Flash content not showing

fox
^ me reading your posts ^
Posts: 6318
Joined: 27 Aug 2005, 22:53
Location: Saint-Petersburg, Russia

Postby fox » 18 Mar 2013, 20:33

Yeah this looks like it should be a per-feed option. So is there a working htmlawed invocation that unblocks things? I tried to screw around but couldn't make <video> show up.

Also, htmlawed seems half-dead. The author on the forum has been promising a new version with html5 support in June but alas.

Anyway, I can cook up the necessary plumbing to make it a per-feed option, but I'll need a htmlawed code. If we need to patch htmlawed that's ok too, I suppose, because of the above situation with new releases.

Cwiiis
Bear Rating Trainee
Posts: 14
Joined: 15 Mar 2013, 14:37

Postby Cwiiis » 18 Mar 2013, 20:58

This seems like a prime candidate for a plugin to me, if it were made possible (or is already possible) - a plugin that enables iframes/embeds/objects/other 'unsafe' tags on a configurable whitelist of domains/all domains.

Postby fox » 18 Mar 2013, 21:39

Well there could be an ON_SANITIZE hook which would allow the plugin to do its stuff. I suppose both approaches are valid, yours is actually less work for me.

Postby fox » 18 Mar 2013, 22:27

https://github.com/gothfox/Tiny-Tiny-RS ... 54541eee77 (edit: this is reverted for the time being)

Edit: I looked through htmLawed code and whoever wrote that should not be allowed anywhere near the keyboard. What the fuck. I feel bad for using that in tt-rss.

Postby fox » 19 Mar 2013, 00:13

I dug in allowHtml (http://allowhtml.com/) and it's also bad (although it doesn't look like it has been written by a developmentally disabled baboon, which gives it bonus points over htmLawed, oh god what is this shit), as in not behaving like it should and having zero documentation.

Unfortunately I can't disable sanitizing completely, even for "I'm sure it's safe!" potential feeds, because wrong HTML markup can screw tt-rss layout, which would be bad. I'm not going to try to patch html5 video in htmLawed because the source makes me want to claw my eyes out, so that's out too.

I'm not sold on the plugin sanitization either, because of potential layout breaking issues. Ideas?

Postby Cwiiis » 19 Mar 2013, 01:56

Could you host unsafe mark-up in a new document with an iframe and use the sandbox attribute? https://developer.mozilla.org/en-US/doc ... ent/iframe - seems like omitting allow-same-origin and allow-top-navigation might do what you need?

j0nson
Bear Rating Trainee
Posts: 21
Joined: 16 Mar 2013, 04:41

Postby j0nson » 19 Mar 2013, 05:20

lotrfan's edit worked for me, I removed iframe from line 22 in lib/htmLawed.php

Other than having to change some css to get the iframe size correct, I haven't seen any bad side effects.

I think having this set per feed in the feed settings would be best, so it can also be a parameter in the API.

Postby fox » 19 Mar 2013, 10:48

I like how I can't assign iframe sandbox attribute because htmLawed with its unreadable hardcoded list of shit just strips it afterwards.

At this point I'm seriously thinking of hacking up something using domdocument instead of this terrible shit of a library and calling it a day.

Postby fox » 19 Mar 2013, 11:15


Postby Cwiiis » 19 Mar 2013, 13:16

fox wrote:
https://github.com/gothfox/Tiny-Tiny-RSS/commit/254a3f56a901d94a99a1a425ceecf62e8fd06051
https://github.com/gothfox/Tiny-Tiny-RS ... 2eb833bf71

Comments?


Looks simple, which is good - Probably worth adding b, i, u, em and pre elements? Maybe font too? I realise some of these are basically deprecated, but that never stopped anyone in the past :)

phz
Bear Rating Disaster
Posts: 77
Joined: 18 Mar 2013, 18:32

Postby phz » 19 Mar 2013, 14:11

The tag whitelist will probably get a lot of requests for additions.

In addition to the ones mentioned in the post above, repeated here:
  • b
  • i
  • u
  • em
  • pre
these would not be unreasonable to add:
  • address
  • big
  • cite
  • code
  • dd
  • del
  • dl
  • dt
  • h1–h6
  • ins
  • kbd
  • q
  • s
  • small
  • strike
  • strong
  • sub
  • sup
  • tbody
  • tfoot
  • thead
  • tt
  • var
…and then we have HTML5 specifics. Not a full list by any means, but these could possibly occur:
  • details
  • footer
  • header
  • nav
  • summary
  • track
  • wbr
Code snippet defining all these tags and the original ones in the allowed elements array:

    $allowed_elements = array(
      'a',
      'address',
      'audio',
      'b',
      'big',
      'blockquote',
      'body',
      'br',
      'cite',
      'code',
      'dd',
      'del',
      'details',
      'div',
      'dl',
      'dt',
      'em',
      'footer',
      'h1',
      'h2',
      'h3',
      'h4',
      'h5',
      'h6',
      'header',
      'html',
      'i',
      'iframe',
      'img',
      'ins',
      'kbd',
      'li',
      'nav',
      'ol',
      'p',
      'pre',
      'q',
      's',
      'small',
      'source',
      'span',
      'strike',
      'strong',
      'sub',
      'summary',
      'sup',
      'table',
      'tbody',
      'td',
      'tfoot',
      'th',
      'thead',
      'tr',
      'track',
      'tt',
      'u',
      'ul',
      'var',
      'wbr',
      'video'
    );

dxbi
Bear Rating Disaster
Posts: 62
Joined: 16 Mar 2013, 13:44

Postby dxbi » 19 Mar 2013, 14:21



Why would you want to strip the style-Attribute? I just stumbled across a feed with an image styled like this

<img src="..." style="float: left;">

and at least the current implementation allows that (and should imho).

Postby Cwiiis » 19 Mar 2013, 14:27

dxbi wrote:


Why would you want to strip the style-Attribute? I just stumbled across a feed with an image styled like this

<img src="..." style="float: left;">

and at least the current implementation allows that (and should imho).


Seems obvious to me. What happens when someone does

<img src="..." style="position:fixed; width:100%; height:100%; z-index:1000"/>
?

Postby fox » 19 Mar 2013, 14:27

Yep. This could lead to easy layout breaking. I'll add the noted tags, thanks for posting the list.

Edit: I like how I have no idea what the hell most of these tags do.

Postby dxbi » 19 Mar 2013, 15:08

Seems obvious to me. What happens when someone does

<img src="..." style="position:fixed; width:100%; height:100%; z-index:1000"/>
?


You're right, of course. The position attribute seems the only "harmful" to me in that regard from quickly skimming through the list of possible styles. In the interest of not neutering the feeds should we remove the style tag only when a position-attribute is present? I've found some PHP classes that claim to be parsers for CSS but that might be overkill. Maybe a simpler solution would be sufficient (see below)?
I realize that this might seem esoteric to you but I found quite a few of my feeds that would look terrible if all the style attributes were stripped.

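// Attributes to drop. An empty value means "always remove"; a non-empty value
// means "remove only when the attribute value contains this substring".
$disallowed_attributes = array('id'=>'', 'style'=>'position', 'class'=>'');

// $entry is a DOMElement taken from the parsed feed content.
if ($entry->hasAttributes()) {
   foreach (iterator_to_array($entry->attributes) as $attr) {

      // Inline event handlers (onclick, onload, ...) are always removed.
      if (strpos($attr->nodeName, 'on') === 0) {
         $entry->removeAttributeNode($attr);
      }

      if (array_key_exists($attr->nodeName, $disallowed_attributes)) {
         if (!$disallowed_attributes[$attr->nodeName] ||
            stristr($attr->nodeValue, $disallowed_attributes[$attr->nodeName])) {
               $entry->removeAttributeNode($attr);
         }
      }
   }
}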
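
An attribute pass built on a CSS property allowlist rather than the position substring match, written as an added example that is not from the thread or the tt-rss code base: float: left survives, while position, z-index and anything else unlisted is dropped. The function names, the shortened tag list, the CSS allowlist and the http(s)-only rule for href/src are assumptions made for illustration.

```php
<?php
// Added example, not tt-rss code; function names and both allowlists are assumptions.
const ALLOWED_TAGS = ['a', 'b', 'blockquote', 'br', 'div', 'em', 'i', 'img', 'li', 'ol', 'p', 'pre', 'span', 'ul'];
const ALLOWED_CSS  = ['float', 'text-align', 'font-weight', 'font-style'];

// Keep only declarations whose property is allowlisted and whose value is a plain token.
function filter_style(string $style): string {
    $kept = [];
    foreach (explode(';', $style) as $decl) {
        $parts = explode(':', $decl, 2);
        if (count($parts) !== 2) continue;
        $prop  = strtolower(trim($parts[0]));
        $value = trim($parts[1]);
        if (in_array($prop, ALLOWED_CSS, true) && preg_match('/^[a-z0-9 %.#-]+$/i', $value)) {
            $kept[] = "$prop: $value";
        }
    }
    return implode('; ', $kept);
}

function sanitize_fragment(string $html): string {
    $doc = new DOMDocument();
    @$doc->loadHTML('<?xml encoding="UTF-8">' . $html);   // tolerate broken feed markup
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) return '';
    $xpath = new DOMXPath($doc);
    foreach (iterator_to_array($xpath->query('.//*', $body)) as $el) {
        if (!in_array($el->nodeName, ALLOWED_TAGS, true)) {
            $el->parentNode->removeChild($el);   // drop the element and its subtree
            continue;
        }
        foreach (iterator_to_array($el->attributes) as $attr) {
            $name = strtolower($attr->nodeName);
            if ($name === 'style') {
                $clean = filter_style($attr->nodeValue);
                if ($clean === '') $el->removeAttributeNode($attr);
                else $el->setAttribute('style', $clean);
            } elseif (strpos($name, 'on') === 0 || in_array($name, ['id', 'class'], true)
                || (in_array($name, ['href', 'src'], true) && !preg_match('#^https?://#i', trim($attr->nodeValue)))) {
                $el->removeAttributeNode($attr);   // event handlers, layout hooks, non-http(s) URLs
            }
        }
    }
    $out = '';
    foreach ($body->childNodes as $child) $out .= $doc->saveHTML($child);
    return $out;
}

// Constructed sample: the float case and the full-page overlay case from the thread.
echo sanitize_fragment('<img src="http://example.com/a.png" style="float: left; position: fixed; z-index: 1000" onload="x()">');
```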

