SanitizeBlogs 2 is a variant of the mt-plugin-SanitizeBlogs plugin by Six Apart. While the Six Apart version sanitizes blogs based on a blog URL prefix (useful for blogs published under the Community Platform), this variant suits a blog farm where you want every blog sanitized by default, with the ability to refine or disable the sanitization for selected blogs.

Overview

Specify the HTML tags and attributes allowed in entry and page fields, based on system-level or blog-level settings.

It works much like, but independently of, the GlobalSanitizeSpec configuration directive.

A typical use case of this plugin is to clean up the tag soup introduced by authors copying text from Microsoft Word and pasting it into the rich text editor. Recent versions of MS Word typically introduce invalid HTML that can break a site's layout and CSS styles. Also, contrary to MT's default sanitization behaviour, SanitizeBlogs 2 can allow white-listed JavaScript event attributes (such as the 'onclick' handler generated by the Asset Manager for full-size image popups). Allowing such attributes lets any author on that blog run arbitrary script in your readers' browsers, so enable this only on blogs whose authors you fully trust.

Requirements

  • MT 4.x
  • MT 5.x
  • Melody 1.x

Features

  • define the list of HTML tags and attributes allowed in the following fields:
    • Title
    • Body
    • Extended
    • Excerpt
    • Keywords
  • specify the list at both system and blog level
  • exclude a blog from the sanitization entirely
  • white-list JavaScript event attributes (blog level only)

Documentation

Allowed Tags and Attributes

List of allowed HTML tags and tag attributes. Tags are comma-separated; the attributes allowed on a tag are space-separated and listed after that tag. A tag listed without attributes keeps none of its attributes; a lone * in place of attribute names allows every attribute on that tag.

Restrictive sample value (allows only the href and class attributes on the a tag, and only class on code):

a href class,b,cite,code class,em,i,img,li,ol,pre,strike,strong,ul

Relaxed sample value that works well for regular blogs to clean up the MS Word tag soup (note that img *, object *, param * and embed * keep every attribute of those tags and let authors embed arbitrary plugin content, so this list also presumes trusted authors):

a href target title,b,i,br/,p,strong,em,ul,ol,li,blockquote,pre,img *,div style,object *,param *,embed *

The list can be defined at both system and blog level. The system list applies by default to every blog in the system, except blogs that define their own list or that are specifically excluded from the sanitization. If the system list is empty, only blogs that define a list at their own level are sanitized.

Allowed JavaScript events (blog-level only)

Comma-separated list of JavaScript event attributes (attributes named 'on...', e.g. onclick,onsubmit,onfocus) to allow on this blog.
Warning: make sure you understand the security implications of JavaScript event handlers before allowing them: any author on the blog can then execute script in visitors' browsers. This setting applies only to the Body, Extended and Excerpt fields.
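The following is an added example, not the plugin's own code, of how a sanitizer driven by a spec in the format described above behaves on a constructed piece of MS Word tag soup and on the Asset Manager style popup link. The spec parser and the two sample spec values follow the README; the sanitization rules themselves (disallowed tags are dropped but their text is kept, 'on...' attributes are dropped even under * unless named in the separate event list, 'br/' is read as br) are assumptions of this example and not a statement of what MT::Sanitize or the plugin does internally. The sample HTML strings are constructed for the demonstration.

```python
"""Added example: apply a SanitizeBlogs2-style allowed-tags spec to HTML.

Spec format (from the README): tags comma-separated, each tag optionally
followed by space-separated attribute names, '*' meaning every attribute.
Assumptions of this example (not necessarily the plugin's behaviour):
  - a tag listed with no attributes keeps none of its attributes;
  - disallowed tags are removed but their text content is kept;
  - 'on*' event-handler attributes are dropped even under '*' unless the
    event is named in the separate allowed-events list;
  - 'br/' in the spec is treated as 'br'.
"""
from html import escape
from html.parser import HTMLParser

# Spec values copied from the README.
RESTRICTIVE_SPEC = "a href class,b,cite,code class,em,i,img,li,ol,pre,strike,strong,ul"
RELAXED_SPEC = ("a href target title,b,i,br/,p,strong,em,ul,ol,li,blockquote,pre,"
                "img *,div style,object *,param *,embed *")

# Constructed sample inputs (not taken from the README).
WORD_SOUP = ('<p class="MsoNormal"><span style="font-family:Calibri">'
             'Hello <b>world</b><o:p></o:p></span></p>')
POPUP_LINK = '<a href="/big.jpg" onclick="window.open(this.href);return false">pic</a>'

VOID_TAGS = {"br", "img", "hr", "input", "param", "embed"}


def parse_spec(spec):
    """'a href class,b,br/,img *' -> {'a': {'href','class'}, 'b': set(), 'br': set(), 'img': {'*'}}"""
    allowed = {}
    for entry in spec.split(","):
        parts = entry.strip().lower().split()
        if not parts:
            continue
        allowed[parts[0].rstrip("/")] = set(parts[1:])   # 'br/' -> 'br'
    return allowed


class _Sanitizer(HTMLParser):
    def __init__(self, allowed, events):
        super().__init__(convert_charrefs=True)
        self.allowed = allowed
        self.events = {e.strip().lower() for e in events.split(",") if e.strip()}
        self.out = []

    def _keep_attr(self, tag, name):
        if name.startswith("on"):            # event handlers need the explicit list
            return name in self.events
        attrs = self.allowed[tag]
        return name in attrs or "*" in attrs

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:
            return                            # drop the tag; its text still arrives via handle_data
        kept = [(n, v) for n, v in attrs if self._keep_attr(tag, n)]
        rendered = "".join(f' {n}="{escape(v or "", quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{rendered}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)      # '<br/>' is emitted as '<br>'

    def handle_endtag(self, tag):
        if tag in self.allowed and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))   # re-escape text, incl. ex-<script> bodies


def sanitize(html, spec, events=""):
    """Return `html` with only the tags/attributes permitted by `spec` and `events`."""
    p = _Sanitizer(parse_spec(spec), events)
    p.feed(html)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    print(sanitize(WORD_SOUP, RESTRICTIVE_SPEC))            # Hello <b>world</b>
    print(sanitize(WORD_SOUP, RELAXED_SPEC))                # <p>Hello <b>world</b></p>
    print(sanitize(POPUP_LINK, RESTRICTIVE_SPEC))           # onclick stripped
    print(sanitize(POPUP_LINK, RESTRICTIVE_SPEC, "onclick"))  # onclick kept
    print(sanitize('<img src="x" onerror="alert(1)">', RELAXED_SPEC))  # onerror stripped
```

Two things worth noticing when running it: with the restrictive list the img tag is listed without attributes, so images lose their src (a practitioner would add img src alt), and the example only filters attribute names, not values, so a whitelisted href still needs a check for javascript: and data: URLs before it can be called safe.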

Installation

  1. Download SanitizeBlogs2.
  2. Uncompress the archive and move the SanitizeBlogs2 directory into the MT plugins directory. See the more in-depth plugin installation instructions if needed.
  3. In the plugin preferences at system level, enter the list of allowed tags to apply by default to all blogs. Optionally, refine this list or exclude specific blogs at blog level.

Notes

Installing both the Six Apart SanitizeBlogs and the Ubiquitic SanitizeBlogs2 plugins on the same MT installation has not been tested. Their plugin keys differ, so their respective preferences will not clash; however, if you define a blog-level list in SanitizeBlogs2 on a blog that SanitizeBlogs also sanitizes, both plugins will run on that blog in an unpredictable order. You may want to leave the SanitizeBlogs2 system-level list empty and define lists only on selected blogs.

This plugin speaks French. ;-)

Version history

  • 1.2.2 (Current): Properly sanitize pages in addition to entries.
  • 1.2.1: Introduces the white-listing of javascript events.

Credits

Authors: Ubiquitic, based on code by Six Apart Ltd.
Copyright: 2010 Ubiquitic, 2009 Six Apart Ltd.
License: Artistic License 2.0

This free software is provided as-is WITHOUT ANY KIND OF GUARANTEE; you can redistribute it and/or modify it under the same terms as Perl itself.