
commit b7a7e4e7ce70ce25b80576c7a23e01d0f109879a
parent e636bd9c2e8e713ebf594a4859be8bb0b6fae00b
Author: Dan Stillman <dstillman@zotero.org>
Date:   Fri,  8 Oct 2010 06:44:33 +0000

Sanitize note markup in TinyMCE

[Uncommented note.html's valid_elements in r7027]


Diffstat:
Mchrome/content/zotero/tinymce/note.html | 23++++++++++++++++++++++-
Mchrome/content/zotero/tinymce/noteview.html | 23++++++++++++++++++++++-
2 files changed, 44 insertions(+), 2 deletions(-)

diff --git a/chrome/content/zotero/tinymce/note.html b/chrome/content/zotero/tinymce/note.html
@@ -38,7 +38,28 @@
 theme_advanced_buttons2 : "formatselect,|,justifyleft,justifycenter,justifyright,|,bullist,numlist,outdent,indent,|,removeformat,code",
 theme_advanced_buttons3 : "",
 theme_advanced_toolbar_location : "top",
- theme_advanced_toolbar_align : "left"
+ theme_advanced_toolbar_align : "left",
+
+ // More restrictive version of default set, with JS/etc. removed
+ /*valid_elements : "@[id|class|style|title|dir<ltr?rtl|lang|xml::lang]," +
+ "a[rel|rev|charset|hreflang|tabindex|accesskey|type|" +
+ "name|href|target|title|class],strong/b,em/i,strike,u," +
+ "#p,-ol[type|compact],-ul[type|compact],-li,br,img[longdesc|usemap|" +
+ "src|border|alt=|title|hspace|vspace|width|height|align],-sub,-sup," +
+ "-blockquote,-table[border=0|cellspacing|cellpadding|width|frame|rules|" +
+ "height|align|summary|bgcolor|background|bordercolor],-tr[rowspan|width|" +
+ "height|align|valign|bgcolor|background|bordercolor],tbody,thead,tfoot," +
+ "#td[colspan|rowspan|width|height|align|valign|bgcolor|background|bordercolor" +
+ "|scope],#th[colspan|rowspan|width|height|align|valign|scope],caption,-div," +
+ "-span,-code,-pre,address,-h1,-h2,-h3,-h4,-h5,-h6,hr[size|noshade],-font[face" +
+ "|size|color],dd,dl,dt,cite,abbr,acronym,del[datetime|cite],ins[datetime|cite]," +
+ "param[name|value|_value]," +
+ "map[name],area[shape|coords|href|alt|target],bdo," +
+ "button,col[align|char|charoff|span|valign|width],colgroup[align|char|charoff|span|" +
+ "valign|width],dfn,fieldset," +
+ "kbd,label[for],legend,optgroup[label|disabled],option[disabled|label|selected|value]," +
+ "q[cite],samp,select[disabled|multiple|name|size],small," +
+ "textarea[cols|rows|disabled|name|readonly],tt,var,big"*/
 });
 tinyMCE.execCommand("mceAddControl", true, "tinymce");
 </script>
diff --git a/chrome/content/zotero/tinymce/noteview.html b/chrome/content/zotero/tinymce/noteview.html
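Review bot: In note.html the new `valid_elements` list sits inside `/* … */`, so the only effective change in this hunk is the comma added after `theme_advanced_toolbar_align : "left"`; the editable note view keeps TinyMCE's default element set while noteview.html gets the restricted one. The commit description says the list was uncommented later in r7027, but as committed here the editor and the viewer filter note markup differently and nothing next to the block says why. If it has to stay disabled, a comment such as `// TODO: disabled because <reason>; enable to match noteview.html` would make the gap visible to the next reader. The init call this option object belongs to starts outside the hunk.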
@@ -30,7 +30,28 @@ table.mceLayout > tbody > tr.mceLast {
 theme_advanced_buttons2 : "",
 theme_advanced_buttons3 : "",
 theme_advanced_toolbar_location : "top",
- theme_advanced_toolbar_align : "left"
+ theme_advanced_toolbar_align : "left",
+
+ // More restrictive version of default set, with JS/etc. removed
+ valid_elements : "@[id|class|style|title|dir<ltr?rtl|lang|xml::lang]," +
+ "a[rel|rev|charset|hreflang|tabindex|accesskey|type|" +
+ "name|href|target|title|class],strong/b,em/i,strike,u," +
+ "#p,-ol[type|compact],-ul[type|compact],-li,br,img[longdesc|usemap|" +
+ "src|border|alt=|title|hspace|vspace|width|height|align],-sub,-sup," +
+ "-blockquote,-table[border=0|cellspacing|cellpadding|width|frame|rules|" +
+ "height|align|summary|bgcolor|background|bordercolor],-tr[rowspan|width|" +
+ "height|align|valign|bgcolor|background|bordercolor],tbody,thead,tfoot," +
+ "#td[colspan|rowspan|width|height|align|valign|bgcolor|background|bordercolor" +
+ "|scope],#th[colspan|rowspan|width|height|align|valign|scope],caption,-div," +
+ "-span,-code,-pre,address,-h1,-h2,-h3,-h4,-h5,-h6,hr[size|noshade],-font[face" +
+ "|size|color],dd,dl,dt,cite,abbr,acronym,del[datetime|cite],ins[datetime|cite]," +
+ "param[name|value|_value]," +
+ "map[name],area[shape|coords|href|alt|target],bdo," +
+ "button,col[align|char|charoff|span|valign|width],colgroup[align|char|charoff|span|" +
+ "valign|width],dfn,fieldset," +
+ "kbd,label[for],legend,optgroup[label|disabled],option[disabled|label|selected|value]," +
+ "q[cite],samp,select[disabled|multiple|name|size],small," +
+ "textarea[cols|rows|disabled|name|readonly],tt,var,big"
 });
 tinyMCE.execCommand("mceAddControl", true, "tinymce");
 </script>
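Review bot: The allow-list added to noteview.html still accepts attributes that can carry active or remote content: the global rule `@[id|class|style|...]` permits `style` on every element, and `a[...|href|...]`, `area[...|href|...]` and `img[...|src|...]` are listed with no constraint on the URL scheme. As far as I know `valid_elements` filters element and attribute names and only restricts values where an enumeration like `dir<ltr?rtl` is given, so `javascript:`/`data:` URLs and CSS `url()` values would presumably pass; because this page is served from chrome/content, it is worth confirming that link and style values are checked somewhere else before note markup is rendered. Dropping `style` from the `@[...]` rule and removing the form controls a note has no use for (`button`, `select`, `option`, `textarea`) would narrow the list further. The same 19-line string is duplicated in note.html, so a shared constant with a comment naming what was removed from the default set would keep the two from drifting; the enclosing init call starts outside the hunk.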