Hello guys! I really need your advice because this problem blows my mind!
Actually, the case is very simple - I need to save a snippet of HTML via a SafeCracker form to a specific channel (“Allow ALL HTML” is enabled).
The problem is that this HTML snippet is saved, but with strange transformations. Some attributes present in this HTML are being cut down.
For example, if I post something like this:
<div class="some" data-ic data-positi data-other="some other">" alt=</div>
after saving I’ve got this:
<div class="some" data-ic data-positi data-other="some other">" alt=</div>
It seems that somehow EE is cutting down attributes whose names contain the word “on”. Interestingly, if I post it via the CP everything is OK.
Is this some SafeCracker filter or something? Have you any ideas?
Oh, that is crap))) Sorry for this word….
If you check my previous post, you’ll see that the EE Forum engine also cut down the attributes that I’m talking about, because the first code snippet had data-icon="start" and data-position="100" attributes, which became data-ic and data-positi.
Can anyone tell me what’s going on here?
I’m very disappointed because of 96 views but 0 answers. Whatever…
I resolved it myself. So, the core of this problem is in the CodeIgniter Security class (CI_Security). More specifically, in the _remove_evil_attributes() method of this class. Here we have a regular expression which was declared to remove “javascript event handlers (e.g. onload, onclick, onmouseover)”, but it is not so.
$evil_attributes = array('on\w*', 'style', 'xmlns', 'formaction');
Actually, this regular expression also covers all attributes with the word ‘on’ in them. So not only something like onclick="foo();return;" will be deleted, but also something like data-icon="star".
I believe that it’s an incorrect regular expression and the problem can be classified as a bug.
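The behaviour described in the post above, reproduced as an added example (not the poster's code and not the CI_Security source). Only the $evil_attributes array comes from the post; the surrounding patterns, the $value sub-pattern, the strip_attributes() helper and the sample inputs are constructed here, and the lookbehind variant is one possible way to stop the names from matching in the middle of another attribute name.

```php
<?php
// The array quoted in the post. Everything else below is an assumption
// made for illustration, not the framework's actual pattern.
$evil_attributes = array('on\w*', 'style', 'xmlns', 'formaction');
$names = implode('|', $evil_attributes);

// Attribute value: double-quoted, single-quoted, or unquoted.
$value = '(?:"[^"]*"|\'[^\']*\'|[^\s>]+)';

// Unanchored: a listed name may begin anywhere, including inside a longer
// attribute name, so the "on" in "icon" or "position" starts a match.
$unanchored = '/(?:' . $names . ')\s*=\s*' . $value . '/i';

// Anchored: the character before the name must not be a name character
// (letter, digit, underscore or hyphen). A lookbehind is used instead of
// requiring whitespace so that a handler placed directly after a quote or
// a slash is still removed.
$anchored = '/(?<![\w-])(?:' . $names . ')\s*=\s*' . $value . '/i';

// Hypothetical helper: delete every match of $pattern from $html.
function strip_attributes($pattern, $html)
{
    return preg_replace($pattern, '', $html);
}

// Constructed sample inputs.
$samples = array(
    '<div class="some" data-icon="star" data-position="100" data-other="some other">x</div>',
    '<a href="#" onclick="foo();return;">x</a>',
    '<a href="#"onclick="foo();return;">x</a>',
);

foreach ($samples as $html) {
    echo "input:      $html\n";
    echo "unanchored: " . strip_attributes($unanchored, $html) . "\n";
    echo "anchored:   " . strip_attributes($anchored, $html) . "\n\n";
}
```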