List of TinyMCE defects in Plone 5.2 / call for fixing issues and participation

upgrade steps are here

HTMLFilter PRs and upgrade steps are merged ... should be fixed in 5.1.7/5.2.2 ! @mauritsvanrees when are the next releases planned?

@petschki as announced by Maurits in the topic Policy: Plone supported versions, he is unavailable until (early?) June. Releases will have to wait if he has to make them.

I had a discussion with a Plone webmaster who manages sites where editors tend to 'overdo' their raw html editing skills.

Enabling the style attribute in Plone 5.X opens a can of worms compared to Plone 4. The HTML filter in Plone 4 has an extra tab 'style' in the control panel where the values of the styles attribute can be limited.

That filter-tab is no longer present in Plone 5. iirc the html filter module was rewritten in Plone 5 to use lxml natively. Apparently this was never ported/re-implemented.

I'm all for fixing the styling issues with TinyMCE, but I'm not sure if re-activating the styles attribute by default without the possibility to filter on attribute values in a Plone point release (5.2.2) is wise.

Good point.
My guess is that there are more people who benefit from having a TinyMCE with more functioning buttons, than there are people who are annoyed by not having all styles removed.
Workaround for the second group, is to remove style from the custom attributes in those sites after upgrading.

If we would want to re-add the whitelist of permitted style properties, here are some notes:

  • The Plone safe html filter calls the Cleaner class from lxml.
  • This Cleaner already removes the most dangerous styling, from a security point of view.
  • After returning from the Cleaner call, we could do something similar to what the Cleaner does with inline styles: find the styled elements, get their style attribute, which is just text, and clean it up.
  • Cleaning it up is probably: split by semicolon, split by colon into key/value, throw the key/value away unless the key is in the whitelist, set the changed style on the element.
  • The whitelist would be a new part of the IFilterSchema.

Then again, the SafeHTML transform has this remark in the doc string:

We only want security related filtering here, all the rest has to be done in TinyMCE & co.

The remark is from this commit three years ago
I don't know how we would do such style whitelisting in TinyMCE.
But then: if you disable the code tool from the TinyMCE toolbar, this may be enough.

(Bonus points if you can somehow enable the source code tool only for Site Administrators, or maybe make it read-only.)
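A sketch of the whitelisting step described in the notes above, as an added example that is not Plone's code and not part of the original post. It assumes the lxml Cleaner has already run (so its removal of dangerous CSS is not repeated here), and it stands in for the proposed IFilterSchema whitelist with a constructed `ALLOWED_STYLE_PROPERTIES` set. The tree walk uses the stdlib `xml.etree` here so it runs without lxml; lxml elements expose the same `iter()`/`get()`/`set()` API, so the same function works on the tree the Plone filter already holds.

```python
"""Post-Cleaner whitelist for inline ``style`` attributes.

Added illustration, not Plone's own safe_html code. Assumes the lxml
Cleaner already ran on the tree; this only keeps whitelisted CSS
properties, exactly as the notes describe: split on ';', split each
declaration on ':', keep the pair only if the property is whitelisted.
"""
import xml.etree.ElementTree as ET

# Constructed whitelist. In Plone this would become a new field on
# IFilterSchema (assumption); the names here are only a plausible default.
ALLOWED_STYLE_PROPERTIES = frozenset(
    {"text-align", "color", "font-weight", "width", "height"}
)


def filter_style(style_text, allowed=ALLOWED_STYLE_PROPERTIES):
    """Return ``style_text`` with only whitelisted declarations kept.

    Property names are normalised to lower case; declarations without a
    colon, with an empty value, or with a non-whitelisted property are
    dropped. Returns '' when nothing survives.
    """
    kept = []
    for declaration in style_text.split(";"):
        if ":" not in declaration:
            continue  # malformed or empty declaration, drop it
        key, value = declaration.split(":", 1)
        key = key.strip().lower()
        value = value.strip()
        if key in allowed and value:
            kept.append(f"{key}: {value}")
    return "; ".join(kept)


def filter_styles_in_tree(root, allowed=ALLOWED_STYLE_PROPERTIES):
    """Walk every element, rewrite or remove its ``style`` attribute.

    Works on any ElementTree-compatible tree (xml.etree here; lxml's
    elements support the same iter/get/set/attrib calls).
    Returns the number of elements whose style attribute was changed.
    """
    changed = 0
    for element in root.iter():
        style = element.get("style")
        if style is None:
            continue
        cleaned = filter_style(style, allowed)
        if cleaned != style:
            changed += 1
        if cleaned:
            element.set("style", cleaned)
        else:
            del element.attrib["style"]  # nothing allowed left: drop it
    return changed


def clean_fragment(html_fragment, allowed=ALLOWED_STYLE_PROPERTIES):
    """Apply the whitelist to a well-formed (XHTML-style) fragment."""
    root = ET.fromstring(f"<div>{html_fragment}</div>")
    filter_styles_in_tree(root, allowed)
    serialized = ET.tostring(root, encoding="unicode")
    return serialized[len("<div>"):-len("</div>")]


# Constructed sample: editor-supplied markup that survived the Cleaner.
SAMPLE = (
    '<p style="text-align: center; position: fixed; color: red">Hi</p>'
    '<span style="position:absolute">x</span>'
)

if __name__ == "__main__":
    print(clean_fragment(SAMPLE))
    # -> <p style="text-align: center; color: red">Hi</p><span>x</span>
```

Because the whitelist is keyed on property names only, a value such as `position: fixed` is dropped entirely rather than rewritten; anything the Cleaner already stripped from values (for example `expression()` or `url()` payloads) never reaches this step.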

I did some more checking and discovering this week and got some valuable feedback from my webmaster customer/contact. It's straightforward to change the definitions for alignment in TinyMCE.

Tiny even does this in the example they have online in the documentation for custom formats at

{
    "alignleft": {"classes": "text-left", "block": "p"},
    "aligncenter": {"classes": "text-center", "block": "p"},
    "alignright": {"classes": "text-right", "block": "p"}
}

alignleft is a built-in definition to which the TinyMCE formatting menu, buttons etc. refer by name. If you override it like above, Tiny will use the class and not fill the style attribute.

The css-classes used are 1:1 matching bootstrap 3-4 classes for alignment. With the current efforts for Plone 6 to modernize Barceloneta to a new 'bootstrap 4 classes only' theme, this is something that can also be taken into account.

I also checked more on use of the 'style' attribute in general. Apparently before IE 11 the style tag was not only a layout/visual but also security concern in some browsers for extranet/public sites. You could import css and do other nasty stuff. This was before CSP (content security policy) was introduced.

The Cleaner class in lxml still removes these kind of security related css content in the style attribute, also in current Plone 5.2 if I understand correctly from Maurits' checks and previous post.

FYI there are some i18n issues in the TinyMCE link and image plugins:
