Is posted HTML content sanitized? What file is doing it?

Question

Which php file retrieves the posted content?

In my case, I want to see how the content is sanitized and modified.

My goal: I like to remove stuff from HTML that is posted. E.g. style tags such as "line-height" that get into the question/answer when copied from another site.

For now, I am using regex in the ckeditor's javascript to remove some of the style attributes, and yes, you should not do that (thousand times said on stackoverflow...)

 

Comments

Follow up: http://question2answer.org/qa/17798/has-somebody-used-htmllawed-to-clean-user-input-in-q2a

Answer 1

In qa-base.php I found  function qa_sanitize_html that "returns $html after ensuring it is safe, i.e. removing Javascripts and the like - uses htmLawed library"
 

---

just a test post to add some html + js code, hope it gets cleaned by q2a. I copied the html directly:

... to the left is html with the class qa-waiting
new line:
 

red background with pseudo class

now comes a javascript alert:
that's it for now!

---

source from above:

<SPAN ID="qa-waiting-template" CLASS="qa-waiting">...</SPAN> to the left is html with the class qa-waiting
<br >new line:<br /><br />
<p class="" style="background-color:#FFAAAA">red background with pseudo class</p>
<br />
now comes a javascript alert:
<script type="text/javascript">alert("javascript injection")</script>
<br />
that's it for now!