Hi all,
I have a Text field that needs to be filled with XML data. Every time I press "save", the XML data is getting filtered.
Is there a way to disable this filtering for a single field?
Thanks
Try using the commands base64_encode before saving and base64_decode after retrieving the data.
Or have a look at a function called clean_incoming_data in include/utils.php.
It applies the function secure_xss (with array_map) to each field in $_REQUEST, $_POST and $_GET, for every web request.
It’s completely the wrong way of doing security, and it is in my opinion, the biggest technical debt item in SuiteCRM (and there is a lot of competition for that title). I’d say there are at least 50 or 100 issues on Github caused by this alone.
Yes, the option using encode / decode will not work. The clean_incoming_data function runs before that.
Thanks for your comments.
The data is calculated/created by a save hook. For the past years I've kept editing HtmlSanitizer.php to directly return the $dirtyhtml without any modification. This patch is neither secure nor upgrade-safe.
The value can also be returned via an API call to a webform.
Thanks,
I’ve used this approach in the past:
In file custom/modules/EmailTemplates/EmailTemplate.php:
<?php
if (!defined('sugarEntry') || !sugarEntry) {
    die('Not A Valid Entry Point');
}
require_once 'modules/EmailTemplates/EmailTemplate.php';

class CustomEmailTemplate extends EmailTemplate
{
    public function cleanBean()
    {
        // Let the normal sanitisation run over every field first.
        parent::cleanBean();

        // Then put back the unsanitised request value for this one field.
        // $GLOBALS['RAW_REQUEST'] is the pre-filter copy of the request that
        // clean_incoming_data keeps. Note: body_html is stored unfiltered.
        if (isset($GLOBALS['RAW_REQUEST']['body_html'])) {
            $this->body_html = $GLOBALS['RAW_REQUEST']['body_html'];
        }
    }
}
By overriding the function cleanBean (which calls cleanHtml) you can sometimes circumvent the entire scheme. In this case, I do it just for a single field. I actually let the clean up occur, but then revert to the original value…
You can adapt that to other modules.
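The two points made in this thread, that a request-wide filter mangles every field it touches and that a per-field restore of the raw value puts unfiltered input into the database, can be seen side by side in the following stand-alone PHP script. This is an added example, not SuiteCRM code: blanketFilter is a stand-in using strip_tags (SuiteCRM's real secure_xss is not reproduced), and cleanRequest, isSafeWellFormedXml, restoreXmlField and renderForHtml are hypothetical names. It shows the narrower alternative to the override above: accept the raw value for one named field only if it parses as well-formed XML with no DTD (no external entities, no network access, no entity expansion), and escape it at output time rather than trusting it.

```php
<?php
// Added example, not SuiteCRM code. Names and the sample request are constructed.
declare(strict_types=1);

// Stand-in for a request-wide XSS filter. Any sanitizer that rewrites or
// strips tags will destroy the structure of an XML field.
function blanketFilter(string $value): string
{
    return strip_tags($value);
}

// Apply the stand-in filter to every request field, the way a request-level
// cleaner does, keeping a copy of the raw input first.
function cleanRequest(array $request): array
{
    $raw = $request;
    $clean = array_map('blanketFilter', $request);
    return [$raw, $clean];
}

// True only if $xml is a well-formed document carrying no DTD.
// LIBXML_NONET blocks network fetches; LIBXML_NOENT is deliberately not set,
// so entity references are never substituted.
function isSafeWellFormedXml(string $xml): bool
{
    $prev = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        return false;
    }
    // Reject any DOCTYPE so <!ENTITY> declarations (XXE, entity expansion)
    // cannot reach the stored value.
    return $doc->doctype === null;
}

// Per-field restore: use the raw value for one named field only if it is
// safe XML; otherwise keep the filtered value.
function restoreXmlField(array $raw, array $clean, string $field): string
{
    $candidate = $raw[$field] ?? '';
    if (isSafeWellFormedXml($candidate)) {
        return $candidate;
    }
    return $clean[$field] ?? '';
}

// Output encoding: the stored XML is rendered in HTML as text, never raw.
function renderForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample request: an ordinary text field with a script tag, a
// legitimate XML field, and a field that smuggles an external entity.
$request = [
    'name'        => 'Alice <script>alert(1)</script>',
    'payload_xml' => '<order id="42"><item sku="ABC">1</item></order>',
    'evil_xml'    => '<!DOCTYPE x [<!ENTITY e SYSTEM "file:///etc/passwd">]><x>&e;</x>',
];

[$raw, $clean] = cleanRequest($request);

// The blanket filter removes the script tag from 'name', but it also
// reduces 'payload_xml' to its text content, which is the problem in this thread.
var_dump($clean['name']);
var_dump($clean['payload_xml']);

// The scoped restore keeps the well-formed XML intact ...
var_dump(restoreXmlField($raw, $clean, 'payload_xml'));
// ... and refuses the DTD-bearing input, keeping the filtered version instead.
var_dump(restoreXmlField($raw, $clean, 'evil_xml'));

// Where the stored XML is shown in a page, escape it at that point.
echo renderForHtml(restoreXmlField($raw, $clean, 'payload_xml')), PHP_EOL;
```

Run it with `php example.php` (needs the dom extension, which is enabled by default). The design choice is that the exemption is scoped to one field and gated on a parse check, so a field that is supposed to hold XML can never hold arbitrary HTML, which the cleanBean override above cannot guarantee.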