I thought I'd share my changes to make HTML posts in Q2A more secure by sanitizing the data more strictly.
In qa-include/qa-base.php, from line 705, you find the config for HTML sanitization:
    $safe = htmLawed($html, array(
        'safe' => 1,
        'elements' => '*+embed+object',
        'schemes' => 'href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; *:file, http, https; style: !; classid:clsid',
        'keep_bad' => 0,
        'anti_link_spam' => array('/.*/', ''),
        'hook_tag' => 'qa_sanitize_html_hook_tag',
    ));
This allows 86 HTML elements; see the doc here.
@gidgreen: why do you actually add +embed+object to the list? They are already included.
My new strict version is the following:
    $safe = htmLawed($html, array(
        'safe' => 1,
        // only allow the following HTML tags (everything else is dropped, since keep_bad is 0)
        'elements' => 'img, a, p, br, span, b, strong, i, em, u, sub, sup, strike, table, caption, tbody, tr, td',
        // only allow ftp, http, https in anchors; no need for the clsid scheme on the classid attribute
        'schemes' => 'href: ftp, http, https; *:file, http, https; style: !',
        'keep_bad' => 0,
        'anti_link_spam' => array('/.*/', ''),
        'hook_tag' => 'qa_sanitize_html_hook_tag',
        // do not allow the class and id attributes; they get removed
        'deny_attribute' => 'class, id',
    ));
Note: My CKEditor is quite reduced in functionality (fewer buttons), so this code might not suit you. However, I thought one or the other could use it.
Helpful:
1. Configuring htmLawed using the $config parameter
2. How to modify qa-htmLawed.php to better sanitize/clean html posts
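As an added example (this is not code from the post above or from the Question2Answer project), here is the strict config wrapped in a helper next to the default Q2A config, run over a constructed sample post so that the two outputs can be compared on your own install before you change qa-base.php. It assumes htmLawed.php from the htmLawed distribution is on the include path. Q2A's own qa_sanitize_html_hook_tag is used when the script runs inside Q2A; outside Q2A a minimal stand-in that only rebuilds the tag is defined here, which is an assumption about the hook's calling convention (element name plus attribute array for opening tags, element name alone for closing tags).

```php
<?php
// Added example, not part of the original post or of Question2Answer.
// Assumes htmLawed.php is available on the include path.
require_once 'htmLawed.php';

if (!function_exists('qa_sanitize_html_hook_tag')) {
    // Stand-in for Q2A's hook when running outside Q2A (assumption: htmLawed
    // calls the hook with ($element, $attributes) for opening tags and with
    // ($element) only for closing tags, and expects the tag string back).
    function qa_sanitize_html_hook_tag($element, $attributes = null)
    {
        if (!is_array($attributes)) {
            return '</' . $element . '>';
        }
        $html = '<' . $element;
        foreach ($attributes as $name => $value) {
            $html .= ' ' . $name . '="' . $value . '"';
        }
        // br and img are empty elements; close them inline.
        $empty = array('br' => true, 'img' => true);
        return $html . (isset($empty[$element]) ? ' />' : '>');
    }
}

// The default Q2A config as quoted from qa-base.php in the post.
function q2a_default_sanitize($html)
{
    return htmLawed($html, array(
        'safe' => 1,
        'elements' => '*+embed+object',
        'schemes' => 'href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; *:file, http, https; style: !; classid:clsid',
        'keep_bad' => 0,
        'anti_link_spam' => array('/.*/', ''),
        'hook_tag' => 'qa_sanitize_html_hook_tag',
    ));
}

// The stricter config from the post: explicit element allowlist, fewer href
// schemes, and class/id attributes removed.
function q2a_strict_sanitize($html)
{
    return htmLawed($html, array(
        'safe' => 1,
        'elements' => 'img, a, p, br, span, b, strong, i, em, u, sub, sup, strike, table, caption, tbody, tr, td',
        'schemes' => 'href: ftp, http, https; *:file, http, https; style: !',
        'keep_bad' => 0,
        'anti_link_spam' => array('/.*/', ''),
        'hook_tag' => 'qa_sanitize_html_hook_tag',
        'deny_attribute' => 'class, id',
    ));
}

// Constructed sample post: exercises an element outside the allowlist (div,
// object), an href scheme the strict config no longer permits (mailto), and
// the class/id attributes the strict config denies.
$sample = '<div id="wrap" class="fancy">'
        . '<p class="note">Hello <b>world</b>, see <a href="https://example.org/">the site</a> '
        . 'or <a href="mailto:someone@example.org">write</a>.</p>'
        . '<object data="https://example.org/thing"></object>'
        . '<img src="https://example.org/pic.png" alt="pic" />'
        . '</div>';

// Print both results so the difference is visible on the command line.
echo "default: ", q2a_default_sanitize($sample), PHP_EOL;
echo "strict:  ", q2a_strict_sanitize($sample), PHP_EOL;
```

Run it with `php` from a directory that contains htmLawed.php. In the strict output the div and object are gone (their text content is kept because keep_bad is 0, which drops the tags but not the text), the mailto link loses its href, and the class and id attributes disappear; the default output keeps all of them. Comparing the two on a handful of your own real posts is the cheapest way to find out whether your editor emits any tag the allowlist does not cover before you deploy the change.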