solved CSS Being Stripped

Ceri
@adolygwr
9 years ago
370 posts
Below are comparative screenshots of a blog I posted (cut and pasted from my Ning site) yesterday. The bulk of the styling cannot be seen by a non-logged-in viewer. I have tested this on two other machines in the house and on various browsers just to be sure. I still have the issue of blog posts appearing completely differently to logged-in users and casual browsers. The first screenshot below is a view of the post as it should appear and DOES if you view it as a logged-in user. I have tested this with 2 admin accounts and the user account which owns the blog. I have also tested this with a logged-in user who is NOT an admin OR the post owner. That user was able to see the styling ok.

In the second screenshot you can see how the post appears to a non-logged-in viewer (here anyway). It is minus radius and hr styling and the CSS nav bubbles are totally absent.




--
Ceri Shaw - AmeriCymru

updated by @adolygwr: 03/23/16 07:41:12AM
brian
@brian
9 years ago
10,148 posts
It doesn't make sense that it would appear different to a logged in user versus a logged out user - I have no idea why you would see that.

As for the HTML, if you're cutting and pasting from another site INTO Jamroom, then it could be that there are attributes on the HTML tags that Jamroom is not set up to "allow" (some for security reasons).

Your screenshots also did not come through correctly - can you try posting them again? If you can, also attach a ZIP file of the actual HTML you are pasting into the editor's "HTML" window so I can test it here and see if there are attributes being removed that can be allowed.

Hope this helps!


--
Brian Johnson
Founder and Lead Developer - Jamroom
https://www.jamroom.net
Ceri
@adolygwr
9 years ago
370 posts
Hi Brian... here are the screenshots and code for the above page. Here is the URL:

http://americymrunet.jamroomhosting.com/americymru/blog/4193/glyndwrs-dream-by-john-good-part-1
loggedin.jpg  •  142KB
loggedout.jpg  •  140KB
post.txt  •  17KB




--
Ceri Shaw - AmeriCymru

updated by @adolygwr: 12/04/15 10:40:34AM
brian
@brian
9 years ago
10,148 posts
Perfect - thank you. I'm checking this out and will see what's up.


--
Brian Johnson
Founder and Lead Developer - Jamroom
https://www.jamroom.net
brian
@brian
9 years ago
10,148 posts
I'm not seeing any issue with this here - logged in or out, it is the same. I do see however that the "align" parameter is not being allowed on some of the elements (p, div, tr) and I have that fixed for 5.3.0b8.

One followup question - are you posting these blog entries as an admin/master user or as a regular user account? And you've checked that you're allowing "div" in your Allowed HTML tags for the quota?

Thanks!


--
Brian Johnson
Founder and Lead Developer - Jamroom
https://www.jamroom.net
derrickhand300
@derrickhand300
9 years ago
1,353 posts
Is there some sort of container (not sure that's the correct term) where you have that code posted and maybe the settings for that particular spot are overriding your editor code?
Like if it's in an area controlled by blog quotas there may be an if statement that says only show this "particular area" to logged in users...
Just thinking out loud while I read your post - it's not really advice, just some different lines to think along

Ok, I'm starting to sober up so I'm outta here :)
updated by @derrickhand300: 12/06/15 12:35:15AM
Ceri
@adolygwr
9 years ago
370 posts
brian:
I'm not seeing any issue with this here - logged in or out, it is the same. I do see however that the "align" parameter is not being allowed on some of the elements (p, div, tr) and I have that fixed for 5.3.0b8.

One followup question - are you posting these blog entries as an admin/master user or as a regular user account? And you've checked that you're allowing "div" in your Allowed HTML tags for the quota?

Thanks!

Hi Brian

Some of the posts have been copied using my master/administrator account and others using a regular account. I enclose screenshots of everything I have in my Allowed HTML Tags field.

I was wondering... did you add permission for hr styling to today's core update? I ask because formerly my posts were displaying without hr styling for logged out viewers. Now they are displaying with no horizontal rules at all. I have no idea why that would be the case but thought it might provide some sort of clue? (see comparison shots below)

I was away over the weekend and tested the site on a friend's computer with the same result vis a vis missing styling when logged out.


--
Ceri Shaw - AmeriCymru

updated by @adolygwr: 12/08/15 05:27:46PM
Ceri
@adolygwr
9 years ago
370 posts
derrickhand300:
Is there some sort of container (not sure that's the correct term) where you have that code posted and maybe the settings for that particular spot are overriding your editor code?
Hi Derrick

None that I'm aware of... still scratching my head! :(


--
Ceri Shaw - AmeriCymru
michael
@michael
9 years ago
7,715 posts
I see it differently logged in vs logged out.

Looking for why now, thanks.

--edit--
I can see WHAT is happening: all the non-pure CSS stuff is getting removed.

So:
background: -webkit-linear-gradient(top, #FFFFFF, #E0E0E0);
is getting removed. That CSS only targets certain browsers.

Not sure about WHY yet.
updated by @michael: 12/09/15 01:14:11AM
brian
@brian
9 years ago
10,148 posts
I've just done a full investigation of this over the last day, and there's no workaround for allowing some of this CSS that HTML Purifier considers potentially "malicious". Basically any CSS property (in this case background gradients and borders) that can have an "opacity" value, can be used to "hide" the HTML element in some way (which is why it is considered malicious), or has the ability to break the HTML of the site (by rendering portions visible or not visible).

I've tried building custom rules for this, but have not been able to come up with something that works correctly.

So in this case what you need to do is:

- create a quota for your "trusted" users and put your own profile in that quota
- in the Core -> Quota Config check the "allow ALL HTML tags" option for the new quota

This will allow all the HTML with the style to be saved correctly.

We do still have the issue of visitors not seeing the same thing which is still being investigated, but at least this will get all your HTML into the blog.


--
Brian Johnson
Founder and Lead Developer - Jamroom
https://www.jamroom.net

updated by @brian: 12/09/15 06:26:53AM
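
Added example (not part of the thread, and not Jamroom or HTML Purifier code): one way to see exactly what a sanitizer removed is to diff the markup pasted into the editor against the markup the page actually serves. The two sample strings are constructed to mirror the symptoms reported above; `stripped`, `parse_style`, `tags`, `TagCollector`, `SUBMITTED` and `RENDERED` are names made up for this example.

```python
import difflib
from html.parser import HTMLParser

def parse_style(style):
    """Split a style attribute into (property, value) pairs; ';' inside (...) does not split."""
    decls, buf, depth = [], "", 0
    for ch in style + ";":
        depth = max(0, depth + (ch == "(") - (ch == ")"))
        if ch == ";" and depth == 0:
            prop, sep, val = buf.partition(":")
            if sep and prop.strip():  # values are case-folded for comparison only
                decls.append((prop.strip().lower(), " ".join(val.split()).lower()))
            buf = ""
        else:
            buf += ch
    return decls

class TagCollector(HTMLParser):
    """Record (tag, attributes) for every start tag, in document order."""
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        self.found.append((tag, {k: v or "" for k, v in attrs}))

def tags(html):
    parser = TagCollector()
    parser.feed(html)
    return parser.found

def stripped(submitted, rendered):
    """List elements, attributes and style declarations present in submitted but not rendered."""
    a, b = tags(submitted), tags(rendered)
    sm = difflib.SequenceMatcher(None, [t for t, _ in a], [t for t, _ in b], autojunk=False)
    lost = []
    for op, i1, i2, j1, j2 in sm.get_opcodes():
        if op == "equal":  # same tags on both sides: compare attributes and declarations
            for (tag, old), (_, new) in zip(a[i1:i2], b[j1:j2]):
                lost += [("attribute", tag, n) for n in old if n != "style" and n not in new]
                kept = parse_style(new.get("style", ""))
                lost += [("declaration", tag, f"{p}: {v}")
                         for p, v in parse_style(old.get("style", "")) if (p, v) not in kept]
        elif op in ("delete", "replace"):  # element absent from the rendered page
            lost += [("element", tag, "") for tag, _ in a[i1:i2]]
    return lost

# Constructed sample mirroring the symptoms reported in the thread.
SUBMITTED = ('<div align="center" style="border-radius: 8px; padding: 10px; background: '
             '-webkit-linear-gradient(top, #FFFFFF, #E0E0E0)"><p>Part 1</p><hr><p>text</p></div>')
RENDERED = '<div style="padding:10px;"><p>Part 1</p><p>text</p></div>'
```

Calling `stripped(SUBMITTED, RENDERED)` reports the `align` attribute, the two dropped declarations and the missing `hr`. Run it on the editor source and on the page source fetched while logged out to get the same report for a real post.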
brian
@brian
9 years ago
10,148 posts
I've got the issue where it looks different to logged out users fixed for 5.3.0b9.

Thanks!


--
Brian Johnson
Founder and Lead Developer - Jamroom
https://www.jamroom.net
Ceri
@adolygwr
9 years ago
370 posts
Great news!!! :) Any idea when 5.3.0b9 will be released??


--
Ceri Shaw - AmeriCymru
brian
@brian
9 years ago
10,148 posts
Ceri:
Great news!!! :) Any idea when 5.3.0b9 will be released??

Very soon - next couple days.


--
Brian Johnson
Founder and Lead Developer - Jamroom
https://www.jamroom.net