SilverStripe Forums » General Questions » Editor strips out Javascript tags
  • Romeo
    Community Member

    Editor strips out Javascript tags

    I want to import an existing HTML table into one of the pages on my site, using the HTML option in the editor, but a vital Javascript tag in one of the columns is stripped out:

    <script language="JavaScript" type="text/javascript">
    protectmail("treasurer", "myorg.uk", "Email Treasurer", "Treasurer Enquiry");
    </script>

    How can I configure things so that SS/TinyMCE doesn't strip out my tags, and in fact treats me as an adult and allows me to paste in what I want?

  • Romeo
    Community Member

    Re: Editor strips out Javascript tags

    I got this solved in the end by changing the settings in LeftAndMain.php to this:

    'valid_elements' => "*

    • ",
      'extended_valid_elements' => "*
    • "

    Maybe this is overkill (I suspect that it's only the extended_valid_elements which really needs to be opened up like this), but at least I can now paste the HTML in without all the tags being stripped out.

    I still can't actually see the content of the tags in the editor but at least they're now present when I view with the HTML button.

  • servalman
    Community Member

    Re: Editor strips out Javascript tags

    Hi

    I'm very interested because I have tried this to add a PayPal form, but it is not working.

    It strips the select and option tags.

    Do you have any clue?

    Thanks

    Here is the form :

    <form target="paypal" action="https://www.paypal.com/cgi-bin/webscr" method="post">
    <input type="hidden" name="cmd" value="_s-xclick">
    <input type="hidden" name="hosted_button_id" value="10216291">
    <table>
    <tr><td><input type="hidden" name="on0" value="PAYS">PAYS</td></tr><tr><td><select name="os0">
       <option value="France métropolitaine">France métropolitaine €6,00</option>
       <option value="Dom-Tom et Étranger">Dom-Tom et Étranger €8,00</option>
    </select> </td></tr>
    </table>
    <input type="hidden" name="currency_code" value="EUR">
    <input type="image" src="https://www.paypal.com/fr_FR/FR/i/btn/btn_cart_LG.gif" border="0" name="submit" alt="PayPal - la solution de paiement en ligne la plus simple et la plus sécurisée !">
    <img alt="" border="0" src="https://www.paypal.com/fr_FR/i/scr/pixel.gif" width="1" height="1">
    </form>

  • Hamish
    Community Member

    Re: Editor strips out Javascript tags

    Rather than allowing entry of JavaScript from the CMS (which is a bit of a security/XSS nightmare), why not code it into the template or page class? This is the 'best-practice' safe and stable method.

  • Romeo
    Community Member

    Re: Editor strips out Javascript tags

    Rather ironically, the forum seems to have stripped out some of my code in the solution I mentioned. Here it is again, formatted (I hope) so it remains intact:

    'valid_elements' => "*

    • ",
      'extended_valid_elements' => "*
    • "

    Let's hope that survives!

  • Romeo
    Community Member

    Re: Editor strips out Javascript tags

    Well, bizarrely, that didn't survive either. What it should be in each case is:

    open double quote, asterisk, open square bracket, asterisk, close square bracket, close double quote

    It would be good if the forum didn't mess with stuff you enclose within a code block.

  • Willr
    Forum Moderator

    Re: Editor strips out Javascript tags

    Romeo - might be easier if you post the code to something like pastie.org then copy a link to that snippet here

  • Romeo
    Community Member

    Re: Editor strips out Javascript tags

    It seems that this solution, which was working in 2.3.3, no longer works in 2.3.4. The 'valid_elements' and 'extended_valid_elements' are no longer set in LeftAndMain.php but in cms/_config.php, via HtmlEditorConfig::get('cms')->setOptions. But now using the wildcard approach to allow all tags, as mentioned above, doesn't work - the content of the Javascript tags is still being stripped. I presume something else now needs to be done instead (or as well). Any suggestions?

    As to the security risk of allowing Javascript, which Hamish cautioned about, surely it depends on who is going to be doing the editing. If one is not opening up the CMS editing capabilities to the general public but to a trusted group of 3 or 4 known content editors, one should be able to allow such things. This is causing me quite a lot of problems at the moment. I'm converting over a simple site I did prior to working with Silverstripe, and one page which features embedded Javascript tags for an availability calendar script has taken me much longer so far than the whole of the rest of the site.
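
Added example, not written by any poster and not SilverStripe or TinyMCE code: a simplified model of the `valid_elements` rule syntax discussed in this thread, used to check what an allowlist lets through. It compares the wildcard described above (asterisk, then asterisk in square brackets) with a narrow rule string; `NARROW`, the function names and the reduced syntax handled here are assumptions for illustration.

```javascript
// Simplified model of TinyMCE-style valid_elements rules (added example).
// Rules are comma-separated "name[attr1|attr2]"; "*" is a wildcard.
// Prefix characters (#, -, +, @, !) and attribute defaults are not modelled.
function parseRules(spec) {
  return spec.split(',').map((s) => s.trim()).filter(Boolean).map((rule) => {
    const m = /^([^\[\]]+)(?:\[([^\]]*)\])?$/.exec(rule);
    if (!m) throw new Error('unparseable rule: ' + rule);
    return { name: m[1], attrs: m[2] ? m[2].split('|') : [] };
  });
}

// Case-insensitive match where "*" stands for any run of characters.
function wildcardMatch(pattern, value) {
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*');
  return new RegExp('^' + escaped + '$', 'i').test(value);
}

// True if the element is allowed; when attr is given, true only if that
// attribute is also allowed on the same rule.
function allows(rules, tag, attr) {
  return rules.some((r) =>
    wildcardMatch(r.name, tag) &&
    (attr === undefined || r.attrs.some((a) => wildcardMatch(a, attr))));
}

// Flag allowlists that let script content through the editor.
// "onclick" is used as a representative event-handler attribute.
function lint(spec) {
  const rules = parseRules(spec);
  const findings = [];
  if (allows(rules, 'script')) findings.push('script element allowed');
  if (rules.some((r) => r.attrs.some((a) => wildcardMatch(a, 'onclick')))) {
    findings.push('event-handler attributes allowed');
  }
  return findings;
}

const WILDCARD = '*[*]';                               // setting described in the thread
const NARROW = 'select[name],option[value|selected]';  // constructed: only the form tags

console.log('wildcard:', lint(WILDCARD));
console.log('narrow:  ', lint(NARROW));
```

The wildcard produces both findings, which is the XSS exposure raised earlier in the thread; the narrow string produces none while still permitting the `select` and `option` tags from the PayPal form.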
