To prevent cross-site scripting, Sputnik defaults to aggressive filtering of any HTML produced from the content of the node. This happens, in particular, to any nodes where users enter text using Markdown. The content is filtered after it is passed through Markdown, so the same rules apply, for example, to:
[oops](javascript:alert('oops'))
as to
<a href="javascript:alert('oops')">oops</a>
The filtering is done using XSSFilter module and is pessimistic, meaning that we only accept what is known to be safe rather than looking for what's potentially dangerous. (The reason is that we don't know the full list of possible XSS attacks. There are a lot of them.)
To pass, HTML must first parse as valid XHTML. If we can't parse it, we assume it's bad. Second, we only allow tags and attributes that we recognize. And the attribute values can then also be filtered.
You can relax the filter by editing the xssfilter_allowed_tags field, either for specific nodes or for @Root. E.g., to allow "javascript:" in links (but please don't!!!), you could add this to xssfilter_allowed_tags:
a = {
href = {"^http://", "^https://", "^ftp://", "^/", "#", "^mailto:"}
}
(Again, this wouldn't be a good idea. But you could.)
Or, to include YouTube videos, you would want to add:
object = {
width=".", height="."
}
param = {
name=".", value="."
}
embed = {
src="^http://www.youtube.com/",
type="^application/x-shockwave-flash",
allowscriptaccess=".", allowfullscreen=".",
width=".", height="."
}
to xssfilter_allowed_tags.
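As an added illustration of the allowlist rule described above (this is not Sputnik's own XSSFilter code, which is written in Lua), the following Python sketch does the same three things: it parses the fragment as XML and rejects it outright if that fails, drops every element whose tag is not in the allowlist, and keeps an attribute only when its value matches at least one of the listed patterns. The pattern strings are the ones shown on this page, used here as Python regular expressions. The default allowlist in the example is an assumption made for the demonstration; the object/param/embed entries are the ones given above for YouTube.

```python
import html
import re
import xml.etree.ElementTree as ET

# Assumed default allowlist for this example (Sputnik's real defaults live in
# its XSSFilter module).  Structure: tag -> attribute -> list of patterns, at
# least one of which must match the attribute value.  "." means "any value".
ALLOWED_TAGS = {
    "p": {}, "em": {}, "strong": {}, "code": {}, "br": {},
    "a": {
        "href": ["^http://", "^https://", "^ftp://", "^/", "#", "^mailto:"],
        "title": ["."],
    },
}

# The extra entries the page suggests for embedding YouTube videos.
YOUTUBE_TAGS = {
    "object": {"width": ["."], "height": ["."]},
    "param": {"name": ["."], "value": ["."]},
    "embed": {
        "src": ["^http://www.youtube.com/"],
        "type": ["^application/x-shockwave-flash"],
        "allowscriptaccess": ["."], "allowfullscreen": ["."],
        "width": ["."], "height": ["."],
    },
}


def xss_filter(fragment, allowed=ALLOWED_TAGS):
    """Return the filtered XHTML fragment, or None if it does not parse as XML."""
    try:
        # Wrap in a root element so a fragment with several siblings still parses.
        root = ET.fromstring("<root>" + fragment + "</root>")
    except ET.ParseError:
        return None  # pessimistic: unparsable input is treated as bad
    return html.escape(root.text or "", quote=False) + "".join(
        _render(child, allowed) for child in root
    )


def _value_allowed(value, patterns):
    """An attribute survives only if some pattern matches its value."""
    return any(re.search(p, value) for p in patterns)


def _render(elem, allowed):
    text = html.escape(elem.text or "", quote=False)
    children = "".join(_render(child, allowed) for child in elem)
    tail = html.escape(elem.tail or "", quote=False)
    if elem.tag not in allowed:
        # Unknown element: drop the tag and all its attributes, keep escaped text.
        return text + children + tail
    attrs = "".join(
        f' {name}="{html.escape(value, quote=True)}"'
        for name, value in elem.attrib.items()
        if name in allowed[elem.tag]
        and _value_allowed(value, allowed[elem.tag][name])
    )
    if not text and not children:
        return f"<{elem.tag}{attrs}/>" + tail  # XHTML-style empty element
    return f"<{elem.tag}{attrs}>{text}{children}</{elem.tag}>" + tail


if __name__ == "__main__":
    # Constructed sample inputs, including the javascript: link from the page.
    print(xss_filter("<a href=\"javascript:alert('oops')\">oops</a>"))
    print(xss_filter('<p onclick="evil()">hi <script>alert(1)</script></p>'))
    print(xss_filter("<b>unclosed"))
    relaxed = {**ALLOWED_TAGS, **YOUTUBE_TAGS}
    print(xss_filter('<embed src="http://www.youtube.com/v/abc" width="10"/>', relaxed))
```

With the default allowlist the javascript: link from the top of the page comes out as `<a>oops</a>`: the tag is known, so it stays, but the href value matches none of the patterns and is dropped. An unclosed `<b>` fails the XML parse and the whole fragment is rejected. With the YouTube entries merged in, an embed whose src points at www.youtube.com keeps its src, while one pointing elsewhere keeps the tag but loses the src attribute, which is what attribute-value patterns buy you over a plain tag allowlist.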
To disable XSS filtering altogether, you would add "DISABLEXSSFILTER = true" to your sputnik.ws or sputnik.cgi file. Please don't do this unless you trust everyone who will have write access.