Page 1 of 1

TinyMCE and HTML Tags strip before save article

Posted: Tue Apr 21, 2009 10:46 pm
by pcollet
Hi,

I'm using tinymce to edit article on the frontend.
I need to add a link with a popup (<a href="..." onclick=".....">)
For devil reason, when i save the article, the onclick function is stripped out.

Is someone know which file make the analysis of the content of article before saving it ?

ans especially is it done in javascript file or php file (it seems it is in a php file but I don't knwo which one and in whiche function)

Regards.
And thank for any help

Re: TinyMCE and HTML Tags strip before save article

Posted: Wed Apr 22, 2009 12:06 am
by airton
pcollet wrote:Hi,

I'm using tinymce to edit article on the frontend.
I need to add a link with a popup (<a href="..." onclick=".....">)
For devil reason, when i save the article, the onclick function is stripped out.

Is someone know which file make the analysis of the content of article before saving it ?

ans especially is it done in javascript file or php file (it seems it is in a php file but I don't knwo which one and in whiche function)

Regards.
And thank for any help
Since a few releases ago, Joomla! has a content filtering feature that blacklists (by default) some html tags and attributes, but you can set it to suit your needs.

In the back-end, go to Contents --> Article Manager then click on the "Parameters" button in the toolbar. Scroll all the way down and you'll find the "Filtering Options".

To set it so the super-admin can enter whatever tags and attributes he/she wants, you have select Super Administrator in the "Group Options", then choose "whitelist" for the "Filter Type".

You can work out what options are best for your site. You can white list every user (choose Public Frontend in the group) or narrow it down as needed. You can also extend the blacklisted tags/attributes by filling the desired ones in the "Filter Tags" and "Filter Attributes" fields.

Hope this helps,

Re: TinyMCE and HTML Tags strip before save article

Posted: Wed Apr 22, 2009 9:17 am
by pcollet
Thanks for your reply.

If i want to allow 'onclick' attributes inside a href. What should I do ?

I've tried to select all user, add tags "ref", add attributes "onclick", and select whitelist.

But now, all html are stripped out (Only text is stayed).

I'm not sure it is at this step the "onclick" is filtered out. do you know which php file manage this contente filtering. I want to check directly inside the code if the "onclick" is not filter before.

(I havenot the problem on a standard site, but i have it on a website that use a lot of symbolic link. So I want to look where is my problem and where does it come from).

Regards

Re: TinyMCE and HTML Tags strip before save article

Posted: Wed Apr 22, 2009 8:36 pm
by pcollet
My problem was solved (not the good way but it works).

Issue :

When I use the button "edit/insert link" of TinyMCE on front-end to create a popup, it generates html tag href with a onclick event. This event are stripped out when the article is stored in database.

The "problem" comes from the file filterinput.php (Joomla/libraries/filter) (function __cleanAttributes that automatically strip out any attributes beginning by "on".

Temporary solution :

I suppress in filterinput.php the condition for this removal.

I don't if it is good for security reasons but I think we should have a regular solution for that problem to fit with tinyMCE that allow popup creation.

Re: TinyMCE and HTML Tags strip before save article

Posted: Thu Apr 23, 2009 12:00 am
by airton
Hello again,

Did you try to disable the code cleanup in the Editor - TinyMCE 2.0 plugin?

Go to Extensions --> Plugin Manager and edit the "Editor - TinyMCE 2.0" plugin. Then change the "Code Cleanup on Save" option to "Never" or "Front Only" and/or the "Do Not Cleanup HTML Entities" option to "Yes", then save.

Regards,

Re: TinyMCE and HTML Tags strip before save article

Posted: Thu Apr 23, 2009 9:36 pm
by pcollet
Hi,

It is great to have a guru that follow my issue (thanks for that).

I do no change default parameter of tinymce plugin.
To my mind, the plugin is not involved in my issu as when i trace some var in debug mode, i found that the whole conten with onclicj event is well received by the server (var_dump($data)).

I have opened the bug tracker #16110.

To my mind the issue comes from the conditional test in cleanattribtutes
function in Jfilterinput and especially the last part that block any event 'onclick, onblur'.

"if ((!preg_match('/[a-z]*$/i', $attrSubSet[0])) || (($this->xssAuto)
&& ((in_array(strtolower($attrSubSet[0]), $this->attrBlacklist)) ||
(substr($attrSubSet[0], 0, 2) == 'on')))) "

Re: TinyMCE and HTML Tags strip before save article

Posted: Thu Apr 23, 2009 9:48 pm
by airton
Hi,

Your issue is being taken care by the JBS.

We'll soon have a final status on that.

Regards,

Re: TinyMCE and HTML Tags strip before save article

Posted: Tue Jun 16, 2009 7:13 am
by Shinteetah
airton wrote:Go to Extensions --> Plugin Manager and edit the "Editor - TinyMCE 2.0" plugin. Then change the "Code Cleanup on Save" option to "Never" or "Front Only" and/or the "Do Not Cleanup HTML Entities" option to "Yes", then save.
Thank you! This helped with an issue for me. :)

Re: TinyMCE and HTML Tags strip before save article

Posted: Wed Aug 26, 2009 11:39 am
by ewrwerwer
airton wrote: Since a few releases ago, Joomla! has a content filtering feature that blacklists (by default) some html tags and attributes, but you can set it to suit your needs.

In the back-end, go to Contents --> Article Manager then click on the "Parameters" button in the toolbar. Scroll all the way down and you'll find the "Filtering Options".

To set it so the super-admin can enter whatever tags and attributes he/she wants, you have select Super Administrator in the "Group Options", then choose "whitelist" for the "Filter Type".

You can work out what options are best for your site. You can white list every user (choose Public Frontend in the group) or narrow it down as needed. You can also extend the blacklisted tags/attributes by filling the desired ones in the "Filter Tags" and "Filter Attributes" fields.

Hope this helps,
Does this apply to modules or just articles?

Re: TinyMCE and HTML Tags strip before save article

Posted: Wed Aug 26, 2009 12:01 pm
by airton
Hi ewrwerwer,

This goes only for articles. There are no filtering options for modules, although the editor itself - if used - may have some code cleanup settings that might strip some html tags and attributes.

Re: TinyMCE and HTML Tags strip before save article

Posted: Wed Aug 26, 2009 12:16 pm
by ewrwerwer
Thanks for the reply Airton!

Do you have any idea where (or what) the best place (or code) to search for might be? The edit form of the module in question does not appear to lead to anything that would strip out HTML yet is does so! I simply don't know where to look :(

Re: TinyMCE and HTML Tags strip before save article

Posted: Wed Aug 26, 2009 12:30 pm
by airton
ewrwerwer wrote:Thanks for the reply Airton!

Do you have any idea where (or what) the best place (or code) to search for might be? The edit form of the module in question does not appear to lead to anything that would strip out HTML yet is does so! I simply don't know where to look :(
Sorry, it's hard to tell without looking at the module's code, because it could be the module itself doing the cleanup, or it could be using the core methods, or both.

Re: TinyMCE and HTML Tags strip before save article

Posted: Wed Aug 26, 2009 1:14 pm
by ewrwerwer
Thanks so much. I don't think it's the module. Can I just ask where I'd look for the core method?

Re: TinyMCE and HTML Tags strip before save article

Posted: Mon Nov 14, 2011 4:28 am
by inyong
airton wrote:
pcollet wrote:Hi,

I'm using tinymce to edit article on the frontend.
I need to add a link with a popup (<a href="..." onclick=".....">)
For devil reason, when i save the article, the onclick function is stripped out.

Is someone know which file make the analysis of the content of article before saving it ?

ans especially is it done in javascript file or php file (it seems it is in a php file but I don't knwo which one and in whiche function)

Regards.
And thank for any help
Since a few releases ago, Joomla! has a content filtering feature that blacklists (by default) some html tags and attributes, but you can set it to suit your needs.

In the back-end, go to Contents --> Article Manager then click on the "Parameters" button in the toolbar. Scroll all the way down and you'll find the "Filtering Options".

To set it so the super-admin can enter whatever tags and attributes he/she wants, you have select Super Administrator in the "Group Options", then choose "whitelist" for the "Filter Type".

You can work out what options are best for your site. You can white list every user (choose Public Frontend in the group) or narrow it down as needed. You can also extend the blacklisted tags/attributes by filling the desired ones in the "Filter Tags" and "Filter Attributes" fields.

Hope this helps,
Thanks, my problem solved by this. :)

Re: TinyMCE and HTML Tags strip before save article

Posted: Fri Feb 03, 2012 5:25 am
by dchktester
airton wrote:
pcollet wrote:Hi,

I'm using tinymce to edit article on the frontend.
I need to add a link with a popup (<a href="..." onclick=".....">)
For devil reason, when i save the article, the onclick function is stripped out.

Is someone know which file make the analysis of the content of article before saving it ?

ans especially is it done in javascript file or php file (it seems it is in a php file but I don't knwo which one and in whiche function)

Regards.
And thank for any help
Since a few releases ago, Joomla! has a content filtering feature that blacklists (by default) some html tags and attributes, but you can set it to suit your needs.

In the back-end, go to Contents --> Article Manager then click on the "Parameters" button in the toolbar. Scroll all the way down and you'll find the "Filtering Options".

To set it so the super-admin can enter whatever tags and attributes he/she wants, you have select Super Administrator in the "Group Options", then choose "whitelist" for the "Filter Type".

You can work out what options are best for your site. You can white list every user (choose Public Frontend in the group) or narrow it down as needed. You can also extend the blacklisted tags/attributes by filling the desired ones in the "Filter Tags" and "Filter Attributes" fields.

Hope this helps,
It works for only admin user and super admin user,,,but manager user=.=,,,
what can i do?

Re: TinyMCE and HTML Tags strip before save article

Posted: Fri Mar 30, 2012 10:55 pm
by status360
I have no filtering set on Super User on Joomla! version 2.5.3 my tags are still being stripped?!?

:'( :(

Re: TinyMCE and HTML Tags strip before save article

Posted: Fri Apr 27, 2012 1:26 pm
by harshal53
i have the problem to show data on front end of content table but there is HTML tags come with the data..plz give me solution.

i find out the function str_ireplace(),but it also didnt work..

Re: TinyMCE and HTML Tags strip before save article

Posted: Fri Apr 27, 2012 2:03 pm
by harshal53
hey...!! i solve the problem of showing data with HTML tags on front end....use the strip_tag($var),$var="the variable in which the data store with HTML tags"...

thanks to my seniors

Re: TinyMCE and HTML Tags strip before save article

Posted: Fri Apr 27, 2012 2:11 pm
by harshal53
htmlspecialchars — Convert special characters to HTML entities

Certain characters have special significance in HTML, and should be represented by HTML entities if they are to preserve their meanings. This function returns a string with these conversions made. If you require all HTML character entities to be translated, use htmlentities() instead.


this will surely work for vice versa of my problem... :eek: