Save just rich text from Interweave? about interweave HOT 7 CLOSED

@wsrast It was mainly to avoid embedded URLs within the style attribute, like background URLs, from automatically requesting. I'd have to dig/research into it again to see whether it's still an issue.

Mainly stuff like this: https://stackoverflow.com/questions/4546591/xss-attacks-and-style-attributes

from interweave.

So <!-- /react-text --> and other similar markup is something that React does, not Interweave. The class names however are something that Interweave does, but removing those may be tricky.

I think your best bet is to parse the HTML yourself after Interweave does, and sanitize anything you don't want.

from interweave.

Got it. I will handle that somehow. I have another issue I opened on Stackoverflow.

Colors are not showing up. background color or text color are getting lost. Does anyone know of a default filter that turns them off or anyway I can turn oncolored text

I have created a function that I can pass text into that I want to display as rich text. I read in the readMe that some tags will never be displayed."The following tags and their children will never be rendered, even when the whitelist is disabled.applet, canvas, embed, frame, frameset, iframe, object, script, style"Does this mean that it is impossible to display text color or back color with Interweave?

This also breaks underline because of not displaying styles.

<span style=\"text-decoration: underline;\">this </span>

Here is an example of what I am trying to do:

static createRichTextElement(text){ return( <Interweave disableFilters content={"<p><strong>bold</strong></p><p><em>italic</em></p><p><span style='color: rgb(215, 30, 15);'>red color</span></p><p></p>"}/> ); }

Any ideas?

from interweave.

Only a very small subset of attributes are supported: https://github.com/milesj/interweave/blob/master/packages/interweave/src/constants.js#L224 The style tag is definitely not supported, and most likely will not be.

If you really need full control, you may just have to fork the project.

from interweave.

@milesj Is this blacklisting of the inline style attribute due to a specific security vulnerability? I've seen some vulnerabilities in older versions of IE alluded to, but nothing past IE8. Have any links to OWASP or another related site to explain the issue? We'd rather not open up a security vulnerability if we can help it, but our Kendo UI Editor control makes broad use of inline styles.

from interweave.

@milesj Thanks for that link. There's some good attack vectors there that we can look at while we evaluate a solution.

from interweave.

@milesj do you consider whitelisting the style attribute now ? Would love to be able to use it.

from interweave.