Sao: not render HTML tags in richtext widget

resteve · July 15, 2021, 5:11pm

Since issue9405 [1] [2], the text field that has HTML data and richtext widget, remove some basic tags (h1, h2, strong, table,…)

Propose

Allow add in custom.js which tag removed.

src/html_sanitizer.js

    Sao.HtmlSanitizer = {};
    Sao.HtmlSanitizer.tag_whitelist = {
        B: true,
        BODY: true,
        BR: true,
        DIV: true,
        FONT: true,
        I: true,
        U: true,
    };
    Sao.HtmlSanitizer.attribute_whitelist = {
        align: true,
        color: true,
        face: true,
        size: true,
    };

and finally in the custom.js, we could add more HTML tags that was not removed. Example:

// tag_whitelist
Sao.HtmlSanitizer.tag_whitelist['P'] = true;
Sao.HtmlSanitizer.tag_whitelist['STRONG'] = true;
Sao.HtmlSanitizer.tag_whitelist['H1'] = true;
Sao.HtmlSanitizer.tag_whitelist['H2'] = true;
Sao.HtmlSanitizer.tag_whitelist['H3'] = true;
Sao.HtmlSanitizer.tag_whitelist['H4'] = true;
Sao.HtmlSanitizer.tag_whitelist['H5'] = true;
Sao.HtmlSanitizer.tag_whitelist['H6'] = true;
Sao.HtmlSanitizer.tag_whitelist['TABLE'] = true;
Sao.HtmlSanitizer.tag_whitelist['THEAD'] = true;
Sao.HtmlSanitizer.tag_whitelist['TBODY'] = true;
Sao.HtmlSanitizer.tag_whitelist['TH'] = true;
Sao.HtmlSanitizer.tag_whitelist['TR'] = true;
Sao.HtmlSanitizer.tag_whitelist['TD'] = true;
Sao.HtmlSanitizer.tag_whitelist['FONT'] = true;

// attribute_whitelist
Sao.HtmlSanitizer.attribute_whitelist['CLASS'] = true;

To do this action, is required a patch to allow inherit tag_whitelist and attribute_whitelist - now defined a variable (var) in html_sanitizer.js -.

[1] Issue 9405: Possible XSS code execution on Text and Char fields in sao - Tryton issue tracker
[2] Sanitize RichtText fields content · tryton/sao@7cb4222 · GitHub

ced · July 15, 2021, 8:49pm

The HTML tag set is limited to ensure compatibility between both client implementations.

resteve · July 19, 2021, 6:14am

The default tag list not changed.

The proposal change definition tag/attribute_whitlist to allow custom project inherit in SAO custom.js

See review at Issue 10584: sao: allow inherit tag and attribute whitelist - Tryton issue tracker

resteve · July 19, 2021, 7:17am

See that the project (custom.js) where is defined witch tags render and the client. Not change the default tags.

The question is: how to render a HTML function field and render a table?

Example:

example.py

    demo = fields.Function(fields.Text('Demo), 'get_demo')

    def get_demo():
        return '<table><tbody><tr><td>Demo</td></tr></tbody></table>

views/example_form.xml

    <form>
        <field name="demo" widget="richtext" toolbar="0" yexpand="1" yfill="1"/>
    </form>

At v5.4 show a nice table rendered by html. Of course, the custom project, at the moment only support SAO client (the project decide the client that support)