Links and strip_unsafe_html

primozs · December 19, 2016, 11:23am

Dear,

I would like to get href link working in an article abstract, but it doesn’t work. As far as I understand the cause for that is the “strip_unsafe_html” that is used in the statement:

    <div>{$article->getLocalizedAbstract()|strip_unsafe_html|nl2br}</div>

If I remove it, the link works. Can you please explain to me what is the purpose of the “strip_unsafe_html”?

Further on I have read the PKP forum and verified the PHP “allowed_html” variable:

in the config.php.ini and in php.ini it is set and includes href
but if I verify variables in OJS using System information" and “Extended PHP Information” that variable is not listed there.

Regards, Primož

ctgraham · December 19, 2016, 1:58pm

The Smarty modifier strip_unsafe_html calls String::stripUnsafeHtml, which uses HTMLPurifier according to the ‘allowed_html’ rules in config.inc.php. The configuration set in config.inc.php won’t show up in the “Extended PHP Information”. The config.inc.php configuration is the application configuration, and “Extended PHP Information” is phpinfo(), the PHP configuration.

What exactly is your “alllowed_html” line, and what version of OJS are you using?

primozs · December 19, 2016, 4:08pm

Hi @ctgraham,

thank you for really quick answer. Currently I am using OJS 2.4.4.-1 on Windows, but I have noticed same behavior on some other versions as well.

The allowed_html is like <a href|target> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <img src|alt> 

Any idea how to solve this?

Regards, Primož

ctgraham · December 19, 2016, 4:15pm

That seems like it ought to work. The allowed_html line in config.inc.php is not “commented out” with a semicolon in front of it, correct?

What does your link look like as it is stored in the database? (See database table article_settings.setting_value for the setting_name of “abstract”.)

What does your link look like when it is presented in HTML? (The browser’s HTML inspector will help here.)

primozs · December 19, 2016, 4:40pm

Hi @ctgraham,

The allowed_html is not commented out.

The link in the DB looks like:
'2', 'sl_SI', 'abstract', '<a href=\"http://www.google.com\">Povzetek</a>', 'string'

The HTML code of the link (using HTML editor in OJS) looks like:
<a href="http://www.google.com">Povzetek</a>

As far as I understand everything looks OK

Any idea?

Regards, Primož

ctgraham · December 19, 2016, 5:01pm

What is the HTML result in the final display? That is, what part is stripped?

primozs · December 20, 2016, 12:05pm

Hi @ctgraham,

I am really confused now: It works!

What I did was cleaning the cache and restarting the Apache server, after that the HTML code continued the link and it works. Verified several time.

Sorry for this and thank you very much for help.

Regards, Primož