1

Topic: Allowing multiple classes

Hi,

I'm using Vanilla Forum which uses Htmlawed as part of its security measures and I'm facing an issue with allowing multiple classes to be defined on an element.

Vanilla is configured to automatically strip the `class` attribute (through `deny_attribute`) unless the class given matches a whitelist of classes (via `{tags}=class(oneof={...})`). That works for a single class, but in my case I need to allow an element to have multiple classes and I can't see a way to do that.

Looking at the Htmlawed source, `oneof` uses a simple `==` between the allowed classes and the value - there is no option to split the class list up. I wondered about using `match`, but all of `hl_attrval` looks like it is all or nothing - it can't manipulate the attribute's value to remove certain parts (the classes not on the whitelist).

Is there any way this might be possible?

This is a continuation of a discussion in the Vanilla forum (https://vanillaforums.org/discussion/31804/htmlawed-and-allowing-classes#latest) - I think it's probably more appropriate to ask here now that I've narrowed the issue down a little.

Thanks,
Allan

2

Re: Allowing multiple classes

One other thing that was suggested in the Vanilla forum was to give the full string for the classes I want to allow with the spaces included, which I tried, but it looks like spaces are stripped out in `hl_spec` so unfortunately that method doesn't work.

Unless I'm missing something, there just doesn't appear to be a way to allow multiple classes on an element in Htmlawed with whitelisting at the moment?

Allan

3

Re: Allowing multiple classes

You are right: code modification is needed to have this feature. This feature should have been there from the beginning, so thanks for posting.

I should be able to modify the code and test it today. With the mod., besides the 'oneof' and 'noneof', there will be a 'someof' specification. I will also have to think of the implementation for the separator (space, comma...).

4

Re: Allowing multiple classes

`someof` sounds absolutely perfect - thanks!

5

Re: Allowing multiple classes

The new, 1.1.22 (5 March 2016) release of htmLawed provides this feature.

For 'accesskey', 'class' and 'rel' attributes, which can have multiple, space-separated values, htmLawed now tests each value individually. I did not have to put in the new 'someof' specification.
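
The difference this thread turns on, whole-value comparison against the allowlist versus testing each space-separated class on its own, shown as an added example that is not htmLawed's source and not part of any post above. The function names, the allowlist and the sample inputs are constructed, and dropping unlisted tokens while keeping listed ones is an assumed policy for the illustration, not a statement of what htmLawed 1.1.22 does with a mixed list.

```php
<?php
// Added illustration; not htmLawed code. Function names are hypothetical.

// Whole-value comparison, as the thread describes for 'oneof': the attribute
// passes only if the entire string equals one allowed entry.
function class_allowed_whole(string $value, array $allowed): bool
{
    return in_array($value, $allowed, true);
}

// Per-token check: split on HTML whitespace and keep only allowlisted tokens.
// Returns the filtered value, or null when nothing survives (drop the attribute).
function class_filter_tokens(string $value, array $allowed): ?string
{
    $tokens = preg_split('/[ \t\n\f\r]+/', $value, -1, PREG_SPLIT_NO_EMPTY);
    $kept = [];
    foreach ($tokens as $token) {
        // Strict, case-sensitive equality: no substring or pattern matching,
        // so 'quotespoiler' or 'QUOTE' never passes as 'quote'.
        if (in_array($token, $allowed, true) && !in_array($token, $kept, true)) {
            $kept[] = $token;
        }
    }
    return $kept ? implode(' ', $kept) : null;
}

$allowed = ['quote', 'spoiler', 'code'];   // constructed allowlist

$samples = [                                // constructed attribute values
    'quote',                        // single allowed class
    'quote spoiler',                // two allowed classes
    "quote\tspoiler  admin-only",   // mixed separators plus an unlisted class
    'QUOTE',                        // case differs from the allowlist entry
    'quotespoiler',                 // allowed names run together
    '',                             // empty attribute
];

foreach ($samples as $value) {
    $whole    = class_allowed_whole($value, $allowed) ? 'keep' : 'strip';
    $filtered = class_filter_tokens($value, $allowed);
    printf("%-30s whole=%-5s per-token=%s\n", json_encode($value), $whole,
        $filtered === null ? '(attribute dropped)' : $filtered);
}
```

With whole-value comparison only the first sample survives; the per-token check also keeps `quote spoiler` and reduces the third sample to `quote spoiler`, while the last three are dropped under both.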