Since issue 9405 [1] [2], text fields holding HTML data with the richtext widget have some basic tags removed (h1, h2, strong, table, ...).
Propose
Allow custom.js to configure which tags are removed.
src/html_sanitizer.js

```js
Sao.HtmlSanitizer = {};
Sao.HtmlSanitizer.tag_whitelist = {
    B: true,
    BODY: true,
    BR: true,
    DIV: true,
    FONT: true,
    I: true,
    U: true,
};
Sao.HtmlSanitizer.attribute_whitelist = {
    align: true,
    color: true,
    face: true,
    size: true,
};
```
and finally, in custom.js, we could add more HTML tags that must not be removed. Example:
```js
// tag_whitelist (tag names are compared in upper case, as in the defaults)
Sao.HtmlSanitizer.tag_whitelist['P'] = true;
Sao.HtmlSanitizer.tag_whitelist['STRONG'] = true;
Sao.HtmlSanitizer.tag_whitelist['H1'] = true;
Sao.HtmlSanitizer.tag_whitelist['H2'] = true;
Sao.HtmlSanitizer.tag_whitelist['H3'] = true;
Sao.HtmlSanitizer.tag_whitelist['H4'] = true;
Sao.HtmlSanitizer.tag_whitelist['H5'] = true;
Sao.HtmlSanitizer.tag_whitelist['H6'] = true;
Sao.HtmlSanitizer.tag_whitelist['TABLE'] = true;
Sao.HtmlSanitizer.tag_whitelist['THEAD'] = true;
Sao.HtmlSanitizer.tag_whitelist['TBODY'] = true;
Sao.HtmlSanitizer.tag_whitelist['TH'] = true;
Sao.HtmlSanitizer.tag_whitelist['TR'] = true;
Sao.HtmlSanitizer.tag_whitelist['TD'] = true;
Sao.HtmlSanitizer.tag_whitelist['FONT'] = true;
// attribute_whitelist (attribute names are lower case, as in the defaults:
// align, color, face, size; an upper-case 'CLASS' key would never match)
Sao.HtmlSanitizer.attribute_whitelist['class'] = true;
```
To make this possible, a patch is required that allows tag_whitelist and attribute_whitelist to be extended; they are currently defined as local variables (var) in html_sanitizer.js.
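To show what such an extension changes and what it must not change, here is an added example (not sao's code) of a whitelist walk over a plain-object tree that stands in for the DOM; `sanitize`, `serialize` and the sample input are assumptions of this example, and non-whitelisted elements are dropped together with their subtree:

```javascript
// Default whitelists, shaped like the ones in the proposal.
const HtmlSanitizer = {
  tag_whitelist: { B: true, BODY: true, BR: true, DIV: true, FONT: true, I: true, U: true },
  attribute_whitelist: { align: true, color: true, face: true, size: true },
};

// A node is {tag, attrs, children} or a plain string (text node).
// Elements not in the tag whitelist are dropped with their whole subtree;
// attributes not in the attribute whitelist are dropped one by one.
function sanitize(node, tags, attrs) {
  if (typeof node === 'string') return node;
  if (!tags[node.tag.toUpperCase()]) return null;
  const keptAttrs = {};
  for (const [name, value] of Object.entries(node.attrs || {})) {
    if (attrs[name.toLowerCase()]) keptAttrs[name] = value; // lower-case lookup, like DOM attr.name
  }
  const children = (node.children || [])
    .map((c) => sanitize(c, tags, attrs))
    .filter((c) => c !== null);
  return { tag: node.tag, attrs: keptAttrs, children };
}

// Serializer used only to inspect the result; text is escaped so the output is safe to print.
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
function serialize(node) {
  if (typeof node === 'string') return escapeText(node);
  const tag = node.tag.toLowerCase();
  const attrs = Object.entries(node.attrs).map(([k, v]) => ` ${k}="${v}"`).join('');
  return `<${tag}${attrs}>${node.children.map(serialize).join('')}</${tag}>`;
}

// Constructed sample: a richtext value mixing wanted markup with content the sanitizer must drop.
const SAMPLE = {
  tag: 'DIV', attrs: { align: 'left', onmouseover: 'x()' },
  children: [
    { tag: 'H1', attrs: {}, children: ['Title'] },
    { tag: 'SCRIPT', attrs: {}, children: ['alert(1)'] },
    { tag: 'B', attrs: {}, children: ['bold'] },
  ],
};

function withDefaultWhitelist() {
  return serialize(sanitize(SAMPLE, HtmlSanitizer.tag_whitelist, HtmlSanitizer.attribute_whitelist));
}

// What a custom.js extension does: widen the tag whitelist, and nothing else.
function withCustomWhitelist() {
  const tags = Object.assign({}, HtmlSanitizer.tag_whitelist, { H1: true, P: true });
  return serialize(sanitize(SAMPLE, tags, HtmlSanitizer.attribute_whitelist));
}
```

With the defaults the H1 is lost along with the script; after the extension the H1 survives while the script element and the event-handler attribute are still removed.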
[1] Issue 9405: Possible XSS code execution on Text and Char fields in sao - Tryton issue tracker
[2] Sanitize RichtText fields content · tryton/sao@7cb4222 · GitHub