portalLib.sanitizeHtml() removes macros added in HtmlArea

Enonic version: 7.8.3


Hi!

When I try to use portalLib.sanitizeHtml() to sanitize input from an HtmlArea which I have already processed with portalLib.processHtml(), it removes the macros in use.
So, if I want to sanitize an editor's input from an HtmlArea, they will not be able to use macros (for example from your app Social Macros) as they are removed.

Can this be fixed, so we can use both sanitizeHtml and macros?

Regards,
Vigdis

sanitizeHtml is used to make some untrusted HTML safer. It allows only very basic tags and no scripts or iframes. A handy function to sanitize user input (blog post comments, for instance) before it is stored.

processHtml is a function that generates trusted HTML from HtmlArea. Since it is trusted, sanitizeHtml should not be applied to it.

How can you say that HTML from HtmlArea is trusted?
We don’t know if we can trust editors and users, and user defined HTML shouldn’t be trusted.

Is it possible to modify sanitizeHtml to work on content from HtmlArea after it has been processed by processHtml?

Example of an input from an HtmlArea with some text and a Youtube video (by using the Social Macros app):

<p>HtmlArea with&nbsp;<strong>bold</strong>,&nbsp;<em>italic</em>, and&nbsp;<u>underline</u>!</p>

<p>And a&nbsp;youtube video:</p>

<p>[youtube title="Enonic video" url="https://www.youtube.com/watch?v=clH9eIoMcJ8"/]</p>

<p>&nbsp;</p>

If I use processHtml on this I get

<p>HtmlArea with&nbsp;<strong>bold</strong>,&nbsp;<em>italic</em>, and&nbsp;<u>underline</u>!</p>

<p>And a&nbsp;youtube video:</p>

<p><!--#MACRO _name="youtube" title="Enonic video" url="https://www.youtube.com/watch?v=clH9eIoMcJ8" _document="__macroDocument1" _body=""--></p>

<p>&nbsp;</p>

If I then use sanitizeHtml on this, the macro is removed, and I am left with

<p>HtmlArea with&nbsp;<strong>bold</strong>,&nbsp;<em>italic</em>, and&nbsp;<u>underline</u>!</p>

<p>And a&nbsp;youtube video:</p>

<p></p>

<p>&nbsp;</p>

Could it be possible to not remove the <!--#MACRO _name="youtube" title="Enonic video" url="https://www.youtube.com/watch?v=clH9eIoMcJ8" _document="__macroDocument1" _body=""--> with sanitizeHtml so this can be used in Enonic to actually allow the macro to be shown? :slight_smile:

If you don’t trust content editors you can’t safely allow macros either. Comment instructions could be manually injected with unwanted site effects. We plan to improve security of HtmlArea in the near future: Sanitize HtmlArea on save. Server side · Issue #9294 · enonic/xp · GitHub

You may, of course, write your own customSanitizeHtml with your own rules.
Note, however, that the MACRO instruction comment is an implementation detail of XP - it is not documented.