Author Topic: There is a validation error with your html input. (Read 8127 times)

Donald Lobo · September 01, 2010, 05:55:45 am

can u please double check

msg_text should be an exception, i.e. not counted in total impact. but still seems to appear

lobo

dschafer · September 01, 2010, 09:27:50 am

This is seems to be related to edit only certain system messages.

The way IDS is written there are certain entire paths that are automatically skipped.

Code: [Select]

      static $skip = array( 'civicrm/ajax', 'civicrm/admin/setting/updateConfigBackend', 'civicrm/admin/messageTemplates' );

one of those is 'civicrm/admin/messageTemplates'

When a system message template is edited the path is 'civicrm/admin/messageTemplates/add'
For most templates when a template is saved the target path is 'civicrm/admin/messageTemplates' (ie. pledge acknowlegement message)

This causes all IDS processing to be skipped for the template.

However when you edit the offline reciept message. The target path on save is:
'civicrm/admin/messageTemplates/add'

As a result the message is not skipped and the subsequent filters do nothing (msg_text which appears to be the offending field) in not excepted from the check.

Since the path check uses, in_array I assume it is and exact match. As a work around I will try adding 'civicrm/admin/messageTemplates/add' as a bypass.

However this does not explain the root issue of different templates having different target paths.

dschafer · September 01, 2010, 09:34:00 am

Updating the skip list appears to be a successful work around.

I've attached the updated IDS.php file.

Dave Greenberg · September 02, 2010, 12:44:15 pm

FYI - this fix (adding msg_text to the exceptions list in IDS.php) was committed and part of 3.2.2.

dschafer · September 03, 2010, 06:23:46 am

Dave.
My workaround wasn't in the expection list. Actually, I don't think the exception list is working at all.

The problem is that for some messages the inbound path is different 'civicrm/admin/messageTemplates/add' vs. 'civicrm/admin/messageTemplates'

The skip list at the begining of the function by passes IDS for all system message templates (if the inbound path is 'civicrm/admin/messageTemplates' )

What I found is that for certian messages the inbound path is 'civicrm/admin/messageTemplates/add' which caused them to pass through the normal IDS processing. In this case the exception list did not appear to work.

My work around just masks the problem. I believe there is still an issue.

We just upgraded a client to 3.2.2 I'll check it out there.

Donald Lobo · September 03, 2010, 09:03:18 am

hmm

pretty sure the exception stuff is working

if i had to guess, your Config.IDS.ini did not regenerate and it was using an old cached version.

lobo

jday · September 03, 2010, 01:52:05 pm

does the 3.2.2 update also fix the issue Joemaine talked about in post #9? besides the validation error when trying to add our logo to the message templates, I'm also getting the problems with the event info block killing my theme in IE, all other browsers display the event info fine but in IE the left side bar drops below the event content.

Donald Lobo · September 03, 2010, 08:58:51 pm

not sure since most of us dont have or use IE. You should download and check if it is fixed. If not, please consider investigating and submitting a patch

thanx

lobo

jday · September 06, 2010, 08:07:55 pm

follow up

I've updated to 3.2.2 and that did fix the validation error when adding my logo to the event receipt email template. And partially fixed the event info display problem on IE, now the event info does not destroy the sidebar and main content area layout but now spits this error at the bottom:

Sorry. A non-recoverable error has occurred.
The page you requested is currently unavailable.

CiviTeacher.com · September 07, 2010, 03:50:29 pm

I was getting this error, and I don't use any WYSIWYG. After an upgrade to 3.2.2 from 3.2.1, I deleted ConfigIDS.ini and let CiviCRM rebuild it. Then the error went away. Just FYI.

joemaine · October 15, 2010, 08:08:42 pm

Just updated to 3.2.3 and the CiviCRM/CKEditor problems sending the nav bar to the bottom of the page (in IE) is still an issue. At least before I could change to textarea and resolve the issue, now I can't seem to fix the bad HTML code that gets generated from the CKEditor version that Civi is using. 75% of my site visitors use IE, so this is a significant issue for my traffic.

CkEditor in CiviCRM somehow strips out the closing ">" from any code entered in the content.

Rahul Bile · October 16, 2010, 10:43:00 am

joemaine ,

Quote

CkEditor in CiviCRM somehow strips out the closing ">" from any code entered in the content

hey joemaine, can just apply the below patch , should solve your above problem.

Code: [Select]

Index: branches/v3.2/packages/HTML/QuickForm.php
===================================================================
diff -u -N -r29285 -r29759
--- branches/v3.2/packages/HTML/QuickForm.php	(.../QuickForm.php)	(revision 29285)
+++ branches/v3.2/packages/HTML/QuickForm.php	(.../QuickForm.php)	(revision 29759)
@@ -1989,7 +1989,7 @@
                 
                 // hack to fix extra <br /> injected by CKEDITOR, we should remove this code
                 // once the bug is fixed and is part of release https://dev.fckeditor.net/ticket/5293
-                if ( is_a( $this->_elements[$key], 'HTML_QuickForm_CKeditor' ) ) {
+                if ( is_a( $this->_elements[$key], 'HTML_QuickForm_CKeditor' ) && $value[$fldName] == '<br />' ) {
                     $value[$fldName] = rtrim( CRM_Utils_Array::value( $fldName, $value ), '<br />');
                 }

or

https://fisheye2.atlassian.com/viewrep/CiviCRM/branches/v3.2/packages/HTML/QuickForm.php?r1=29285&r2=29759

Hth

Regards,
Rahul.

joemaine · October 16, 2010, 03:40:56 pm

Wonderful! It works; thank you SO much!

Interpolat · September 28, 2012, 11:11:58 am

Ok, it is two years since this issue was discussed here at least. I am using CiviCRM 4.2.2 on Wordpress 3.4.2. I have created a custom "Note" field which when I set to use RichTextEditor, I get the following error if I do any HTML formating in the field:

Quote

{"IP":"xxx.xxx.x.xxx","error_code":"IDS_KICK","level":"security","referer":"http:\/\/www.mysite.org\/wp-admin\/admin.php?page=CiviCRM&q=civicrm\/contact\/view\/cd\/edit&tableId=637&cid=637&groupID=8&action=update&reset=1","reason":"XSS suspected","is_error":1,"error_message":"There is a validation error with your HTML input. Your activity is a bit suspicious, hence aborting"}

However, when I set this to "TextArea" everything works fine. I have another Note field on the same form, also using RichTextEditor, yet that field does not throw an error.
ps: I first noticed this using CiviCRM 4.2.1 and thought it would resolve with the next update, but I have now updated to 4.2.2 and issue persists.

Interpolat · October 01, 2012, 08:26:35 am

Should I just push this to issue-tracker?

CiviCRM Community Forums (archive)

News:

Author Topic: There is a validation error with your html input. (Read 8127 times)

Donald Lobo

Re: There is a validation error with your html input.

dschafer

Re: There is a validation error with your html input.

dschafer

Re: There is a validation error with your html input.

Dave Greenberg

Re: There is a validation error with your html input.

dschafer

Re: There is a validation error with your html input.

Donald Lobo

Re: There is a validation error with your html input.

jday

Re: There is a validation error with your html input.

Donald Lobo

Re: There is a validation error with your html input.

jday

Re: There is a validation error with your html input.

CiviTeacher.com

Re: There is a validation error with your html input.

joemaine

Re: There is a validation error with your html input.

Rahul Bile

Re: There is a validation error with your html input.

joemaine

Re: There is a validation error with your html input.

Interpolat

Re: There is a validation error with your html input.

Interpolat

Re: There is a validation error with your html input.