SanitizeBlogs 2 (Movable Type plugin)

SanitizeBlogs 2 is a variant of the mt-plugin-SanitizeBlogs by Six Apart. While the Six Apart version sanitizes blogs based upon a blog URL prefix (useful for blogs published under the Community Platform), the present variant is more useful for a blog farm where you want all blogs to be sanitized with the ability to refine or prevent the sanitization for selected blogs.

Overview

Specify HTML tags and attributes allowed in entry/page fields based upon system or blog settings.

It functions in a similar manner to, but is distinct from, the GlobalSanitizeSpec configuration directive.

A typical use case of this plugin is to clean up the tag soup introduced by authors copying text from Microsoft Word and pasting it into the rich text editor. Recent versions of MS Word typically introduce invalid HTML that can break a site layout and its CSS styles. Also, and contrary to the MT sanitization default behavior, SanitizeBlogs 2 can allow the use of white-listed javascript events (such as the 'onclick' event generated by the Asset Manager for full-size image popups). You should only use this feature on blogs whose authors you trust.

Requirements

  • MT 4.x
  • MT 5.x

Features

  • define the list of HTML tags allowed in the following fields:
    • Title
    • Body
    • Extended
    • Excerpt
    • Keywords
  • specify the list at both system- and blog-level
  • capability to exclude a blog from the sanitization
  • possibility to white-list javascript events (at a blog level only)

Documentation

Allowed Tags and Attributes

List of allowed HTML tags and tag attributes. Allowed Tags should be comma-separated. Allowed tag attributes should be space-separated and listed after the tag which they can be used with.

Restrictive sample value (allows href and class attributes on the a tag):

a href class,b,cite,code class,em,i,img,li,ol,pre,strike,strong,ul

Relaxed sample value that works well for regular blogs to clean up the MS Word tag soup:

a href target title,b,i,br/,p,strong,em,ul,ol,li,blockquote,pre,img *,div style,object *,param *,embed *

The list can be defined at both system- and blog-level. The system list is applied by default to all blogs in the system, except for blogs that have their own list or that are specifically excluded from the sanitization. If the system list is empty, then only blogs that have a list defined at their level will be sanitized.

Allowed javascript events (blog-level only)

List of allowed javascript event attributes (i.e. 'onevent') for this blog, comma-separated (e.g. onclick,onsubmit,onfocus). Warning: you should understand the security implications of javascript events before allowing them! This works only on the Body, Extended and Excerpt fields.
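As an added illustration, not the plugin's own code (which is Perl and builds on MT::Sanitize): a Python parser for the allowed-tags format described above and a small sanitizer that applies it together with the blog-level javascript event white-list. A tag not in the list (for example span) is dropped while its text is kept; 'img *' allows any attribute on img but never an on* handler unless it is white-listed. Function and class names are assumptions, as are the sample inputs.

```python
import html
from html.parser import HTMLParser

def parse_allowed_spec(spec):
    """Tags are comma-separated; each tag's allowed attributes follow it,
    space-separated. '*' allows any attribute ('img *'). A trailing '/'
    as in 'br/' is ignored so the tag matches both <br> and <br/>."""
    allowed = {}
    for item in spec.split(","):
        parts = item.split()
        if parts:
            attrs = parts[1:]
            allowed[parts[0].lower().rstrip("/")] = "*" if "*" in attrs else {a.lower() for a in attrs}
    return allowed

class SpecSanitizer(HTMLParser):
    """Rebuild the markup keeping only allowed tags and attributes; text
    inside a dropped tag survives. Event attributes (on*) are removed
    unless explicitly white-listed, even on tags configured with '*'."""
    def __init__(self, allowed, allowed_events=()):
        super().__init__(convert_charrefs=False)
        self.allowed, self.events, self.out = allowed, {e.lower() for e in allowed_events}, []
    def _attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):
                if name not in self.events: continue
            elif self.allowed[tag] != "*" and name not in self.allowed[tag]:
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        return "".join(kept)
    def handle_starttag(self, tag, attrs):
        if tag in self.allowed:
            self.out.append(f"<{tag}{self._attrs(tag, attrs)}>")
    def handle_startendtag(self, tag, attrs):
        if tag in self.allowed:
            self.out.append(f"<{tag}{self._attrs(tag, attrs)} />")
    def handle_endtag(self, tag):
        if tag in self.allowed:
            self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")

def sanitize(markup, spec, allowed_events=()):
    # Apply the allowed-tag spec and optional event white-list to markup.
    s = SpecSanitizer(parse_allowed_spec(spec), allowed_events)
    s.feed(markup); s.close()
    return "".join(s.out)
```

Like the plugin's own lists, this checks attribute names only, not values (a white-listed attribute still carries whatever value the author typed).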

Installation

  1. Download SanitizeBlogs2.
  2. Uncompress it and move the SanitizeBlogs2 directory to the MT plugins directory (see the more in-depth plugin installation instructions for details).
  3. In the plugin preferences at the system-level, enter a list of allowed tags to apply by default to all blogs. Optionally, refine this list or exclude specific blogs at the blog-level.

Notes

Installing both variants, the Six Apart SanitizeBlogs and the Ubiquitic SanitizeBlogs2 plugins, on the same MT installation has not been tested. Their plugin keys are different, so their respective preferences will not clash; however, they will act concurrently, in an unpredictable order, on blogs sanitized by SanitizeBlogs if you define a blog-level list in SanitizeBlogs2. You may want to leave the SanitizeBlogs2 system-level list empty and define a list on selected blogs only.

This plugin speaks French. ;-)

Version history

  • 1.2.2 (Current): Properly sanitize pages in addition to entries.
  • 1.2.1: Introduces the white-listing of javascript events.

Credits

Authors: Ubiquitic, based on code by Six Apart Ltd.
Copyright: 2010 Ubiquitic, 2009 Six Apart Ltd.
License: Artistic License 2.0

This free software is provided as-is WITHOUT ANY KIND OF GUARANTEE; you can redistribute it and/or modify it under the same terms as Perl itself.

5 Comments

Hi. I have tried every possible combination I can think of to allow onclick = window.open to function while using Sanitize2. But, to no avail. The a tag with asterisk doesn't do it either.

Could you please advise how I can use Sanitize2, a great plugin, and allow my Assetlyene plugin's onclick reference in my Image Insertion for Entries to be retained.

Many thanks.

-David

This plugin makes use of MT::Sanitize, which forcibly removes all javascript events no matter what is configured. However the use case of journalists or trusted bloggers who do copy/paste from MS Word but need to use popups for inserted images is indeed a good one.

I've updated the plugin to allow a white-list of javascript events at blog-level only (it is way too risky IMHO to allow such thing at a global level).

Francois, does that mean it will work then for onclick actions now? What sort of exceptions are allowed?

Thanks,

Frankie

@Frankie: all those you specify yourself in the "Authorized Javascript events" field at the blog level.

Hi Francois,

I installed Sanitize2 at system level, and just to make certain when an early test was letting the tag come through from MS Word, I also configured at website and blog level. I included all the tags following because I wanted to be all-inclusive (except for "span"):

a href class target title,b,blockquote,br/,cite,code class,div,em,i,img *,li,ol,p,pre,strike,strong,ul

But for some reason, "span" is still making it through.

Am I doing something obvious? Config'd in too many places?
