
Editor strips out Javascript tags


23 Posts   10102 Views

Romeo

Community Member, 67 Posts

9 December 2009 at 4:30am

I want to import an existing HTML table into one of the pages on my site, using the HTML option in the editor, but a vital Javascript tag in one of the columns is stripped out:

<script language="JavaScript" type="text/javascript">
protectmail("treasurer", "myorg.uk", "Email Treasurer", "Treasurer Enquiry");
</script>

How can I configure things so that SS/TinyMCE doesn't strip out my tags, and in fact treats me as an adult and allows me to paste in what I want?

Romeo

Community Member, 67 Posts

10 December 2009 at 7:17am

I got this solved in the end by changing the settings in LeftAndMain.php to this:

'valid_elements' => "*[*]",
'extended_valid_elements' => "*[*]"

Maybe this is overkill (I suspect that it's only the extended_valid_elements which really needs to be opened up like this), but at least I can now paste the HTML in without all the tags being stripped out.

I still can't actually see the content of the tags in the editor but at least they're now present when I view with the HTML button.

servalman

Community Member, 211 Posts

10 December 2009 at 7:57am

Hi

I'm very interested because I have tried this to add a PayPal form, but it is not working.

It strips the select and option tags.

Do you have any clue?

Thanks

Here is the form:

<form target="paypal" action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_s-xclick">
<input type="hidden" name="hosted_button_id" value="10216291">
<table>
<tr><td><input type="hidden" name="on0" value="PAYS">PAYS</td></tr><tr><td><select name="os0">
<option value="France métropolitaine">France métropolitaine €6,00</option>
<option value="Dom-Tom et Étranger">Dom-Tom et Étranger €8,00</option>
</select> </td></tr>
</table>
<input type="hidden" name="currency_code" value="EUR">
<input type="image" src="https://www.paypal.com/fr_FR/FR/i/btn/btn_cart_LG.gif" border="0" name="submit" alt="PayPal - la solution de paiement en ligne la plus simple et la plus sécurisée !">
<img alt="" border="0" src="https://www.paypal.com/fr_FR/i/scr/pixel.gif" width="1" height="1">
</form>

Hamish

Community Member, 712 Posts

10 December 2009 at 8:27am

Rather than allowing entry of JavaScript from the CMS (which is a bit of a security/XSS nightmare), why not code it into the template or page class? This is the 'best-practice' safe and stable method.
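To make concrete what the valid_elements settings discussed in this thread actually admit, here is an added example that is not code from the thread, from SilverStripe or from TinyMCE: a small Python model of the rule syntax (element[attr|attr] entries, with * as a wildcard), run over Romeo's script cell and servalman's PayPal form. The baseline allowlist is constructed for the example and is not SilverStripe's default, and the model simplifies TinyMCE's behaviour: a disallowed element is unwrapped (tag removed, children kept), and the raw text inside a disallowed script or style element is dropped with it.

```python
"""Simplified model of a TinyMCE-style valid_elements rule string.

Added example, not TinyMCE's or SilverStripe's own filter.  Each
comma-separated entry is  element[attr|attr] ; a bare element name allows
the element with no attributes; "*" matches any element or attribute name.
"""
import html
from html.parser import HTMLParser

# Elements whose body is raw text rather than markup (html.parser hands the
# body to handle_data without parsing it).
RAW_TEXT_ELEMENTS = {"script", "style"}


def parse_rules(rule_string):
    """'td[colspan],select[name]' -> {'td': {'colspan'}, 'select': {'name'}}."""
    rules = {}
    for entry in rule_string.split(","):
        entry = entry.strip()
        if not entry:
            continue
        name, _, attrs = entry.partition("[")
        allowed = {a for a in attrs.rstrip("]").split("|") if a} if attrs else set()
        rules[name.strip()] = allowed
    return rules


class RuleFilter(HTMLParser):
    """Re-serialise markup, keeping only the elements and attributes the rules allow."""

    def __init__(self, rules):
        super().__init__()
        self.rules = rules
        self.out = []
        self.raw_mode = None   # "keep" / "drop" while inside <script> or <style>

    def allowed_attrs(self, tag):
        """Allowed attribute set for tag, or None when the element itself is not allowed."""
        if tag in self.rules:
            return self.rules[tag]
        return self.rules.get("*")          # None unless a wildcard entry exists

    def handle_starttag(self, tag, attrs):
        allowed = self.allowed_attrs(tag)
        if tag in RAW_TEXT_ELEMENTS:
            self.raw_mode = "keep" if allowed is not None else "drop"
        if allowed is None:
            return                           # unwrap: tag dropped, children still processed
        kept = [(k, v) for k, v in attrs if k in allowed or "*" in allowed]
        attr_text = "".join(f' {k}="{html.escape(v or "", quote=True)}"' for k, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)     # void elements get no closing tag

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_ELEMENTS:
            self.raw_mode = None
        if self.allowed_attrs(tag) is None:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.raw_mode == "drop":
            return                           # body of a disallowed <script>/<style>
        if self.raw_mode == "keep":
            self.out.append(data)            # script body is code, not markup
        else:
            self.out.append(html.escape(data, quote=False))


def apply_rules(markup, rule_string):
    """Filter markup with the given valid_elements rule string."""
    f = RuleFilter(parse_rules(rule_string))
    f.feed(markup)
    f.close()
    return "".join(f.out)


# Constructed sample inputs, cut down from the snippets posted in this thread.
ROMEO_CELL = (
    '<table><tr><td>'
    '<script type="text/javascript">protectmail("treasurer", "myorg.uk", '
    '"Email Treasurer", "Treasurer Enquiry");</script>'
    '</td></tr></table>'
)
SERVALMAN_FORM = (
    '<form action="https://www.paypal.com/cgi-bin/webscr" method="post">'
    '<input type="hidden" name="cmd" value="_s-xclick">'
    '<table><tr><td><select name="os0">'
    '<option value="France métropolitaine">France métropolitaine €6,00</option>'
    '</select></td></tr></table>'
    '</form>'
)

# Three rule sets: a constructed baseline (not SilverStripe's default), the
# baseline extended with just the form controls servalman needs, and Romeo's wildcard.
BASELINE = "p,br,a[href|title],table[border],tr,td[colspan]"
EXTENDED = BASELINE + ",select[name],option[value],input[type|name|value]"
WILDCARD = "*[*]"

if __name__ == "__main__":
    for label, rules in (("baseline", BASELINE), ("extended", EXTENDED), ("wildcard", WILDCARD)):
        print(f"[{label}] script cell : {apply_rules(ROMEO_CELL, rules)}")
        print(f"[{label}] paypal form : {apply_rules(SERVALMAN_FORM, rules)}")
```

The middle rule set is the alternative to the wildcard: extend the allowlist with exactly the elements and attributes the editors need (select[name], option[value], input[type|name|value]), so the form controls survive while script elements, and any on* event-handler attribute, still do not. With "*[*]" both samples come through untouched, which is the XSS exposure Hamish describes: whatever an editor pastes into the HTML view reaches every visitor's browser as-is.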

Romeo

Community Member, 67 Posts

10 December 2009 at 8:28am

Rather ironically, the forum seems to have stripped out some of my code in the solution I mentioned. Here it is again, formatted (I hope) so it remains intact:

'valid_elements' => "*[*]",
'extended_valid_elements' => "*[*]"

Let's hope that survives!

Romeo

Community Member, 67 Posts

10 December 2009 at 8:32am

Well, bizarrely, that didn't survive either. What it should be in each case is:

open double quote, asterisk, open square bracket, asterisk, close square bracket, close double quote

It would be good if the forum didn't mess with stuff you enclose within a code block.

Willr

Forum Moderator, 5523 Posts

10 December 2009 at 12:06pm

Romeo - might be easier if you post the code to something like pastie.org then copy a link to that snippet here :D

Romeo

Community Member, 67 Posts

14 December 2009 at 11:16pm

It seems that this solution, which was working in 2.3.3, no longer works in 2.3.4. The 'valid_elements' and 'extended_valid_elements' are no longer set in LeftAndMain.php but in cms/_config.php, via HtmlEditorConfig::get('cms')->setOptions. But now using the wildcard approach to allow all tags, as mentioned above, doesn't work - the content of the Javascript tags is still being stripped. I presume something else now needs to be done instead (or as well). Any suggestions?

As to the security risk of allowing Javascript, which Hamish cautioned about, surely it depends on who is going to be doing the editing. If one is not opening up the CMS editing capabilities to the general public but to a trusted group of 3 or 4 known content editors, one should be able to allow such things. This is causing me quite a lot of problems at the moment. I'm converting over a simple site I did prior to working with Silverstripe, and one page which features embedded Javascript tags for an availability calendar script has taken me much longer so far than the whole of the rest of the site.
