Is there another way to fix Yesod's nicHtmlField?

Developer https://www.devze.com 2023-03-25 05:00 Source: web
I've been rewriting my (fairly simple) website using Yesod as a way to get familiar with the framework. Part of that involves serving some simple static (but formatted) content. To do that I decided to use the nicHtml field that is described in the Yesod book:

http://www.yesodweb.com/book/forms

It allows simple formatting and, as the book says, "thanks to the xss-sanitize package, all user input is validated and ensured to not have XSS attacks."

However, all is not well. Some formatting seems to work when you enter it into the field, but gets wiped out somewhere between entry and submission. In particular, the form uses css embedded in 'style' attributes to do things like center text, and it is these css based formatting elements that seem to get wiped out.

I used print statements to check that it wasn't my code which was somehow messing it up. Since it doesn't seem to be, I assume that xss-sanitize doesn't like any embedded css and removes it. Modifying Yesod.Form.Nic to remove the call to sanitizeBalance appears to fix the problem, so that would seem to be the cause.

Now, I can just leave it like that, since editing these static pages requires being a trusted user anyway (i.e. me at the moment), so I don't care too much about validating out nastiness. But it feels like what it is, a hack, so my question is - is there any other way around this? Or is there another package I don't know about that provides a non-broken HTML editor field for Yesod?


Will you file a bug on the Yesod issue tracker for this? I think we are going to have to allow basic css through the editor no matter which editor we use. In your case of a trusted user, right now you could find the NicEdit field type and create a similar type that won't get filtered at all. Perhaps we should create such a field.


We're actually looking at other possible rich text editors right now for use in the Yesod website, so most likely whatever we use there will end up with a module in yesod-form. Most recently Greg pointed out Aloha editor which on first glance looks pretty cool.
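To make the suggestion above concrete (a field like the NicEdit one that is not filtered, kept separate from the sanitizing one), here is an added example; it is not code from the question, the answers, or yesod-form itself. It assumes yesod-form 1.4 or later for `convertField`, plus blaze-html and xss-sanitize, and builds both fields on the plain textarea field, so the NicEdit JavaScript view is not part of it.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added example, not code from the original post or from yesod-form.
-- Assumes yesod-form >= 1.4 (convertField), blaze-html and xss-sanitize.
module HtmlFields (sanitizedHtmlField, trustedHtmlField, parseSanitized) where

import qualified Data.Text as T
import qualified Data.Text.Lazy as TL
import Text.Blaze.Html (Html, preEscapedToHtml)
import Text.Blaze.Html.Renderer.Text (renderHtml)
import Text.HTML.SanitizeXSS (sanitizeBalance)
import Yesod.Core (MonadHandler (..), RenderMessage)
import Yesod.Form.Fields (Textarea (..), textareaField)
import Yesod.Form.Functions (convertField)
import Yesod.Form.Types (Field, FormMessage)

-- The parse step Yesod.Form.Nic performs: sanitizeBalance strips anything
-- xss-sanitize does not whitelist (this is where the style attributes from
-- the question disappear) and balances tags; preEscapedToHtml then marks
-- the result as already-safe markup so it is not escaped again on render.
parseSanitized :: T.Text -> Html
parseSanitized = preEscapedToHtml . sanitizeBalance

-- No sanitization at all: correct only for authors who are already trusted
-- with raw HTML (the question's "trusted user" case). Anything a less
-- trusted user can reach must keep going through parseSanitized.
parseTrusted :: T.Text -> Html
parseTrusted = preEscapedToHtml

-- Both fields reuse the plain textarea field for their view, so no NicEdit
-- JavaScript is involved; the parse function is the only difference.
htmlFieldWith :: (MonadHandler m, RenderMessage (HandlerSite m) FormMessage)
              => (T.Text -> Html) -> Field m Html
htmlFieldWith parse =
    convertField (parse . unTextarea)                  -- Textarea -> Html on submit
                 (Textarea . TL.toStrict . renderHtml) -- Html -> Textarea for redisplay
                 textareaField

-- Default field for any HTML input: XSS-filtered, style attributes dropped.
sanitizedHtmlField :: (MonadHandler m, RenderMessage (HandlerSite m) FormMessage)
                   => Field m Html
sanitizedHtmlField = htmlFieldWith parseSanitized

-- Unfiltered field, for the site owner's own static pages only.
trustedHtmlField :: (MonadHandler m, RenderMessage (HandlerSite m) FormMessage)
                 => Field m Html
trustedHtmlField = htmlFieldWith parseTrusted
```

Use `trustedHtmlField` only in a handler that your site's `isAuthorized` restricts to the trusted editor; every form reachable by other users keeps `sanitizedHtmlField`.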
