Full Version: [Bug/Feature?]Sanitization of Templates
Movable Type Community Forum > Other Product Discussion > Bugs and Odd Behavior
prwood
Greetings,

I'm running several blogs with MovableType 2.661. One thing I've noticed is that the Sanitize feature seems to cover not just user-submitted data, but data that I've entered myself via Comment listing templates. In these templates, I have links to comment author urls, which contain an "a" tag with "class" and "onClick" information. Since the default sanitize spec allows only "href" in the "a" tag, my class and onClick tags are stripped.

While I do think it's great and proper for these tags to be stripped from incoming data, it's a slight annoyance that they are also stripped at runtime from code I have written.

For the moment, I have set a global sanitize spec override in mt.cfg so that onClick and class are permitted with a tags. Obviously this is very dangerous, but I do want comment posters to be able to use HTML, and I do want my own template code to work.

If there was some sort of a compromise where "Allow HTML In Comments" could be on, but sanitize would check only user input, and ignore the tags in the actual template code, that would work for me. I don't want to disable it globally, but at this point it's the only workable option I have.

I hope this makes sense to you all... let me know if you need clarification.

Thanks!
prwood
QUOTE (prwood @ Mar 22 2004, 08:49 PM)
Greetings,

I'm running several blogs with MovableType 2.661.  One thing I've noticed

Sorry, accidentally hit enter while posting. Will have full version up soon. ;-)


Full version up now. See above!
girlie
Hmmm. I've not seen any situation where Sanitize applies to my templates in addition to the specific tags. For example, I use class and onmouseover in my templates with no problems.

How are you writing the code? Can you post a sample here with the CODE buttons?
prwood
I have only seen this in the "Comment Listing Template". It does not happen in my index templates. Here is a code snippet:

CODE
<span class="EntryFooter">Posted at <$MTCommentDate$> by <$MTCommentAuthor$> <MTIfNonEmpty tag="MTCommentURL">[<a href="#curr" class="bloglink" onClick="window.open('<$MTCommentURL$>');">url</a>]</MTIfNonEmpty> <MTIfNonEmpty tag="MTCommentEmail">[<a href="mailto:<$MTCommentEmail spam_protect="1"$>" class="bloglink">email</a>]</MTIfNonEmpty> </span>


In this snippet, the "onClick" and "class" attributes of my "a" tags would be removed at runtime. They still exist in the template itself, but when the MT comment listing script runs, and processes the template file, it strips them out.

Again, this only happens with the comment listing template. In other templates, such as my main index, my "a" tags remain untouched by Sanitize.

It seems that there is not a logical separation of sanitizing user-supplied code versus sanitizing my template code. The stuff in between the " " after the href tag should be sanitized, since the user put it there... but other than that, I have put the "onClick" and "class" attributes in myself, and they should not be touched.
girlie
If I use the code without the MTIfNonEmpty tags, it works fine.

If I use the code as is, not only do those things get stripped, but I don't get a correct result on the MTCommentURL tag (meaning, there is a URL but it generates no content whatsoever, not even the URL itself).

Applying a sanitize="0" attribute to the MTIfNonEmpty tags gets the second pair to work fine (the email address), but the first still isn't affected.

So the problem seems to be with the MTIfNonEmpty tag, I just haven't figured out the pattern yet.
prwood
QUOTE (girlie @ Mar 22 2004, 03:51 PM)
Applying a sanitize="0" attribute to the MTIfNonEmpty tags gets the second one to work fine (the email address), but the first one still isn't affected.

I added the sanitize="0" to both of the MTIfNonEmpty tags, and that worked for both the URL and Email. I don't know what's wrong with the URL on your end, but it worked for me and put the URL in the proper place.

One question about this, though. Does the sanitize="0" apply to all data contained within those tags, including the MTCommentEmail and MTCommentURL? In other words, would putting sanitize="0" on those tags also turn off sanitization for the $MT$ values within them? And would I then need to manually set sanitize="1" on those tags?

As for your URL not showing up: I do know that since I'm using an onclick, when you go to your browser and hover over your link, it won't show the actual link -- it will just show the url for the current page since "href" points to "#curr". Is that what you're seeing, or is the URL just not getting put in at all?
girlie
As long as you can see the URL, I won't sweat it - I might have something else going on (it's a test blog, so there's crap all over ;-) ).

I have no idea really about how the sanitize will work on the tags inside since I don't even think they should work the way they are now (on MTIfNonEmpty), but in either case, it seems to me the safest route is to put sanitize="1" on the relevant tags. Won't hurt, could help.
prwood
QUOTE (girlie @ Mar 22 2004, 04:05 PM)
it seems to me the safest route is to put sanitize="1" on the relevant tags. Won't hurt, could help.

I've decided to use this method for the time being.

I'm actually poking around in the MT code right now to see how exactly code is sanitized, so maybe I will come to a better understanding of this, but the logic right now doesn't make much sense to me.
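As an added illustration (not code from this thread or from Movable Type itself), here is a Python sketch of the two approaches discussed: sanitizing the rendered comment-listing output with an MT-style "tag attr" spec, which strips the template's own class and onClick exactly as prwood describes, versus sanitizing only the user-supplied value before the template interpolates it. The spec string, the one-link template and the sanitizer logic are constructed assumptions modelled on the thread, not MT's implementation.

```python
import html
import re
from urllib.parse import quote, urlsplit

# MT-style spec "tag attr attr,tag,...": only "href" is allowed on "a" (assumed default).
DEFAULT_SPEC = "a href,b,i,br/,p,strong,em,ul,ol,li,blockquote,pre"

# Constructed stand-in for the thread's comment-listing snippet (URL link only).
TEMPLATE = ('<span class="EntryFooter">[<a href="#curr" class="bloglink" '
            'onClick="window.open(\'{url}\');">url</a>]</span>')

TAG_RE = re.compile(r"<(/?)([a-zA-Z0-9]+)([^>]*)>")
ATTR_RE = re.compile(r'([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*"([^"]*)"')

def parse_spec(spec):
    """Turn 'a href,b,br/' into {'a': {'href'}, 'b': set(), 'br': set()}."""
    allowed = {}
    for item in spec.split(","):
        parts = item.strip().split()
        if parts:
            allowed[parts[0].rstrip("/").lower()] = {a.lower() for a in parts[1:]}
    return allowed

def sanitize_html(fragment, spec=DEFAULT_SPEC):
    """Allow-list sanitizer: tags not in the spec are dropped (their text is kept),
    and attributes not listed for a kept tag are dropped."""
    allowed = parse_spec(spec)
    def fix(m):
        closing, tag, attrs = m.group(1), m.group(2).lower(), m.group(3)
        if tag not in allowed:
            return ""
        if closing:
            return f"</{tag}>"
        kept = "".join(f' {k}="{v}"' for k, v in ATTR_RE.findall(attrs)
                       if k.lower() in allowed[tag])
        return f"<{tag}{kept}>"
    return TAG_RE.sub(fix, fragment)

def sanitize_url(value):
    """Sanitize only the user-supplied value: require http(s), then percent-encode
    quotes, backslashes, <, > and spaces so it can end neither the attribute nor the JS string."""
    if urlsplit(value).scheme.lower() not in ("http", "https"):
        return ""
    return html.escape(quote(value, safe=":/?#@!$&()*+,;=%-._~"), quote=True)

def render_whole_sanitized(user_url):
    # Sanitize the rendered output: the template's class/onClick are lost too.
    return sanitize_html(TEMPLATE.format(url=user_url))

def render_value_sanitized(user_url):
    # Sanitize just the user value and leave the template markup alone.
    return TEMPLATE.format(url=sanitize_url(user_url))
```

The first renderer reproduces the thread's complaint; the second keeps the template intact while still refusing non-http schemes and encoding characters that could break out of the href or the onClick string.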