User Tools

Site Tools

:: Version 2.6.0 ::



This shows you the differences between two versions of the page.

Link to this comparison view

2_6_0:admin:rich_text_limitations [2019/01/09 16:40]
2_6_0:admin:rich_text_limitations [2020/02/05 11:42] (current)
Line 1: Line 1:
 +====== Rich Text Formatting limitations ======
 +Starting with iTop 2.3.0, some fields (for example the case log entries and the ''​description''​ of Tickets) support rich text formatting.
 +This formatting is implemented using HTML markup. This is convenient for displaying in the browser, on-line WYSIWYG editing and importing from HTML emails. However inserting any kind of HTML markup inside a web-based application is not acceptable since it opens the door to all kind of malicious injections. Therefore the HTML markup always passes through a //​sanitization process// before being recorded into the iTop database. This sanitization is based on a //​white-list//​ for the HTML tag names, attributes and styles.
 +  - Any tag not present in the //tags white-list//​ is completely removed (including the sub-tags)
 +  - Any attribute not present in the //​attributes white-list//​ ( for the considered tag) is removed
 +  - Any style not within the //styles white-list//​ is removed
 +  - Last but not least, the only URL schemes accepted (in ''​href''​ and ''​src''​ attributes) are ''​http:'',​ ''​https:'',​ ''​mailto:''​ and ''​data:''​.
 +<note tip>The tag ''​style''​ and the attributes ''​id''​ and ''​class''​ are completely banned, since they may interfere with the behavior of the application. HTML formatting is only supported via the semantic of the tags (''​i'',​ ''​strong'',​ etc) and inline CSS styles (via the ''​style''​ attribute on some tags). Note that at the time of the writing this rule is consistent with web based email clients like gmail.</​note>​
 +<note important>​These //​sanitization rules// apply to any HTML stored in iTop, so they apply to the rich text entered via a copy/paste or imported from an email when using the "​Ticket creation from eMails"​ extension.</​note>​
 +===== Tags and attributes white-list =====
 +The following tags are preserved when sanitizing the HTML to be stored in iTop. For each tag, the table below lists the attributes which are allowed.
 +^ HTML Tag ^ Allowed attributes ^
 +|a|''​href'',​ ''​name'',​ ''​style'',​ ''​target'',​ ''​title''​|
 +|font|''​face'',​ ''​color'',​ ''​style'',​ ''​size''​|
 +|img|''​src'',''​style'',​ ''​alt'',​ ''​title''​|
 +|table|''​style'',​ ''​width'',​ ''​summary'',​ ''​align'',​ ''​border'',​ ''​cellpadding'',​ ''​cellspacing''​|
 +|td|''​style'',​ ''​colspan''​|
 +===== Styles white-list =====
 +The following //styles// are the only items allowed inside a ''​style''​ attribute (for the tags for which ''​style''​ is allowed):
 +''​background-color'',​ ''​border'',​ ''​border-collapse'',​ ''​bordercolor'',​ ''​cellpadding'',​ ''​cellspacing'',​ ''​color'',​ ''​float'',​ ''​font'',​ ''​font-family'',​ ''​font-size'',​ ''​font-style'',​ ''​height'',​ ''​margin'',​ ''​padding'',​ ''​text-align'',​ ''​vertical-align'',​ ''​width'',​ ''​white-space''​
 +<note important>​The background color of a text (or an area) will be lost if it is specified via the forbidden ''​background''​ CSS style property, but preserved if specified via the more specific ''​background-color''​ CSS property.</​note>​
 +===== Disabling the Sanitizer =====
 +Also not recommended,​ a Configuration Parameter can disable the HTML Sanitizer:
 +  * ''​HTMLDOMSanitizer'':​ default, ​
 +  * ''​HTMLPurifierSanitizer'':​ ??? 
 +  * ''​HTMLNullSanitizer'':​ no sanitizing at all.
 +  '​html_sanitizer'​ => '​HTMLNullSanitizer',​