Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

General Questions /

General questions about getting started with SilverStripe that don't fit in any of the categories above.

Moderators: martimiz, Sean, biapar, Willr, Ingo, swaiba, simon_w

Editor strips out Javascript tags


Go to End
Reply


23 Posts   5795 Views

Avatar
Romeo

Community Member, 67 Posts

9 December 2009 at 4:30am

I want to import an existing HTML table into one of the pages on my site, using the HTML option in the editor, but a vital Javascript tag in one of the columns is stripped out:

<script language="JavaScript" type="text/javascript">
protectmail("treasurer", "myorg.uk", "Email Treasurer", "Treasurer Enquiry");
</script>

How can I configure things so that SS/TinyMCE doesn't strip out my tags, and in fact treats me as an adult and allows me to paste in what I want?

Avatar
Romeo

Community Member, 67 Posts

10 December 2009 at 7:17am

I got this solved in the end by changing the settings in LeftAndMain.php to this:

'valid_elements' => "*

  • ",
    'extended_valid_elements' => "*
  • "

    Maybe this is overkill (I suspect that it's only the extended_valid_elements which really needs to be opened up like this), but at least I can now paste the HTML in without all the tags being stripped out.

    I still can't actually see the content of the tags in the editor but at least they're now present when I view with the HTML button.

Avatar
servalman

Community Member, 211 Posts

10 December 2009 at 7:57am

Hi

I'm very interested because I have tried this to add a paypalform but it is not working

It strips select and option tag

Do you have nay clue

Thanks

Here is the form :

<form target="paypal" action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_s-xclick">
<input type="hidden" name="hosted_button_id" value="10216291">
<table>
<tr><td><input type="hidden" name="on0" value="PAYS">PAYS</td></tr><tr><td><select name="os0">
   <option value="France métropolitaine">France métropolitaine €6,00</option>
   <option value="Dom-Tom et Étranger">Dom-Tom et Étranger €8,00</option>
</select> </td></tr>
</table>
<input type="hidden" name="currency_code" value="EUR">
<input type="image" src="https://www.paypal.com/fr_FR/FR/i/btn/btn_cart_LG.gif" border="0" name="submit" alt="PayPal - la solution de paiement en ligne la plus simple et la plus sécurisée !">
<img alt="" border="0" src="https://www.paypal.com/fr_FR/i/scr/pixel.gif" width="1" height="1">
</form>

Avatar
Hamish

Community Member, 712 Posts

10 December 2009 at 8:27am

Rather than allowed entry of javascript from the CMS (which is a bit of a security/XSS nightmare), why not code it into the template or page class? This is the 'best-practise' safe and stable method.

Avatar
Romeo

Community Member, 67 Posts

10 December 2009 at 8:28am

Rather ironically, the forum seems to have stripped out some of my code in the solution I mentioned. Here it is again, formatted (I hope) so it remains intact:

'valid_elements' => "*

  • ",
    'extended_valid_elements' => "*
  • "

Let's hope that survives!

Avatar
Romeo

Community Member, 67 Posts

10 December 2009 at 8:32am

Well, bizarrely, that didn't survive either. What it should be in each case is:

open double quote, asterisk, open square bracket, asterisk, close square bracket, close double quote

It would be good if the forum didn't mess with stuff you enclose within a code block.

Avatar
Willr

Forum Moderator, 5513 Posts

10 December 2009 at 12:06pm

Romeo - might be easier if you post the code to something like pastie.org then copy a link to that snippet here :D

Avatar
Romeo

Community Member, 67 Posts

14 December 2009 at 11:16pm

It seems that this solution, which was working in 2.3.3, no longer works in 2.3.4. The 'valid_elements' and 'extended_valid_elements' are no longer set in LeftAndMain.php but in cms/_config.php, via HtmlEditorConfig::get('cms')->setOptions. But now using the wildcard approach to allow all tags, as mentioned above, doesn't work - the content of the Javascript tags is still being stripped. I presume something else now needs to be done instead (or as well). Any suggestions?

As to the security risk of allowing Javascript, which Hamish cautioned about, surely it depends on who is going to be doing the editing. If one is not opening up the CMS editing capabilities to the general public but to a trusted group of 3 or 4 known content editors, one should be able to allow such things. This is causing me quite a lot of problems at the moment. I'm converting over a simple site I did prior to working with Silverstripe, and one page which features embedded Javascript tags for an availability calendar script has taken me much longer so far than the whole of the rest of the site.

Go to Top