Apply Profanity Filter to HTML

[The Dark Wizard]

Hi,

I would like the ability to let the profanity filter scrub HTML if a user can post it because their group has the permission. We could easily start banning things like meta redirects and other such to let more and more users use HTML and blacklist bad stuff.

[Daddy]

Allowing users to post with HTML is never good and despite any level of moderation will be abused. I recommend against it as HTML can allow malicious users to redirect, backdoor and overall ruin the reputation of your community.

[Charles]

Profanity is the least if your worries if you are allowing people to post raw HTML  

[The Dark Wizard]

4 hours ago, Charles said:

Profanity is the least if your worries if you are allowing people to post raw HTML  

I want to use it not for profanity but to black list tags and anything else I want.

I am actually allowing users to use HTML at a certain amount of posts. Other big sites have tried it to great success and formatting is a crucial part for my type of community. We have staff with browser addons and such that makes it so that they can't be for example redirected away so they can edit out and remove any nasty stuff. 

Though tight policing, instant account termination if abused and a large staff are making it a success.

But again the filter was not actually for profanity in HTML. I wanted to be cute and use it to censor HTML I don't want to see. Like the meta timer redirect.

 

 

[ptprog]

10 hours ago, Charles said:

Profanity is the least if your worries if you are allowing people to post raw HTML  

As far as I know, you just need to disable Javascript to be able to use raw HTML in certain areas (using the browser developer tools is another option).  So, even here you allow us to post raw HTML.

I still don't understand why we can't have a "source" button in the editor that allows users to use raw HTML without compromising security.

[Charles]

We certainly do not allow you to post raw HTML here

[ptprog]

20 hours ago, Charles said:

We certainly do not allow you to post raw HTML here

I just did it here: https://invisionpower.com/forums/topic/417428-html/?do=findComment&comment=2654347 (You can see that I used the HTML tag "code", which is not available through the editor.)

This example is even more interesting: https://invisionpower.com/forums/topic/417428-html/?do=findComment&comment=2654348 (In this case I was able to use custom formatting through the "style" attribute.)

 

[Colonel_mortis]

If you just insert custom content into the editor, by pasting it from elsewhere or using the dev tools, then there is no way for them to stop you from submitting it (and I have on occasions used that to add formatting that isn't available in the UI, such as a monospace font, to my posts here). However, as much as I like the idea of users being able to edit the HTML themselves (and it is something that has been proposed by my users a few times), I don't think it would work because the post is (and very definitely must be) parsed by HTMLPurifier to strip malicious content. HTMLPurifier is quite an aggressive filtering system though, and will not only block malicious content, but also some variants of legitimate content. This means that it wouldn't be a consistent experience for users, and there would be lots of bugs reported about it. I personally think it works better to allow people to modify their post using the dev tools if they want, because that way it's clear that it's not properly supported, so the things that don't work about it, and have to not work about it, will not be considered bugs, just quirks.

[Charles]

15 hours ago, ptprog said:

I just did it here: https://invisionpower.com/forums/topic/417428-html/?do=findComment&comment=2654347 (You can see that I used the HTML tag "code", which is not available through the editor.)

This example is even more interesting: https://invisionpower.com/forums/topic/417428-html/?do=findComment&comment=2654348 (In this case I was able to use custom formatting through the "style" attribute.)

 

Yes that's all fine as @Colonel_mortis pointed out things are stripped. If you were to try to input things like JavaScript and such it would strip it out.

[ptprog]

3 hours ago, Charles said:

Yes that's all fine as @Colonel_mortis pointed out things are stripped. If you were to try to input things like JavaScript and such it would strip it out.

That's precisely my point.  If you can already filter HTML to make it safe, why cannot we have a safe "Source" button in the editor that we can enable to all users?

I agree that we also need a source button for admins that lets them use any HTML (which we already have).  However, it would be useful if that button had a "safe" variant, which would enable the HTML filter, the profanity filter (as @The Dark Wizard requested), the URL filter, etc.

You say "profanity is the least if your worries if you are allowing people to post raw HTML", but the other "worries" can also be solved.  (And you are already solving them except when the "Source" button is available.)