[Added + more] Strip HTML and cut doesn't remove javascript

rubenreyes
Topic Author
Offline
Senior Member

11 years 11 months ago #38099 by rubenreyes

[Added + more] Strip HTML and cut doesn't remove javascript was created by rubenreyes

Hello, we are observing the following issue in FC 2.0.2 r1680:

We have a blog category, where we have set for the item intro text to be displayed, HTML stripped and cut.

There is an item where we have a piece of javascript code that looks like this:

Code:

<p>Some interesting text first.</p>
<script type="text/javascript">
document.write("<p>Hello world!</p>");
</script>

In the category view we see:

Some interesting text first. document.write("");

So we added the CDATA tags:

Code:

<p>Some interesting text first.</p>
<script type="text/javascript">
//<![CDATA[
document.write("<p>Hello world!</p>");
//]]>
</script>

and now we see:

In the category view we see:

Some interesting text first. //

It seems to me that the method flexicontent_html::striptagsandcut can be improved to completely remove any javascript code.

Thank you!

Please Log in or Create an account to join the conversation.

ggppdk
Offline
Administrator

11 years 11 months ago #38100 by ggppdk

Replied by ggppdk on topic [Added + more] Strip HTML and cut doesn't remove javascript

Hello,
please test 3 improvements:

in file components/com_flexicontent/flexicontent.helper.php

Replace line:

Code:

$cleantext = strip_tags($text);

with:

Code:

// Strip SCRIPT tags AND their containing code
$text = preg_replace( '#<script\b[^>]*>(.*?)<\/script>#is', '', $text );

// Add white-spaces at start/end of tags so that words will not be joined
$text = preg_replace('/(<\/[^>]+>)|(<[^>\/][^>]*>)/', ' $1', $text);

// Strip html tags
$cleantext = strip_tags($text);

// Replace multiple spaces, tabs, newlines, etc with a SINGLE whitespace so that text length will be calculated correctly
$cleantext = preg_replace('/[\p{Z}\s]{2,}/u', ' ', $cleantext);  // Unicode safe whitespace replacing

-- Flexicontent is Free but involves a big effort on our part.
Like the our support? (for a bug-free FC, despite having a long list of functions) Like the features? Like the ongoing development and future commitment to FLEXIcontent?
-- Add your voice to the FLEXIcontent JED listing with a 5-star...

Please Log in or Create an account to join the conversation.

micker
Offline
Administrator

11 years 11 months ago #38104 by micker

Replied by micker on topic [Added + more] Strip HTML and cut doesn't remove javascript

post your return to help team

FLEXIcontent is Free but involves a very big effort on our part.
Like the our support? (for a bug-free FC, despite being huge extension) Like the features? Like the ongoing development and future commitment to FLEXIcontent?
-- Add your voice to the FLEXIcontent JED listing reviews. Thanks![/size]

Please Log in or Create an account to join the conversation.