Important

You are browsing the documentation for version 4.1 of OroCommerce, OroCRM and OroPlatform, which is no longer maintained. Read version 5.1 (the latest LTS version) of the Oro documentation to get up-to-date information.

See our Release Process documentation for more information on the currently supported and upcoming releases.

WYSIWYG Field Validation

OroPlatform uses HTML Purifier (a standards-compliant HTML filter library) to prevent XSS attacks. By default HTML Purifier is configured extremely strictly - only the allowed elements and attributes are permitted in WYSIWYG fields. This ensures that the content displayed on UI is always safe and secure, and the no users can embed unsecure markup in WYSIWYG fields. However, sometimes it may be necessary to allow some potentially insecure elements or attributes, for example, iframes - to embed videos or other media content from 3-rd party websites, Bootstrap framework elements or attributes - to utilize Bootstrap’s capabilities, etc. If your organization security policy allows some or all users to edit and publish such potentially unsecure content, you may extend the default HTML Purifier configuration for WYSIWYG fields.

Note

This configuration affects only the WYSIWYG field type. The OroRichTextType (with TinyMCE editor) fields always use the strict purifier rules.

HTML Purifier Modes

Out of the box, there are two HTML Purifier modes available:

``default`` - it has only secure elements and attributes and is used in common cases; ``lax`` - this mode extends default mode and includes additional allowed HTML elements and attributes.

Content Restrictions Modes

Which of the HTML Purifier modes is applied to WYSIWYG fields depends on the content_restrictions mode configuration.

There are three modes with different secure levels:

secure - on the secure level, there is no way to insert any potentially insecure content via UI by any users

selective - on the less secure level, some roles can insert the potentially insecure content via UI into specific fields of specific entities (even if a user has the edit permissions for the certain entity field, they should not be able to insert insecure content unless they also have one of the roles that are configured to allow this, and the specified entity field is in the list of the allowed entity fields).

unsecure - on this level, any content can be inserted via UI by any user with the edit permissions on the WYSIWYG field.

Out-of-the-box, this option is set to strict.

Validation

Validator for WYSIWYG fields validates the content based on the content restrictions mode configuration by comparing the submitted content (before purification) to the content after purification. If submitted and purified versions do not match, a validation error will appear and the user will not be allowed to save the data.

Customization

Creating Custom HTML Purifier Modes

You can create your own HTML Purifier mode using the inheritance hierarchy:

 1oro_form:
 2    html_purifier_modes:
 3        additional:
 4            extends: default
 5            allowed_html_elements:
 6                div: ~
 7                iframe:
 8                    attributes:
 9                        - src
10            allowed_iframe_domains:
11                - 'maps.google.com'
12
13        extra:
14            extends: additional
15            allowed_html_elements:
16                img:
17                    hasClosingTag: false
18            allowed_iframe_domains:
19                - 'example.com'

The extends key allows to reuse the existing config from the extended scope that will be merged with your configuration.

Creating Custom Content Restrictions

The addScopeMapping method of the oro_cms.provider.html_purifier_scope_provider service provides the possibility to connect the HTML Purifier mode with content restrictions modes. The oro_cms.provider.html_purifier_scope_provide class enables to get an appropriate scope based on the entity and entity field names taking into account current user roles. To connect your custom HTML Purifier mode with the content restrictions mode, you should configure the container to call addScopeMapping.

1services:
2    acme_wysiwyg_validation.provider.html_purifier_scope_provider:
3        decorates: oro_cms.provider.html_purifier_scope_provider
4        parent: oro_cms.provider.html_purifier_scope_provider
5        calls:
6            - [addScopeMapping, ['content_restrictions_additional', 'additional']]
7            - [addScopeMapping, ['content_restrictions_extra', 'extra']]

To be able to use the content_restrictions_additional and content_restrictions_extra modes in configuration, you should add this mode to the oro_cms extension.

 1<?php
 2
 3namespace ACME\Bundle\WysiwygValidationBundle;
 4
 5use Oro\Bundle\CMSBundle\DependencyInjection\OroCMSExtension;
 6use Symfony\Component\DependencyInjection\ContainerBuilder;
 7use Symfony\Component\HttpKernel\Bundle\Bundle;
 8
 9/**
10 * The WysiwygValidationBundle bundle class.
11 */
12class ACMEWysiwygValidationBundle extends Bundle
13{
14    /**
15     * {@inheritDoc}
16     */
17    public function build(ContainerBuilder $container)
18    {
19        /** @var OroCMSExtension $extension */
20        $extension = $container->getExtension('oro_cms');
21        $extension->addContentRestrictionMode('content_restrictions_additional');
22        $extension->addContentRestrictionMode('content_restrictions_extra');
23    }
24}

After this, you can use the content_restrictions_additional or content_restrictions_extra mode in the content restrictions configuration.

1oro_cms:
2    content_restrictions:
3        mode: content_restrictions_extra
4        lax_restrictions:
5            ROLE_ADMINISTRATOR:
6                Oro\Bundle\CMSBundle\Entity\Page: ['content']

The lax_restrictions key in configuration is used to limit the usage of the HTML Purifier mode. It specifies the user role, entity, and entity field to which your HTML Purifier mode will be applied. For example, the above mentioned user with the ROLE_ADMINISTRATOR role can use example.com for iframe domain when editing the Landing Page content field. At the same time, this user is not allowed to use this iframe domain in other WYSIWYG fields.