:: Version 2.6.0 ::

Rich Text Formatting limitations

Starting with iTop 2.3.0, some fields (for example the case log entries and the description of Tickets) support rich text formatting.

This formatting is implemented using HTML markup, which is convenient for display in the browser, for on-line WYSIWYG editing and for importing HTML emails. However, storing arbitrary HTML markup inside a web-based application is not acceptable, since it opens the door to all kinds of malicious injection (cross-site scripting, for instance). Therefore the HTML markup always passes through a sanitization process before being recorded in the iTop database. This sanitization is based on white-lists for the HTML tag names, attributes and styles:

  1. Any tag not present in the tags white-list is completely removed (including its sub-tags)
  2. Any attribute not present in the attributes white-list (for the tag considered) is removed
  3. Any style not present in the styles white-list is removed
  4. Last but not least, the only URL schemes accepted (in href and src attributes) are http:, https:, mailto: and data:.

The style tag and the id and class attributes are completely banned, since they may interfere with the behavior of the application. HTML formatting is only supported via the semantics of the tags (i, strong, etc.) and inline CSS styles (via the style attribute on some tags). Note that at the time of writing this rule is consistent with web-based email clients such as Gmail.

These sanitization rules apply to any HTML stored in iTop: for instance to rich text pasted into a field, or to HTML imported from an email when using the “Ticket creation from eMails” extension.

Tags and attributes white-list

The following tags are preserved when sanitizing the HTML to be stored in iTop. For each tag, the table below lists the attributes which are allowed.

HTML Tag      Allowed attributes
a             href, name, style, target, title
b             None.
big           None.
blockquote    style
body          None.
br            None.
caption       None.
center        None.
cite          None.
code          None.
code          style
del           None.
div           style
em            None.
fieldset      style
font          face, color, style, size
h1            style
h2            style
h3            style
h4            style
hr            style
html          None.
i             None.
img           src, style, alt, title
ins           None.
kbd           None.
legend        style
li            style
nav           style
ol            style
p             style
pre           None.
q             None.
s             None.
samp          None.
section       style
small         None.
span          style
strong        None.
table         style, width, summary, align, border, cellpadding, cellspacing
tbody         style
td            style, colspan
th            style
thead         style
tr            style
tt            None.
u             None.
ul            style
var           None.

Styles white-list

The following styles are the only items allowed inside a style attribute (for the tags for which style is allowed):

background-color, border, border-collapse, bordercolor, cellpadding, cellspacing, color, float, font, font-family, font-size, font-style, height, margin, padding, text-align, vertical-align, width, white-space

The background color of a text (or an area) is lost if it is specified via the forbidden background shorthand CSS property, but preserved if it is specified via the more specific background-color CSS property.
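To make the four rules and the two white-lists above concrete, here is an added example in Python that applies the same rules to a fragment of HTML. It is not iTop's own code (iTop's sanitizer is implemented in PHP and selected by the html_sanitizer parameter); it transcribes the tag, attribute, style and URL-scheme white-lists from this page and makes two assumptions the page leaves open: a removed tag takes its text content with it, and a URL with no scheme at all is rejected rather than accepted.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> allowed attributes, transcribed from the table above.
ALLOWED_TAGS = {
    "a": {"href", "name", "style", "target", "title"},
    "b": set(), "big": set(), "blockquote": {"style"}, "body": set(), "br": set(),
    "caption": set(), "center": set(), "cite": set(), "code": {"style"},
    "del": set(), "div": {"style"}, "em": set(), "fieldset": {"style"},
    "font": {"face", "color", "style", "size"}, "h1": {"style"}, "h2": {"style"},
    "h3": {"style"}, "h4": {"style"}, "hr": {"style"}, "html": set(), "i": set(),
    "img": {"src", "style", "alt", "title"}, "ins": set(), "kbd": set(),
    "legend": {"style"}, "li": {"style"}, "nav": {"style"}, "ol": {"style"},
    "p": {"style"}, "pre": set(), "q": set(), "s": set(), "samp": set(),
    "section": {"style"}, "small": set(), "span": {"style"}, "strong": set(),
    "table": {"style", "width", "summary", "align", "border", "cellpadding", "cellspacing"},
    "tbody": {"style"}, "td": {"style", "colspan"}, "th": {"style"}, "thead": {"style"},
    "tr": {"style"}, "tt": set(), "u": set(), "ul": {"style"}, "var": set(),
}
# Styles white-list and accepted URL schemes, as listed on this page.
ALLOWED_STYLES = {
    "background-color", "border", "border-collapse", "bordercolor", "cellpadding",
    "cellspacing", "color", "float", "font", "font-family", "font-size", "font-style",
    "height", "margin", "padding", "text-align", "vertical-align", "width", "white-space",
}
ALLOWED_SCHEMES = {"http", "https", "mailto", "data"}
URL_ATTRIBUTES = {"href", "src"}
VOID_TAGS = {"br", "hr", "img"}  # elements that never have an end tag


def filter_style(style):
    """Rule 3: keep only declarations whose property is on the styles white-list.
    The 'background' shorthand is not listed, so it is dropped; 'background-color' survives."""
    kept = []
    for declaration in style.split(";"):
        if ":" not in declaration:
            continue
        prop, value = declaration.split(":", 1)
        prop, value = prop.strip().lower(), value.strip()
        if prop in ALLOWED_STYLES and value:
            kept.append(f"{prop}: {value}")
    return "; ".join(kept)


def url_allowed(value):
    """Rule 4: only http:, https:, mailto: and data: are accepted in href/src.
    Assumption: a scheme-less (relative) URL is rejected as well."""
    return urlparse(value.strip()).scheme.lower() in ALLOWED_SCHEMES


class WhitelistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []       # (tag, dropped) for every open non-void element
        self.drop_depth = 0   # > 0 while inside an element that is being removed

    def handle_starttag(self, tag, attrs):
        if self.drop_depth or tag not in ALLOWED_TAGS:
            # Rule 1: a non-white-listed tag, and everything nested in it, is removed
            if tag not in VOID_TAGS:
                self.stack.append((tag, True))
                self.drop_depth += 1
            return
        self._emit_tag(tag, attrs)
        if tag not in VOID_TAGS:
            self.stack.append((tag, False))

    def handle_startendtag(self, tag, attrs):
        if self.drop_depth == 0 and tag in ALLOWED_TAGS:  # e.g. <img ... />
            self._emit_tag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not any(t == tag for t, _ in self.stack):
            return  # stray end tag: ignore it
        while self.stack:  # close (or finish dropping) everything up to the match
            open_tag, dropped = self.stack.pop()
            if dropped:
                self.drop_depth -= 1
            else:
                self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        if self.drop_depth == 0:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are not on any white-list

    def _emit_tag(self, tag, attrs):
        parts = [tag]
        for name, value in attrs:
            name = name.lower()
            # Rule 2: attribute must be white-listed for this tag (id, class, on* never are)
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue
            if name == "style":
                value = filter_style(value)
            elif name in URL_ATTRIBUTES and not url_allowed(value):
                continue
            if value:
                parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")


def sanitize(markup):
    """Apply the white-list rules to an HTML fragment and return the cleaned markup."""
    parser = WhitelistSanitizer()
    parser.feed(markup)
    parser.close()
    while parser.stack:  # close elements the input left open
        open_tag, dropped = parser.stack.pop()
        if not dropped:
            parser.out.append(f"</{open_tag}>")
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample input, not taken from a real ticket.
    print(sanitize('<p style="color:red; background:url(x)">hi</p><script>alert(1)</script>'))
```

Feeding it a fragment such as `<a href="javascript:alert(1)" id="x" onclick="y">link</a>` yields `<a>link</a>`: the id and onclick attributes fail rule 2 and the href fails rule 4, while the element itself stays because a is white-listed.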

Disabling the Sanitizer

Although this is not recommended, the html_sanitizer configuration parameter selects the sanitizer implementation and can be used to turn sanitizing off altogether:

  • HTMLDOMSanitizer: default,
  • HTMLPurifierSanitizer: ???
  • HTMLNullSanitizer: no sanitizing at all.

For example, to disable the sanitizer:

  'html_sanitizer' => 'HTMLNullSanitizer',

2_6_0/admin/rich_text_limitations.txt · Last modified: 2019/01/09 16:40 (external edit)
