Can you please take a look at the RichTextArea component in platform version 7.2.7? There I noticed an old bug behavior.
The bug "HTML Sanitization breaks RichTextArea formatting on text with empty lines #2780" is still active in platform version 7.2.7.
Regards,
Mark
durygin
(Gleb Durygin)
August 31, 2020, 3:47pm
#3
Hello, @Mark.Lembeck !
Unfortunately, I could not reproduce the above problem on platform version 7.2.7. Could you share the test project where this case is reproduced?
Regards,
Gleb
Enclosed you can find a simple test project.
Regards,
Mark
Here is the project: testproject.zip (412.9 KB)
In this project I deleted the content of the deployment folder. The content was too big for the upload.
durygin
(Gleb Durygin)
September 1, 2020, 2:15pm
#8
Hello @Mark.Lembeck !
You have some HTML tags that HtmlSanitizer does not know and therefore removes them.
The original HTML (HtmlSanitizer disabled):
<pre class="CodeRay highlight"><code data-lang="xml"><span class="tag"><data></span>
<span class="tag"><instance</span> <span class="attribute-name">id</span>=<span class="string"><span class="delimiter">"</span><span class="content">customerDc</span><span class="delimiter">"</span></span> <span class="attribute-name">class</span>=<span class="string"><span class="delimiter">"</span><span class="content">com.company.sample.entity.Customer</span><span class="delimiter">"</span></span> <span class="attribute-name">view</span>=<span class="string"><span class="delimiter">"</span><span class="content">_local</span><span class="delimiter">"</span></span><span class="tag">></span>
<span class="tag"><loader</span><span class="tag">/></span>
<span class="tag"></instance></span>
<span class="tag"></data></span></code></pre>
<code><span class="tag"><data></span>
<span class="tag"><instance</span> <span class="attribute-name">id</span>=<span class="string"><span class="delimiter">"</span><span class="content">customerDc</span><span class="delimiter">"</span></span> <span class="attribute-name">class</span>=<span class="string"><span class="delimiter">"</span><span class="content">com.company.sample.entity.Customer</span><span class="delimiter">"</span></span> <span class="attribute-name">view</span>=<span class="string"><span class="delimiter">"</span><span class="content">_local</span><span class="delimiter">"</span></span><span class="tag">></span>
<span class="tag"><loader</span><span class="tag">/></span>
<span class="tag"></instance></span>
<span class="tag"></data></span></code>
The HtmlSanitizer removed the <pre/> tag and data-lang attribute of <code/> tag. We have an issue to add new tags for HtmlSanitizer - Add new html tags for HtmlSanitizer · Issue #2803 · cuba-platform/cuba · GitHub.
As a workaround, you can override the HtmlSanitizer and add the required tags to your project.
Create a CustomHtmlSanitizer class and override initDefaultPolicyFactory method:
    package com.company.testproject.web.sanitizer;

    import com.haulmont.cuba.web.sys.sanitizer.HtmlSanitizer;
    import org.owasp.html.AttributePolicy;
    import org.owasp.html.CssSchema;
    import org.owasp.html.ElementPolicy;
    import org.owasp.html.HtmlPolicyBuilder;
    import org.owasp.html.Sanitizers;

    import static com.haulmont.cuba.gui.components.HtmlAttributes.CSS.FONT;

    public class CustomHtmlSanitizer extends HtmlSanitizer {

        @Override
        protected void initDefaultPolicyFactory() {
            super.initDefaultPolicyFactory();
            // Replace the inherited policy with one that also allows <pre> and data-lang.
            policyFactory = new HtmlPolicyBuilder()
                    .allowCommonInlineFormattingElements()
                    .allowAttributes(FONT_COLOR_ATTRIBUTE_NAME).matching(FONT_COLOR_PATTERN).onElements(FONT)
                    .allowAttributes(FONT_FACE_ATTRIBUTE_NAME).matching(FONT_FACE_PATTERN).onElements(FONT)
                    .allowAttributes(FONT_SIZE_ATTRIBUTE_NAME).matching(FONT_SIZE_PATTERN).onElements(FONT)
                    .allowAttributes(CLASS_ATTRIBUTE_NAME).matching(CLASS_PATTERN).globally()
                    .allowStandardUrlProtocols().allowElements(A_ELEMENT_NAME)
                    .allowAttributes(HREF_ATTRIBUTE_NAME).onElements(A_ELEMENT_NAME).requireRelNofollowOnLinks()
                    .allowAttributes(TARGET_ATTRIBUTE_NAME).matching(true, TARGET_ATTRIBUTE_VALUES)
                    .onElements(A_ELEMENT_NAME).requireRelsOnLinks(NOOPENNER_REL_VALUE, NOREFERRER_REL_VALUE)
                    // <pre/> tag: the identity element policy keeps the element as it is
                    .allowElements(ElementPolicy.IDENTITY_ELEMENT_POLICY, "pre")
                    // data-lang attribute on <code/>: the identity attribute policy
                    // passes the attribute value through unchanged
                    .allowAttributes("data-lang").matching(AttributePolicy.IDENTITY_ATTRIBUTE_POLICY)
                    .onElements("code")
                    .allowStyling(CssSchema.withProperties(DEFAULT_WHITELIST))
                    .allowStyling(CssSchema.withProperties(getAdditionalStylePolicies()))
                    .toFactory()
                    .and(Sanitizers.FORMATTING)
                    .and(Sanitizers.BLOCKS)
                    .and(Sanitizers.IMAGES)
                    .and(Sanitizers.STYLES)
                    .and(Sanitizers.TABLES);
        }
    }
Add CustomHtmlSanitizer into web-spring.xml file:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:context="http://www.springframework.org/schema/context"
           xmlns:gui="http://schemas.haulmont.com/cuba/spring/cuba-gui.xsd">

        <!-- Annotation-based beans -->
        <context:component-scan base-package="com.company.testproject"/>

        <gui:screens base-packages="com.company.testproject.web"/>

        <bean id="cuba_HtmlSanitizer" class="com.company.testproject.web.sanitizer.CustomHtmlSanitizer"/>
    </beans>
Regards,
Gleb
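An added example, not part of the post above and not CUBA's own code: a standalone check that uses the OWASP Java HTML Sanitizer library directly to confirm that a policy keeps <pre> and data-lang on <code> while still dropping script content, here with data-lang restricted to a pattern instead of the identity policy. The class name, both patterns and the sample HTML are assumptions constructed for illustration.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

import java.util.regex.Pattern;

// Hypothetical demo class; needs the OWASP Java HTML Sanitizer on the classpath.
public class PreCodePolicyDemo {

    // Assumption: language names are short lowercase tokens such as "xml" or "c++".
    private static final Pattern LANG = Pattern.compile("[a-z0-9+#-]{1,20}");
    // Assumption: class values are space-separated CSS identifiers.
    private static final Pattern CLASS = Pattern.compile("[a-zA-Z0-9\\s_-]+");

    static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            .allowElements("pre", "code", "span")
            .allowAttributes("class").matching(CLASS).globally()
            // Only values that fully match LANG are kept on <code>.
            .allowAttributes("data-lang").matching(LANG).onElements("code")
            .toFactory();

    public static void main(String[] args) {
        // Constructed sample input, modelled on the highlighted snippet in the thread.
        String pasted =
                "<pre class=\"CodeRay highlight\"><code data-lang=\"xml\">"
              + "<span class=\"tag\">&lt;data&gt;</span></code></pre>"
              + "<script>document.title = 'changed'</script>"
              + "<code data-lang=\"Not A Language!\">text</code>";

        String clean = POLICY.sanitize(pasted);
        System.out.println(clean);

        // The formatting markup survives ...
        check(clean.contains("<pre class=\"CodeRay highlight\">"), "pre kept");
        check(clean.contains("data-lang=\"xml\""), "valid data-lang kept");
        // ... while script content and out-of-pattern attribute values are dropped.
        check(!clean.contains("<script"), "script removed");
        check(!clean.contains("Not A Language"), "out-of-pattern data-lang removed");
    }

    private static void check(boolean ok, String what) {
        if (!ok) throw new IllegalStateException("policy check failed: " + what);
    }
}
```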
Ok, understood.
In the past it was possible to paste any html content into the richTextArea component. After pasting the content to the component it was also possible to change the format of the content. Now it is only possible if I disable the HtmlSanitizer or if I implement a CustomHtmlSanitizer. Correct?
Regards,
Mark
durygin
(Gleb Durygin)
September 2, 2020, 8:29am
#10
Hello, @Mark.Lembeck !
If you disable HtmlSanitizer using RichTextArea#htmlSanitizerEnabled(false) method, then there is no need to implement CustomHtmlSanitizer class, since the value in the component will not be sanitized and will be presented unchanged. Also, you can achieve the same result by setting the htmlSanitizerEnabled attribute to false in the XML descriptor.
If you want to save the sanitization mechanism for the component, then you need to implement the CustomHtmlSanitizer class.
Regards,
Gleb
Ok, thank you for this explanation and your support.
Regards,
Mark