mahara-contributors team mailing list archive

Thread
Date

[Bug 1843154] Re: Allowlist more modern, safe CSS 3 rules in HTMLPurifier

To: mahara-contributors@xxxxxxxxxxxxxxxxxxx
From: Gold <1843154@xxxxxxxxxxxxxxxxxx>
Date: Sun, 25 Jul 2021 23:24:13 -0000
Reply-to: Bug 1843154 <1843154@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

Enable the 'CSS.Proprietary' config in HTMLPurifier.

For security reasons disable opacity parameters using
'CSS.ForbiddenProperties'.

To test border radius works:

1 Add a Text block to a page
2 Add an image via the WYSIWYG button
3 Open Image formatting options in the modal popup
4 In 'Style (CSS)' enter "border-radius: 50%;" (without the quotes)
5 Submit the image form
6 Check that the image is circular (or oval depending on aspect ratio)
7 Save the block
8 Check that the image in the block is circular (or oval depending on aspect ratio)
9 Display the page
10 Check that the image in the block is circular (or oval depending on aspect ratio)

To test that Opacity has not been introduced.

1 Configure the block
2 Click the image and then click the Insert/edit image button
3 Open the Image formatting options and set the Style
  * Test with each of the following image styles:
  * "border-radius: 50%; -khtml-opacity:.50;"
  * "border-radius: 50%; -moz-opacity:.50;"
  * "border-radius: 50%; opacity:.50;"
  * Note: TinyMCE does display opacity
5 Save the block
6 The saved block should not have an opacity on the image
7 Configure the block
8 Click the image and then click the Insert/edit image button
9 Open the Image formatting options
10 Check the opacity style has been removed from the Style field.

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: mahara-contributors
https://bugs.launchpad.net/bugs/1843154

Title:
  Allowlist more modern, safe CSS 3 rules in HTMLPurifier

Status in Mahara:
  In Progress

Bug description:
  HTML purifier is stripping out border styles, e.g. <img style="border-
  radius:50%;"> which would allow images to be displayed in a circle
  without having to crop the image itself.

  It would be good to allow more modern CSS3 rules.

  Looking at what had been done for skins in bug #1264098 might help.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1843154/+subscriptions

References

[Bug 1843154] [NEW] Whitelist more modern, safe CSS 3 rules in HTMLPurifier
From: Kristina Hoeppner, 2019-09-08