Automattic/republication-tracker-tool

unescaped javascript as HTML in $content prevents textarea from rendering $content in modal

Opened this issue · 5 comments

benlk commented

@joshdarby reports that giving that textarea a name also allows that HTML to display.

Also the HTML of the shareable content on this article contains JS:

<script type="text/javascript">
    var divElement = document.getElementById('viz1566595034394');
    var vizElement = divElement.getElementsByTagName('object')[0];
    if ( divElement.offsetWidth > 800 ) { vizElement.style.width='100%';vizElement.style.height=(divElement.offsetWidth*0.75)+'px';} else if ( divElement.offsetWidth > 500 ) { vizElement.style.width='100%';vizElement.style.height=(divElement.offsetWidth*0.75)+'px';} else { vizElement.style.width='100%';vizElement.style.height='727px';}
    var scriptElement = document.createElement('script');
    scriptElement.src = 'https://public.tableau.com/javascripts/api/viz_v1.js';
    vizElement.parentNode.insertBefore(scriptElement, vizElement);
</script>
benlk commented

This does not work:

/**
 * Remove script elements from the shareable content
 *
 * @param  Array $allowed_tags_excerpt The array of tags to allow in the shareable content
 * @param  mixed $post                 The post whose shareable content is being built
 * @return Array $allowed_tags_excerpt The array of tags to allow in the shareable content
 */
function remove_elements_from_shareable_content( $allowed_tags_excerpt, $post ) {
    // Drop 'script' from the allowed-tags list; the tag filter then strips the
    // <script> tags themselves, but not the text between them.
    unset( $allowed_tags_excerpt['script'] );

    return $allowed_tags_excerpt;
}
add_filter( 'republication_tracker_tool_allowed_tags_excerpt', 'remove_elements_from_shareable_content', 10, 2 );

It removes the <script> and </script> tags, but not the content within them.

So next options are:

  • escape the HTML before outputting it inside the textarea. (try this first)
  • DOMDocument to remove script tags
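Both options above, worked through as an added example that is not the plugin's code: a hypothetical remove_script_elements() drops <script> elements together with their contents via DOMDocument (which a tag allow-list cannot do), and a hypothetical textarea_value() escapes the result the way WordPress's esc_textarea() does, using plain htmlspecialchars() so it runs outside WordPress. The sample markup is constructed to resemble the embed quoted in the issue.

```php
<?php
// Constructed sample: a tableau-style embed followed by a script block and article text.
$sample = '<div class="tableauPlaceholder" id="viz1566595034394"><object class="tableauViz"></object></div>'
    . '<script type="text/javascript">var divElement = document.getElementById("viz1566595034394");</script>'
    . '<p>Article text.</p>';

/**
 * Remove every <script> element, including its text content, from an HTML fragment.
 * Hypothetical helper written for this example.
 */
function remove_script_elements( string $html ): string {
    $dom = new DOMDocument();
    libxml_use_internal_errors( true ); // post fragments are rarely well-formed; swallow parser warnings
    // The XML prolog tells libxml the fragment is UTF-8; NODEFDTD keeps the doctype out of the output.
    $dom->loadHTML( '<?xml encoding="UTF-8">' . $html, LIBXML_HTML_NODEFDTD );
    libxml_clear_errors();

    // Copy the list first: DOMNodeList is live and shrinks while nodes are being removed.
    $scripts = iterator_to_array( $dom->getElementsByTagName( 'script' ) );
    foreach ( $scripts as $script ) {
        // removeChild() takes the element and the JavaScript inside it, unlike a
        // tag allow-list filter, which strips the tags and leaves the code as text.
        $script->parentNode->removeChild( $script );
    }

    // Serialise only the body's children so the implied <html>/<body> wrappers do not leak out.
    $out  = '';
    $body = $dom->getElementsByTagName( 'body' )->item( 0 );
    foreach ( $body->childNodes as $node ) {
        $out .= $dom->saveHTML( $node );
    }
    return $out;
}

/**
 * Escape HTML for use as the content of a <textarea>; the plain-PHP equivalent of
 * WordPress's esc_textarea(). "<" becomes "&lt;", so the browser shows the markup as
 * text instead of parsing it, and a stray "</textarea>" cannot close the element early.
 */
function textarea_value( string $html ): string {
    return htmlspecialchars( $html, ENT_QUOTES, 'UTF-8' );
}

$cleaned = remove_script_elements( $sample );
echo '<textarea name="shareable-content">' . textarea_value( $cleaned ) . '</textarea>';
```

Escaping alone (option one) is enough to make the textarea render; removing the scripts as well keeps the JavaScript out of the copy that republishers paste.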
benlk commented

Trivia note: This is "the tableau issue"