Link inside article abstract not working

Tarcisio_Pereira · July 13, 2016, 2:15pm

Hi,

I’m using OJS 2.4.8.0 with postgresql.
When I have some article with a link inside the abstract field or some embed video, it work’s inside tiny_mce.
But in in the article page it’s not working.
A link like:
<a href="https://vimeo.com/147721141">A Musicológica Kamayurá - Entrevista com Rafael José de Menezes Bastos</a>
Goes to:
<a>A Musicológica Kamayurá - Entrevista com Rafael José de Menezes Bastos</a>
No errors in apache log.

Artcile link:
http://www.revistas.usp.br/gis/article/view/116383

Screenshots:

Maybe is postgresql using ’ or " the problem?

Best regards,
Tarcisio Pereira

cjuergen · July 13, 2016, 3:16pm

Hi Tarcisio,

I don’t think postgresql is the problem. We installed OJS 2.4.8 with Postgres this week and links in articles do work fine either created by editing the html or using the TinyMCE Editor. I haven’t tried embedding a video yet.
Maybe you entered something wrong using the TinyMCE.

You can check this by logging in as editor for the journal and view the archived submission. In summary there is the possibility to edit the metadata. Click on HTML in the bottom of the abstract window and view the source.
Here is the source of my Test Artcle with links in the abstract
`

This is an abstract test with link added by editing the html

Test Link

This is a test link generated via Tiny

A Musicológica Kamayurá - Entrevista com Rafael José de Menezes Bastos

`

Hope this helps
Claudia Jürgen

Tarcisio_Pereira · July 13, 2016, 4:46pm

Hi @cjuergen

As we can see in the first image, it works when I’m editing metadata. But, when I see it in the article, it do not works. If I entered something wrong using the TinyMCE, it should not work when I edit the abstract, I guess.
I double checked the link editing html and it’s ok.

I’m thinking that the OJS makes some treatment in the database field before placing it on the screen.
Inside database the field is ok too.

I’ve copied and pasted yours code lines, it not works too.

Best regards,
Tarcisio Pereira.

cjuergen · July 14, 2016, 8:28am

Hi @Tarcisio_Pereira,

I’m new to OJS and know nothing about PHP, but there is some stripping done to remove unsafe html in

github.com

pkp/ojs/blob/ojs-stable-2_4_8/templates/article/article.tpl#L53


		</div>
	{/if}
	{call_hook name="Templates::Article::Article::ArticleCoverImage"}
	<div id="articleTitle"><h3>{$article->getLocalizedTitle()|strip_unsafe_html}</h3></div>
	<div id="authorString"><em>{$article->getAuthorString()|escape}</em></div>
	<br />
	{if $article->getLocalizedAbstract()}
		<div id="articleAbstract">
		<h4>{translate key="article.abstract"}</h4>
		<br />
		<div>{$article->getLocalizedAbstract()|strip_unsafe_html|nl2br}</div>
		<br />
		</div>
	{/if}

	{if $article->getLocalizedSubject()}
		<div id="articleSubject">
		<h4>{translate key="article.subject"}</h4>
		<br />
		<div>{$article->getLocalizedSubject()|escape}</div>
		<br />

Based on

github.com

pkp/ojs/blob/ojs-stable-2_4_8/config.TEMPLATE.inc.php#L260


salt = "YouMustSetASecretKeyHere!!"

; The number of seconds before a password reset hash expires (defaults to 7200 / 2 hours)
reset_seconds = 7200

; Allowed HTML tags for fields that permit restricted HTML.
; For PHP 5.0.5 and greater, allowed attributes must be specified individually
; e.g. <img src|alt> to allow "src" and "alt" attributes. Unspecified
; attributes will be stripped. For PHP below 5.0.5 attributes may not be
; specified in this way.
allowed_html = "<a href|target> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <b> <i> <u> <img src|alt> <sup> <sub> <br> <p>"

; Prevent VIM from attempting to highlight the rest of the config file
; with unclosed tags:
; </p></sub></sup></u></i></b></dd></dt></dl></li></ol></ul></code></cite></strong></em></a>


; Configure whether implicit authentication (request headers) is used.
; Valid values are: On, Off, Optional
; If On or Optional, request headers are consulted for account metadata so
; ensure that users cannot spoof headers. If Optional, users may use either

The <iframe> with it’s attributes is not in this set. Have you tried in a test article just a simple link?

Hope this helps

Claudia Jürgen

ctgraham · July 14, 2016, 11:51am

I strongly suspect the a tag is missing the href attribute in the allowed_html of config.inc.php.

Tarcisio_Pereira · July 14, 2016, 12:23pm

Hi @cjuergen and @ctgraham

The tag was missing href attribute in the allowed_html of config.inc.php.
I changed to:
<a href|target> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <img> <iframe src>"
Href is ok.
But target attribute and iframe tag do not work.
I’m I doing something wrong?

Best regards,
Tarcisio Pereira

ctgraham · July 14, 2016, 12:29pm

This thread offers more insight to the removal of the a tag’s target and may be relevant to the iframe tag as well.

Tarcisio_Pereira · July 14, 2016, 1:14pm

@ctgraham @cjuergen

Here is my solution:

config.inc.php
254 ; Allowed HTML tags for fields that permit restricted HTML. 255 allowed_html = "<a href|target> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <img> <iframe src|frameborder|width|height>" 256 257 ; Prevent VIM from attempting to highlight the rest of the config file 258 ; with unclosed tags: 259 ;</iframe></dd></dt></dl></li></ol></ul></code></cite></a>

lib/pkp/classes/core/String.inc.php
436 function stripUnsafeHtml($input) { 437 // If possible, use the HTML purifier. 438 if (defined('USE_HTML_PURIFIER')) { 439 require_once('lib/pkp/lib/htmlpurifier/library/HTMLPurifier.path.php'); 440 require_once('HTMLPurifier.includes.php'); 441 static $purifier; 442 if (!isset($purifier)) { 443 $config = HTMLPurifier_Config::createDefault(); 444 $config->set('Core.Encoding', Config::getVar('i18n', 'client_charset')); 445 $config->set('HTML.Doctype', 'XHTML 1.0 Transitional'); 446 // Transform the old allowed_html setting into 447 // a form HTMLPurifier can use. 448 $config->set('HTML.Allowed', preg_replace( 449 '/<(\w+)[ ]?([^>]*)>[ ]?/', 450 '${1}[${2}],', 451 Config::getVar('security', 'allowed_html', DEFAULT_ALLOWED_HTML) 452 )); 453 $config->set('Cache.SerializerPath', 'cache'); 454 $config->set('HTML.TargetBlank', true); 455 $config->set('HTML.SafeIframe', true); 456 $config->set('URI.SafeIframeRegexp', '%^(https?:)?//(www\.youtube(?:-nocookie)?\.com/embed/|player\.vimeo\.com/video/)%'); //allow YouTube and Vimeo 457 $purifier = new HTMLPurifier($config); 458 } 459 return $purifier->purify($input); 460 }

Thank you,
Tarcisio Pereira