MDL-31577

HTMLPurifier strips display:block from images centered by TinyMCE

    Details

    • Workaround:
      See patch attached.
    • Affected Branches:
      MOODLE_21_STABLE
    • Rank:
      38134

      Description

      This 'bug' affects glossary, but doesn't affect (web)pages or labels.

      An image inserted and centred by TinyMCE, POSTed to server:

      <p><img style="display: block; margin: auto;"
      src="http://dl.spbstu.ru/draftfile.php/13/user/draft/144307466/%D0%BE%D1%81%D0%B8.jpg"
      alt="" width="449" height="321" /></p>
      

      That image showed:

      <p><img style="margin: auto;"
      src="http://dl.spbstu.ru/draftfile.php/13/user/draft/144307466/%D0%BE%D1%81%D0%B8.jpg"
      alt="" width="449" height="321" /></p>
      

          Activity

          Michael de Raadt added a comment -

          Thanks for reporting that.

          I think this might affect more than glossary entries if it is happening in the HTML Purifier code.

          I looked up the definition of the option CSS.AllowTricky...

          http://htmlpurifier.org/live/configdoc/plain.html#CSS.AllowTricky

          ...which is described as...

          This parameter determines whether or not to allow "tricky" CSS properties and values. Tricky CSS properties/values can drastically modify page layout or be used for deceptive practices but do not directly constitute a security risk. For example, display:none; is considered a tricky property that will only be allowed if this directive is set to true.

          I'm no expert on how the purifier works, but I think the impact of that change would need to be considered seriously.
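
Added example (not part of the issue, the attached patch or Moodle's code): a PHP script that runs the reported image markup and a constructed display:none paragraph through HTML Purifier with CSS.AllowTricky off and on, so the full effect of the directive can be compared before it is enabled. The Composer autoload path, the example.invalid URL and the helper name purify_with are assumptions.

```php
<?php
// Added example, not Moodle's code. Assumes HTML Purifier is installed via
// Composer (ezyang/htmlpurifier); adjust the autoload path for your layout.
require_once __DIR__ . '/vendor/autoload.php';

// Hypothetical helper: purify $html with CSS.AllowTricky switched on or off.
function purify_with(bool $allowTricky, string $html): string
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('Cache.DefinitionImpl', null); // no on-disk definition cache
    $config->set('CSS.AllowTricky', $allowTricky);
    return (new HTMLPurifier($config))->purify($html);
}

// Constructed samples: the centred image from the report (placeholder src)
// and a paragraph hidden with display:none, the case named in the
// directive's documentation.
$samples = [
    'centred image' => '<p><img style="display: block; margin: auto;" '
        . 'src="http://example.invalid/a.jpg" alt="" width="449" height="321" /></p>',
    'hidden text' => '<p style="display: none;">text the reader never sees</p>',
];

// Print each sample under both settings for a side-by-side comparison.
foreach ($samples as $label => $html) {
    foreach ([false, true] as $allowTricky) {
        printf(
            "%s | CSS.AllowTricky=%s\n  %s\n",
            $label,
            var_export($allowTricky, true),
            purify_with($allowTricky, $html)
        );
    }
}
```

The directive is global to the purifier configuration, so any review of the change should look at the second sample as well as the first.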

          Michael de Raadt added a comment -

          Thanks for reporting this issue.

          We have detected that this issue has been inactive for over a year. It was reported as affecting versions that are no longer supported.

          If you believe that this issue is still relevant to current versions (2.5 and beyond), please comment on the issue. Issues left inactive for a further month will be closed.

          Michael d.

          TW9vZGxlDQo=

          Michael de Raadt added a comment -

          I'm closing this issue as it has been inactive for over a year and has been recorded as affecting versions that are no longer supported.

          This is being done as part of a bulk annual clean-up of issues.

          If you still believe this is an issue in supported versions, please create a new issue.

