Enhancement
provide core method for object titles to be optionally stripped of tags
| Reported by: | dave | Owned by: | |
|---|---|---|---|
| Priority: | low | Milestone: | Near Term Future Release |
| Component: | Core | Version: | 1.7 |
| Severity: | trivial | Keywords: | |
| Cc: | brettp | Difficulty: | |
Description
I think we should make it so that users can't insert imgs etc into the title fields of plugins. Anyone disagree or have a good reason why you would want users to be able to?
Change History (10)
comment:1 Changed 4 years ago by dave
- Resolution set to fixed
- Status changed from new to closed
comment:2 Changed 4 years ago by cash
- Resolution fixed deleted
- Status changed from closed to reopened
- I think it is reasonable to allow italics on blog titles.
- I strongly disagree with the change to the entities class to handle this. Metadata and the ElggEntities class should be kept as general as possible. Adding special exceptions like this can cause problems in the future through odd behavior and this does not set a good precedent.
If you decide to strip all or most tags out of titles for blogs, pages, etc, I recommend doing it in the ElggObject class since that is where the title is stored anyway. It could be done as part of the sanitization of the title string in create_object_entity(). Another (better) possibility is to do it on output rather than input. Add a method getTitle() to the ElggObject class and strip tags in that method. You can use that method to get the title string in all of your plugins while allowing plugin authors to decide whether they want a stripped title or not. This would then allow a plugin author to create a plugin that does use an image as a title (and I know of WordPress plugins that allow people to use images as titles - stylized text).
comment:3 Changed 3 years ago by cash
- Component set to Core
- Milestone set to Elgg 1.7.1
- Priority changed from normal to high
- Severity set to major
- Summary changed from All titles on blogs, pages, files etc should not allow anything other than text to Stripping tags from titles breaks plugins
- Version set to 1.7
This change broke the external pages plugin. See #1937
If you want to strip tags, I still believe the best way to do this is by adding a getTitle method to the Elgg Object class and stripping tags in there. That way each plugin has the option to store html tags in the title.
comment:4 Changed 3 years ago by cash
For 1.7.1, I think a good approach is to remove the stripping from ElggEntity and put it in the save action of each plugin. Then revisit for Elgg 1.8 by possibly adding a setTitle() method to ElggObject that will strip tags.
comment:5 Changed 3 years ago by cash
(In [svn:5504]) Fixes #1937, refs #1781 - stripping tags moved into plugin actions until better solution
comment:6 Changed 3 years ago by cash
- Milestone changed from Elgg 1.7.1 to Elgg 1.8
- Priority changed from high to normal
- Severity changed from major to minor
- Summary changed from Stripping tags from titles breaks plugins to provide core method for object titles to be optionally stripped of tags
- Type changed from Unconfirmed Defect to enhancement
comment:7 Changed 3 years ago by brettp
- Cc brettp, nickw added
- Difficulty set to trivial
- Priority changed from normal to low
- Severity changed from minor to trivial
See also #2515 re "Complete the set of getter methods."
comment:8 Changed 2 years ago by ewinslow
- Milestone changed from Elgg 1.8 to Elgg 1.8.1
comment:9 Changed 2 years ago by ewinslow
We shouldn't be stripping tags from titles at all. Instead, we should be escaping the output. That way I can title my blog post or page: "Dealing with <script> injection attacks" and not have it end up like "Dealing with injection attacks".
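The two output-time options raised in comment:2 and comment:9, side by side, as an added example that is not Elgg code and not written by any commenter. `DemoObject` and `getEscapedTitle()` are hypothetical names, the `getTitle()` signature is an assumption, and the sample titles are constructed.

```php
<?php
// Added illustration, not Elgg code. DemoObject and its methods are hypothetical.

final class DemoObject
{
    private string $title;

    public function __construct(string $title)
    {
        // Store the title exactly as submitted: nothing is stripped on input,
        // so no information is lost before a plugin decides how to render it.
        $this->title = $title;
    }

    // comment:2 proposal: strip tags on output, with an opt-out for plugins
    // that deliberately keep markup in the title. The raw form must still be
    // escaped or filtered by the caller before it reaches an HTML page.
    public function getTitle(bool $stripTags = true): string
    {
        return $stripTags ? strip_tags($this->title) : $this->title;
    }

    // comment:9 proposal: keep every character and neutralise markup at
    // render time by HTML-escaping for the output context.
    public function getEscapedTitle(): string
    {
        return htmlspecialchars($this->title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed sample titles: literal text that looks like a tag, inline
// emphasis, and an image used as a stylized title.
$samples = [
    'Dealing with <script> injection attacks',
    'My <em>italic</em> post',
    '<img src="banner.png" alt="Stylized title">',
];

foreach ($samples as $raw) {
    $obj = new DemoObject($raw);
    printf("raw:      %s\n", $obj->getTitle(false));
    printf("stripped: %s\n", $obj->getTitle());
    printf("escaped:  %s\n\n", $obj->getEscapedTitle());
}
```

Stripping removes the word `<script>` from the first title and leaves the third empty, while escaping keeps the text of all three and renders none of them as markup.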
comment:10 Changed 16 months ago by cash
- Difficulty trivial deleted
- Milestone changed from Elgg 1.8.x to Near Term Future Release
- Owner dave deleted
- Status changed from reopened to new

Core commit [svn:3463] strips all tags on titles.