How to stop Joomla from stripping HTML tags from form input?

This forum is for general questions about extensions for Joomla! version 1.5.x.

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
simonium210
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Mon Mar 23, 2009 5:02 pm

How to stop Joomla from stripping HTML tags from form input?

Post by simonium210 » Mon Mar 23, 2009 5:16 pm

Hi everyone

My Joomla installation keeps removing all HTML tags from form input. I'm using both tinyMCE and FCKeditor, in differnet modules, but joomla keeps stripping away any HTML tags.

I've made sure everybody is whitelisted in the artickes>parameters, so it's not that. Don't really know what else it could be? Has anybody else had this problem?

yours gratefully . . . simonium

TutorOnline
Joomla! Apprentice
Joomla! Apprentice
Posts: 23
Joined: Sat Dec 20, 2008 9:41 am
Location: UK
Contact:

Re: How to stop Joomla from stripping HTML tags from form input?

Post by TutorOnline » Sun Apr 12, 2009 5:26 pm

Hi

I am trawling this forum to find an answer to my HTML form action tag being stripped.

I am trying to enter a form in HTML and Joomla keeps stripping the action tag from the post tag i.e

<form method="post" action="http://www.siteiwanttogoto/index.htmk">

to

<form method="post" >

When I click the save button

Did you ever find an answer to your problem?

Kind regards

Simon
Simon Champion
joomlainformation - central resource for all things Joomla! related - tutorials, reviews, useful links, Joomla! templates
email: [email protected] - web: http://www.joomlainformation.com
Signature rules - 4 lines only.

simonium210
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Mon Mar 23, 2009 5:02 pm

Re: How to stop Joomla from stripping HTML tags from form input?

Post by simonium210 » Tue Apr 14, 2009 10:22 am

I found an answer to my problem alright, I seem to remember posting the solution on the forum but I don't know where it went.

I think what you're looking for is a function in the file "/libraries/phpinputfilter/inputfilter.php", there are two functions called filterTags, and filterAttr respectively, you'll need the look at those functions. (as far as I remember anyway).

hope this helps.

billengle
Joomla! Intern
Joomla! Intern
Posts: 89
Joined: Thu Apr 30, 2009 6:21 pm
Contact:

Re: How to stop Joomla from stripping HTML tags from form input?

Post by billengle » Thu Apr 30, 2009 11:23 pm

I found your response by looking at your previous posts.

Can you elaborate on how you edited those functions? They seem kind of important.


How to stop Joomla from stripping tags from Frontend Input:

edit the file : libraries/joomla/filter/filterinput.php, edit the functions "_cleanTags" and "_remove", problem solved!

billengle
Joomla! Intern
Joomla! Intern
Posts: 89
Joined: Thu Apr 30, 2009 6:21 pm
Contact:

Re: How to stop Joomla from stripping HTML tags from form input?

Post by billengle » Sat May 02, 2009 1:03 am

Anyone know how? Trying to use in my custom component.

simonium210
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Mon Mar 23, 2009 5:02 pm

Re: How to stop Joomla from stripping HTML tags from form input?

Post by simonium210 » Tue May 05, 2009 12:57 pm

sorry for taking so long to get to you, actually the file you need to edit is :
"libraries\joomla\filter\filterinput.php" and the only function you need to edit is the '_remove($source)' function.

I replaced the content of this function with the following code:

Code: Select all

function _remove($source) {

		// prevent php injection
		$source = str_replace("<?", "", $source);
		
		// prevent xss
		$source = str_replace("<script", "", $source);
		$source = str_replace("</script>", "", $source);
		
		// prevent sql injection
		$source = str_replace("'", "'", $source);
		
		return $source;
}
I don't know if Joomla's more senior coder's would approve of this method, and there may some security concerns here, I'm not sure, but it fixed the problem for me.

I hope this helps.

AmyStephen
Joomla! Champion
Joomla! Champion
Posts: 7018
Joined: Wed Nov 22, 2006 3:35 pm
Location: Nebraska
Contact:

Re: How to stop Joomla from stripping HTML tags from form input?

Post by AmyStephen » Tue May 05, 2009 2:06 pm

In Joomla! 1.5.8 (I believe), a default was changed to enable input filtering for Articles. At that time, many people noticed HTML was stripped from input. This change was made for security purposes.

You can adjust text filtering to meet your needs. Here is a wiki entry explaining how to do that: http://docs.joomla.org/Why_does_some_HT ... n_1.5.8%3F

I cannot think of any examples with Joomla! 1.5 where I would recommend a core hack. It would be a good idea to force yourself to not do so - but instead use Google's Advanced Search - and enter joomla.org for the domain - to see if you can find better information. This filter change was also described in the release notes - so, I encourage reading those details when you upgrade.

Hopefully, you backed up the core file you changed. I recommend putting it back to it's delivered state. If you didn't back up the file, you can download a new copy of Joomla!, unzip the distribution into a temporary file, and recover the core file in that manner. Then, upload it to your Web site.

Amy :)

billengle
Joomla! Intern
Joomla! Intern
Posts: 89
Joined: Thu Apr 30, 2009 6:21 pm
Contact:

Re: How to stop Joomla from stripping HTML tags from form input?

Post by billengle » Tue May 05, 2009 3:29 pm

Hi Amy,

Thanks for the response. I actually did try this but don't think it worked (at least for my custom component). Does this also work for custom components or just the articles? I will have to check again as it has been a few days. And yes, I agree that core hacks are probably not the best route.

Thanks.
AmyStephen wrote:In Joomla! 1.5.8 (I believe), a default was changed to enable input filtering for Articles. At that time, many people noticed HTML was stripped from input. This change was made for security purposes.

You can adjust text filtering to meet your needs. Here is a wiki entry explaining how to do that: http://docs.joomla.org/Why_does_some_HT ... n_1.5.8%3F

I cannot think of any examples with Joomla! 1.5 where I would recommend a core hack. It would be a good idea to force yourself to not do so - but instead use Google's Advanced Search - and enter joomla.org for the domain - to see if you can find better information. This filter change was also described in the release notes - so, I encourage reading those details when you upgrade.

Hopefully, you backed up the core file you changed. I recommend putting it back to it's delivered state. If you didn't back up the file, you can download a new copy of Joomla!, unzip the distribution into a temporary file, and recover the core file in that manner. Then, upload it to your Web site.

Amy :)

billengle
Joomla! Intern
Joomla! Intern
Posts: 89
Joined: Thu Apr 30, 2009 6:21 pm
Contact:

Re: How to stop Joomla from stripping HTML tags from form input?

Post by billengle » Tue May 05, 2009 3:48 pm

I performed the change for Article manager and it actually did save the html formatting for the Article. This did not have an affect on my custom component that uses JCE. It loses the html formatting.

AmyStephen
Joomla! Champion
Joomla! Champion
Posts: 7018
Joined: Wed Nov 22, 2006 3:35 pm
Location: Nebraska
Contact:

Re: How to stop Joomla from stripping HTML tags from form input?

Post by AmyStephen » Tue May 05, 2009 8:04 pm

Wager - look at how com_content Article model implements the filtering and make certain it does it the same way for your custom component. Also, remove JCE from the equation during testing to ensure it's not JCE filtering that is causing trouble.

billengle
Joomla! Intern
Joomla! Intern
Posts: 89
Joined: Thu Apr 30, 2009 6:21 pm
Contact:

Re: How to stop Joomla from stripping HTML tags from form input?

Post by billengle » Wed May 06, 2009 2:34 pm

Well I reviewed the code and I don't see where the option for stripping html is occurring.

AmyStephen
Joomla! Champion
Joomla! Champion
Posts: 7018
Joined: Wed Nov 22, 2006 3:35 pm
Location: Nebraska
Contact:

Re: How to stop Joomla from stripping HTML tags from form input?

Post by AmyStephen » Wed May 06, 2009 3:05 pm

Check out the code in administrator/components/com_content/models/article.php -- beginning with // Filter settings .

That should help you work with JFilterInput.

See if it makes sense but feel free to ask, of course, if you have questions.

Good luck!
Amy :)

billengle
Joomla! Intern
Joomla! Intern
Posts: 89
Joined: Thu Apr 30, 2009 6:21 pm
Contact:

Re: How to stop Joomla from stripping HTML tags from form input?

Post by billengle » Fri May 08, 2009 5:25 pm

Hi Amy,

Thanks again for your response. I am on 1.5.10 and did not see this file in the specified location. I see an element.php file but no filter settings section. I will look into JFilterInput to see if I can figure it out. Its all new to me.


Thanks.

billengle
Joomla! Intern
Joomla! Intern
Posts: 89
Joined: Thu Apr 30, 2009 6:21 pm
Contact:

Re: How to stop Joomla from stripping HTML tags from form input?

Post by billengle » Fri May 08, 2009 6:02 pm

Well I finally got it based on the below thread. I realized that when I was binding the post (see below bad code) I was actually pulling the original data instead of allowing html. I would recommend against the hack mentioned above as this is an easy and "secure" solution.

http://forum.joomla.org/viewtopic.php?f=474&t=398025

Good code.

Code: Select all

	$post = JRequest::get( 'post' );
$post['text'] = JRequest::getVar( 'text', '', 'post', 'string', JREQUEST_ALLOWHTML );
if (!$sgrow->bind( $post )) {
Bad code.

Code: Select all

	$post = JRequest::get( 'post' );
$post['text'] = JRequest::getVar( 'text', '', 'post', 'string', JREQUEST_ALLOWHTML );
if (!$sgrow->bind( JRequest::get( 'post' ) )) {

Vayner
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Sat May 09, 2009 12:32 pm

Re: How to stop Joomla from stripping HTML tags from form input?

Post by Vayner » Sat May 09, 2009 3:22 pm

So what is the solution for people who just upgraded, expecting to be able to post HTML in the HTML(!) editor?

No matter what code I post, all that is left in the end are the dividers.

billengle
Joomla! Intern
Joomla! Intern
Posts: 89
Joined: Thu Apr 30, 2009 6:21 pm
Contact:

Re: How to stop Joomla from stripping HTML tags from form input?

Post by billengle » Sat May 09, 2009 8:03 pm

Not sure. I'm using jce editor with 1.5.10. I didn't have a problem retrieving the data. It was not filtered. In my case it was only filtering when saving.

Vayner
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Sat May 09, 2009 12:32 pm

Re: How to stop Joomla from stripping HTML tags from form input?

Post by Vayner » Sun May 10, 2009 11:56 am

How is it possible that filtering is still happening even after I stripped all the tags from filterinput.php?
Is there a master off switch or something?

Thanks

- B

billengle
Joomla! Intern
Joomla! Intern
Posts: 89
Joined: Thu Apr 30, 2009 6:21 pm
Contact:

Re: How to stop Joomla from stripping HTML tags from form input?

Post by billengle » Sun May 10, 2009 3:25 pm

Don't use the hack stated by the OP. All I did was change article params to blacklist for all (see amy's post not sure if this was necessary) and then in my custom component I added the good code see above. No hack required.

AmyStephen
Joomla! Champion
Joomla! Champion
Posts: 7018
Joined: Wed Nov 22, 2006 3:35 pm
Location: Nebraska
Contact:

Re: How to stop Joomla from stripping HTML tags from form input?

Post by AmyStephen » Sun May 10, 2009 5:07 pm

I think we have two focuses in this thread -- each related to HTML tags, but the solutions are different depending on your focus.

First of all, I never recommend hacking core and still do not know of any situation where you would really have to do that.

If you are *using* Joomla! 1.5 and you want your articles to include HTML, but are finding the HTML stripped when you save the article, use this advice:
AmyStephen wrote:You can adjust text filtering to meet your needs. Here is a wiki entry explaining how to do that: http://docs.joomla.org/Why_does_some_HT ... n_1.5.8%3F
If you are creating a Custom Component, and want to use JFilterInput when you save your content, use this advice:
AmyStephen wrote:Check out the code in components/com_content/models/article.php -- beginning with // Filter settings .
@wager - Sorry I incorrectly had administrator/ in front of that location. Check the location, above.

If you are hacking the core, then you are probably not finding the intended solution which is typically a parameter setting.
Amy :)

Vayner
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Sat May 09, 2009 12:32 pm

Re: How to stop Joomla from stripping HTML tags from form input?

Post by Vayner » Sun May 10, 2009 9:23 pm

AmyStephen wrote: If you are *using* Joomla! 1.5 and you want your articles to include HTML, but are finding the HTML stripped when you save the article, use this advice:
AmyStephen wrote:You can adjust text filtering to meet your needs. Here is a wiki entry explaining how to do that: http://docs.joomla.org/Why_does_some_HT ... n_1.5.8%3F
Hi Amy,

That info page raises a few additional questions:

- It mentions these settings for user groups. So why are my (Super Administrator) tags being stripped?

- How do you turn whatever is messing with my posts off? If I post a Form in the html editor, all I'm left with is <div> </div>

Thank you

- Bjorn

AmyStephen
Joomla! Champion
Joomla! Champion
Posts: 7018
Joined: Wed Nov 22, 2006 3:35 pm
Location: Nebraska
Contact:

Re: How to stop Joomla from stripping HTML tags from form input?

Post by AmyStephen » Sun May 10, 2009 11:06 pm

Bjorn -

If I am not mistaken, Joomla! 1.5.10 addressed that issue. There should be NOT be any HTML filtering for Super Administrator if you are at the latest release.

I believe this was the patch to correct that:
http://joomlacode.org/gf/project/joomla ... m_id=14758

If you are not at the latest release (1.5.10 at this writing), then upgrade and that problem should be resolved.

Thanks!
Amy :)

Vayner
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Sat May 09, 2009 12:32 pm

Re: How to stop Joomla from stripping HTML tags from form input?

Post by Vayner » Mon May 11, 2009 11:21 am

I am on 1.5.10, I upgraded from 1.5.8 when the update came out.

Cheers

- Bjorn

AmyStephen
Joomla! Champion
Joomla! Champion
Posts: 7018
Joined: Wed Nov 22, 2006 3:35 pm
Location: Nebraska
Contact:

Re: How to stop Joomla from stripping HTML tags from form input?

Post by AmyStephen » Mon May 11, 2009 1:28 pm

Bjorn -

Have you used the instructions on this page? http://docs.joomla.org/Why_does_some_HT ... n_1.5.8%3F

If not, try those instructions and see if you can post your form.

Amy

Vayner
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Sat May 09, 2009 12:32 pm

Re: How to stop Joomla from stripping HTML tags from form input?

Post by Vayner » Mon May 11, 2009 4:23 pm

Hi Amy,

I did follow the instructions with no luck.
Not all tags are being removed, just some of them.

For example, posting this code works:

Code: Select all

<object width="800" height="540"><param name="allowfullscreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="movie" value="http://vimeo.com/moogaloop.swf?clip_id=4566083&server=vimeo.com&show_title=1&show_byline=0&show_portrait=0&color=00ADEF&fullscreen=1" /><embed src="http://vimeo.com/moogaloop.swf?clip_id=4566083&server=vimeo.com&show_title=1&show_byline=0&show_portrait=0&color=00ADEF&fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="800" height="540"></embed></object><p><a href="http://vimeo.com/4566083">This one time...</a> from <a href="http://vimeo.com/user903988">nelson boles</a> on <a href="http://vimeo.com">Vimeo</a>.</p>
The following code which is just a button doesn't work:

Code: Select all

<form action='https://www.2checkout.com/2co/buyer/purchase' method='post'>
<div>
<input type='hidden' name='sid' value='1252191'>
<input type='hidden' name='quantity' value='1'>
<input type='hidden' name='product_id' value='19'>
<input name='submit' type='submit' value='Buy from 2CO' >
</div>
</form>
In fact, after posting that into the html editor - upon reopening the editor all that is left is:

Code: Select all

 <div>     </div> 

User avatar
dhuelsmann
Joomla! Master
Joomla! Master
Posts: 19659
Joined: Sun Oct 02, 2005 12:50 am
Location: Omaha, NE
Contact:

Re: How to stop Joomla from stripping HTML tags from form input?

Post by dhuelsmann » Mon May 11, 2009 4:34 pm

If you are using the tiny MCE Editor you may also want to adjust these settings in the plugin
Code Cleanup on Startup Off On
Code cleanup on save Never Front Only. Always
Do not clean HTML entities. Yes No
Regards, Dave
Past Treasurer Open Source Matters, Inc.
Past Global Moderator
http://www.kiwaniswest.org

AmyStephen
Joomla! Champion
Joomla! Champion
Posts: 7018
Joined: Wed Nov 22, 2006 3:35 pm
Location: Nebraska
Contact:

Re: How to stop Joomla from stripping HTML tags from form input?

Post by AmyStephen » Mon May 11, 2009 8:14 pm

Dave -

I added your additions to the bottom of that Wiki page - will you please review and see if it makes sense?

http://docs.joomla.org/Why_does_some_HT ... n_1.5.8%3F

Thanks!
Amy :)

User avatar
dhuelsmann
Joomla! Master
Joomla! Master
Posts: 19659
Joined: Sun Oct 02, 2005 12:50 am
Location: Omaha, NE
Contact:

Re: How to stop Joomla from stripping HTML tags from form input?

Post by dhuelsmann » Mon May 11, 2009 9:30 pm

Works for me
Regards, Dave
Past Treasurer Open Source Matters, Inc.
Past Global Moderator
http://www.kiwaniswest.org

User avatar
Empowermom
Joomla! Apprentice
Joomla! Apprentice
Posts: 29
Joined: Sun Mar 16, 2008 12:47 pm
Location: Chickamauga, GA
Contact:

Re: How to stop Joomla from stripping HTML tags from form input?

Post by Empowermom » Mon May 11, 2009 9:57 pm

May also want to check:

JOOMLA ARTICLE PARAMETERS-> FILTERS:

You MUST have at least TWO people whitelisted. Since I'm currently working offline on a new site and I'm the only user, I created a second logon for myself and now I am two SuperAdmins. Next, I Blacklisted everyone EXCEPT the Admins and SuperAdmins (that's both of Me). :eek:

Also, DO NOT include any filters or tags when you do this.
Joomla! Don't design without it.

Vayner
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Sat May 09, 2009 12:32 pm

Re: How to stop Joomla from stripping HTML tags from form input?

Post by Vayner » Tue May 12, 2009 11:21 am

dhuelsmann wrote:If you are using the tiny MCE Editor you may also want to adjust these settings in the plugin
Code Cleanup on Startup Off On
Code cleanup on save Never Front Only. Always
Do not clean HTML entities. Yes No
Excellent!
Code cleanup on save was set to Always. I set it to Never.
Now I can post the button code.

Its not an accurate function description though. This fixes the code cleanup I got when updating the HTML editor. I didn't realize that counts as "save".

Anyway, thank you Dhuelsmann and Amy!

- Bjorn

matthewham
Joomla! Fledgling
Joomla! Fledgling
Posts: 2
Joined: Thu May 21, 2009 1:24 am

Re: How to stop Joomla from stripping HTML tags from form input?

Post by matthewham » Thu May 21, 2009 1:37 am

Hi There,

I have encountered the same HTML tag stripping issue in Joomla 1.5.10, but my efforts to fix it by the altering the text filtering in the Article Manager Parameters - the method recommended above (and in other forums) - has been frustrated by the fact that the Global Configurations panel that comes up when I click on Parameters in the Article Manater toolbar only extends as far as the following radio button optiony:

For each feed item show Intro Text Full Text

It does not continue to include the expected Filtering Options section where I can change the blacklist / whitelist settings. Any ideas as to why this is. I am completely stumped.

Thanks in advance,

Matt


Locked

Return to “Extensions for Joomla! 1.5”