KnowageLabs/Knowage-Server

HTML Tags prevent saving a document

PeterHeldmannOdisys opened this issue · 2 comments

Describe the bug
For Versions after Version 7.4.21:
When using HTML or Custom Chart Widgets, many HTML Tags are now forbidden and prevent saving the document in edit mode. Previously created Documents are still loading and working as expected, but trying to edit is not possible. This prevents us from updating to newer Versions.
After analysing Version 8.0.18, the following Tags (that we use) are removed/forbidden:

  • <legend> tags are forbidden
  • <kn-import> and "src" attribute on <kn-import> is forbidden
  • "name" and "checked" attribute on <input> tag is forbidden
  • in "style" attribute: "cursor:pointer" and "flex: 1" are forbidden (can be bypassed when using "General Settings" > "CSS Editor")
  • "name" attribute on <label> is forbidden
  • empty (no attributes) <a> tag is forbidden
  • "href" attribute on <a> or <div> is forbidden (href-link is in resources/whitelist)
  • "target" and "rel" attributes (for <a> or <div> as examples) are forbidden

To Reproduce
Steps to reproduce the behavior:

  1. Create HTML or Custom Chart Widget (in edit mode)
  2. Use any of the provided (forbidden) tags
  3. Try to save the document

Expected behavior
The document should save and not show any errors.

Screenshots
(screenshot_49: image not reproduced)

Desktop (please complete the following information):

  • OS: Knowage Server 8.0.18 on Linux
  • Browser: chrome
  • Version 8.0.18

Additional context
Relevant Question on Knowage Q&A:
https://www.knowage-suite.com/qa/6912/html-tags-not-working
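The report above is about an allowlist-based HTML sanitizer rejecting tags and attributes a dashboard widget legitimately uses. The block below is an added example, not Knowage's code and not the sanitizer the project ships: it shows the shape of such a policy (allowed tags, per-tag attribute allowlists, URL scheme checks, a CSS property allowlist, and rel=noopener enforcement on target=_blank) in Python's standard-library HTMLParser, so that the tags from the report (<legend>, name/checked on <input>, name on <label>, href/target/rel on <a>, cursor and flex in style, <kn-import src>) pass while event handlers, javascript: URLs and <script> content are still stripped. Every tag, attribute and CSS property in the policy is an assumption chosen for the demonstration, and the sample markup is constructed.

```python
import re
from html import escape
from html.parser import HTMLParser

# Policy values are assumptions for this example, not Knowage's real allowlist.
ALLOWED_TAGS = {"div", "span", "p", "a", "label", "legend", "fieldset",
                "input", "kn-import", "br", "b", "i", "ul", "li"}
VOID_TAGS = {"input", "br"}              # never emit a closing tag for these
GLOBAL_ATTRS = {"class", "id", "style", "title"}
TAG_ATTRS = {                            # per-tag additions to GLOBAL_ATTRS
    "a": {"href", "target", "rel", "name"},
    "input": {"type", "name", "value", "checked", "disabled"},
    "label": {"for", "name"},
    "kn-import": {"src"},                # hypothetical custom element from the report
}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" means a relative URL
ALLOWED_STYLE_PROPS = {"cursor", "flex", "color", "display", "margin", "padding", "width"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "svg"}

_SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*):", re.IGNORECASE)


def safe_url(value: str):
    """Return the URL if its scheme is allowlisted, else None.
    Tabs/newlines are removed first because browsers ignore them inside a
    scheme, so 'java\\nscript:' would otherwise slip past a naive prefix check."""
    cleaned = "".join(ch for ch in value if ch not in "\t\n\r").strip()
    m = _SCHEME.match(cleaned)
    scheme = m.group(1).lower() if m else ""
    return cleaned if scheme in SAFE_SCHEMES else None


def safe_style(value: str):
    """Keep only allowlisted CSS properties. Any value containing '(' or '\\'
    is dropped, which removes url()/expression() (and, deliberately, calc())."""
    kept = []
    for decl in value.split(";"):
        if ":" not in decl:
            continue
        prop, val = decl.split(":", 1)
        prop, val = prop.strip().lower(), val.strip()
        if prop in ALLOWED_STYLE_PROPS and "(" not in val and "\\" not in val:
            kept.append(f"{prop}: {val}")
    return "; ".join(kept) or None


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0   # nesting depth inside a tag whose content is dropped

    def _clean_attrs(self, tag, attrs):
        allowed = GLOBAL_ATTRS | TAG_ATTRS.get(tag, set())
        kept = {}
        for name, value in attrs:
            name = name.lower()
            if name not in allowed:          # on* handlers never reach here
                continue
            value = "" if value is None else value
            if name in URL_ATTRS:
                value = safe_url(value)
            elif name == "style":
                value = safe_style(value)
            if value is None:
                continue
            kept[name] = value
        # target=_blank without noopener lets the opened page reach window.opener
        if kept.get("target") == "_blank":
            rel = set(kept.get("rel", "").split())
            rel.update({"noopener", "noreferrer"})
            kept["rel"] = " ".join(sorted(rel))
        return kept

    def handle_starttag(self, tag, attrs):
        if self._skip:
            if tag in DROP_WITH_CONTENT:
                self._skip += 1
            return
        if tag in DROP_WITH_CONTENT:
            self._skip = 1
            return
        if tag not in ALLOWED_TAGS:
            return                           # unknown tag removed, its text kept
        rendered = "".join(f' {k}="{escape(v, quote=True)}"'
                           for k, v in self._clean_attrs(tag, attrs).items())
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        if self._skip:
            if tag in DROP_WITH_CONTENT:
                self._skip -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))


def sanitize(markup: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


# Constructed sample reproducing the tags from the report plus a few hostile ones.
SAMPLE = (
    '<fieldset><legend>Filters</legend>'
    '<label name="lbl" for="opt">Option</label>'
    '<input type="checkbox" name="opt" checked onclick="alert(1)">'
    '<a href="/report?id=1" target="_blank" style="cursor:pointer; flex: 1">open</a>'
    '<a href="javascript:alert(1)">bad</a>'
    '<script>alert(1)</script>'
    '<kn-import src="https://example.invalid/widget.html"></kn-import>'
    '</fieldset>'
)

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

The point a maintainer has to weigh is visible in the output: the widget's own markup survives untouched, while the `onclick`, the `javascript:` href and the `<script>` block are gone, and the `target="_blank"` link gains `rel="noopener noreferrer"`. Extending the allowlist with the tags from the report is a policy change, not a structural one, as long as URL-carrying attributes still go through a scheme check.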

@Redjaw
Dear Redjaw,
you already answered my question on the Knowage Q&A.
Thanks again for the fix!
However, there are multiple other issues regarding the HTML-Tags, which prevent us from updating to newer Versions (as stated above).
Could you please look into those as well?
Thank you!

@PeterHeldmannOdisys
Thank you very much for the feedback.
We updated all the branches where we are using the sanitizer with the tags you provided; those have been analyzed, and none of them was dangerous in any way.
cc65a5a613024d17239754eea90ee5495bc3f20e

Thank you and regards!