Using with a Rich Text Editor: not rich anymore

Jan 15, 2012 at 2:04 AM

I was using an old version of Anti-XSS with a rich text editor (CKEditor). It was working very well. But when upgrading to the latest version, I discovered the new sanitizer is way too aggressive and is removing almost everything "rich" in the rich editor, especially colors, backgrounds, font size, etc. It's a disaster for my CMS!

Is there any migration path I can use to keep some of the features of the rich text editor and have at least minimal XSS protection?

Jan 16, 2012 at 4:24 PM
Edited Jan 16, 2012 at 4:24 PM

I think you are having the same issue that my team is having: http://wpl.codeplex.com/workitem/17246

Please vote for this issue, if it is indeed the same issue you are having.

Coordinator
Jan 16, 2012 at 5:07 PM

Still investigating. It does seem to be too greedy now.

Jan 17, 2012 at 7:53 AM
Edited Jan 17, 2012 at 8:05 AM

I have the same question: how do I keep the CSS style when using a rich text editor?

Coordinator
Jan 22, 2012 at 10:43 PM

CSS will always be stripped now - it's too dangerous, but in other cases it is being too greedy, dropping hrefs from a tags for example. That is being looked at.

Jan 23, 2012 at 4:25 PM

Any new version planned soon?

Coordinator
Jan 23, 2012 at 4:27 PM

Yes, it's been looked at now. I can't give a timescale though.

Feb 1, 2012 at 8:11 PM

A very quick test on the 4.2 Sanitizer shows that it totally removes strong tags, h1 tags, section tags and as mentioned above strips href attributes from anchor tags. At this rate the output will soon be string.Empty. I hope that the next version will allow basic markup tags and restore the href to anchors.

Feb 1, 2012 at 8:15 PM

Agreed ;-)

We should be able to configure some "relaxation" of the rules. For example, I would like some inline CSS instructions to pass. I totally agree everything should be strictly enforced by default, but currently the only alternative is to deactivate it entirely, leaving no protection at all.

For me, it should be like a firewall: everything is locked by default, but you can open some "holes" in it.

Carl.
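The "firewall" approach described in the post above (and the strong/h1/href complaints of the post before it), as an added example that is not part of this thread or of the Anti-XSS library: a default-deny sanitizer that keeps a small allowlist of tags, attributes and inline CSS properties and drops everything else. It is written in Python on the standard library so it runs stand-alone; the allowlists and the safe-scheme list are assumptions chosen to match what the posters asked to keep.

```python
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "strong", "em", "h1", "h2", "a", "span"}  # assumed default-deny policy
ALLOWED_ATTRS = {"a": {"href"}, "span": {"style"}, "p": {"style"}}  # unlisted attrs are dropped
ALLOWED_CSS = {"color", "background-color", "font-size"}  # the "holes" opened for rich text
SAFE_SCHEMES = ("http://", "https://", "mailto:")

def _clean_style(value):
    # Keep only allowlisted properties with plain values (no url(), expression(), quotes).
    keep = []
    for decl in value.split(";"):
        prop, _, val = (s.strip().lower() for s in decl.partition(":"))
        if (prop in ALLOWED_CSS and re.fullmatch(r"[#\w\s.%,()-]+", val)
                and "url(" not in val and "expression" not in val):
            keep.append(f"{prop}: {val}")
    return "; ".join(keep)

def _clean_href(value):  # absolute links with a known-safe scheme only
    return value.strip() if value.strip().lower().startswith(SAFE_SCHEMES) else ""

class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside <script>/<style>
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1  # drop the whole subtree, text included
        elif not self.skip and tag in ALLOWED_TAGS:
            kept = ""
            for name, val in attrs:
                if val and name in ALLOWED_ATTRS.get(tag, ()):
                    val = _clean_href(val) if name == "href" else _clean_style(val)
                    kept += f' {name}="{escape(val, quote=True)}"' if val else ""
            self.out.append(f"<{tag}{kept}>")  # other tags vanish, their text stays
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # text is always re-escaped

def sanitize(html):
    p = _Sanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)
```

Widening a "hole" is a one-line change to the allowlists, while the default for anything not listed stays closed.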

Feb 20, 2012 at 9:46 PM

This is absolute craziness. 4.2 breaks all kinds of compatibility. Precisely for this reason, I'm not upgrading.

Microsoft creates an even bigger security problem when it breaks compatibility this bad. Most of us have to roll back to an older version so that our users can still use our software.

Mar 5, 2012 at 6:52 PM

bchavez - Not upgrading? What is your website's URL? ;) (PS: don't answer that)

Mar 9, 2012 at 9:54 AM

So, just to get things straight, is this thing usable yet or not? We are well past the "couple of weeks" for source code, yet all I'm seeing is a load of code from 2008. I understand timescales in small projects can be fairly fluid, but as open source proponents have been known to say, enough eyes make bugs shallow.

Can we have a bit of an update please?

Alan

Mar 14, 2012 at 3:01 PM
Edited Mar 14, 2012 at 3:07 PM

I agree. Sorry, but this is not "open" source, this is "spit something out when everything is perfect" source. This is "we know best and we'll give it to you when we say it's ready" source. "CodePlex. Open Source Community, but we don't really mean open and you can't have the 4.2 source until 4.3 comes out, so you're not really part of what we mean by community."

This may be a bit harsh, but, come on, open up just a bit.

Apr 7, 2012 at 10:13 PM
Edited Apr 7, 2012 at 10:13 PM

3 months after my message, I can see there's nothing new. I'm very sad about this.

Does anybody know another tool like WPL I can try?

Carl.

Apr 10, 2012 at 7:00 AM
bdorrans wrote:

Yes, it's been looked at now. I can't give a timescale though.

Any updates on the "looked at" status?

May 23, 2012 at 11:31 AM

This is getting beyond a joke.

Honestly, if you aren't going to at least release the source code or fix the bugs, hand the project over to someone who will.

People are actually releasing software which depends on this rubbish. For example, the latest AjaxControlToolkit - check the "what's new" section: http://ajaxcontroltoolkit.codeplex.com/releases/view/87024

This is not open source. This isn't even a pimple squeezed by open source.

Please, release the source code.

Jun 6, 2012 at 10:43 PM

Five months without a patch for this? Anyone have any alternatives for HTML sanitization they like?

Jul 7, 2012 at 11:32 AM

The June 2012 Ajax toolkit release has an HTML Agility Pack based XSS sanitizer. See http://stephenwalther.com/archive/2012/06/25/announcing-the-june-2012-release-of-the-ajax-control-toolkit.aspx for details.