TinyMCE and HTML Tags strip before save article

This forum is for reporting bugs in Joomla!. Please don't report problems with extensions in here.
Locked
pcollet
Joomla! Apprentice
Joomla! Apprentice
Posts: 30
Joined: Wed Nov 30, 2005 11:07 pm

TinyMCE and HTML Tags strip before save article

Post by pcollet » Tue Apr 21, 2009 10:46 pm

Hi,

I'm using tinymce to edit article on the frontend.
I need to add a link with a popup (<a href="..." onclick=".....">)
For devil reason, when i save the article, the onclick function is stripped out.

Is someone know which file make the analysis of the content of article before saving it ?

ans especially is it done in javascript file or php file (it seems it is in a php file but I don't knwo which one and in whiche function)

Regards.
And thank for any help

User avatar
airton
Joomla! Ace
Joomla! Ace
Posts: 1368
Joined: Sun Nov 04, 2007 1:12 am
Location: Brazil
Contact:

Re: TinyMCE and HTML Tags strip before save article

Post by airton » Wed Apr 22, 2009 12:06 am

pcollet wrote:Hi,

I'm using tinymce to edit article on the frontend.
I need to add a link with a popup (<a href="..." onclick=".....">)
For devil reason, when i save the article, the onclick function is stripped out.

Is someone know which file make the analysis of the content of article before saving it ?

ans especially is it done in javascript file or php file (it seems it is in a php file but I don't knwo which one and in whiche function)

Regards.
And thank for any help
Since a few releases ago, Joomla! has a content filtering feature that blacklists (by default) some html tags and attributes, but you can set it to suit your needs.

In the back-end, go to Contents --> Article Manager then click on the "Parameters" button in the toolbar. Scroll all the way down and you'll find the "Filtering Options".

To set it so the super-admin can enter whatever tags and attributes he/she wants, you have select Super Administrator in the "Group Options", then choose "whitelist" for the "Filter Type".

You can work out what options are best for your site. You can white list every user (choose Public Frontend in the group) or narrow it down as needed. You can also extend the blacklisted tags/attributes by filling the desired ones in the "Filter Tags" and "Filter Attributes" fields.

Hope this helps,
Airton Torres
Joomla Bug Squad http://groups.google.com/group/joomlabugsquad
Community website - http://community.joomla.org
Unsolicited support PMs will be deleted and the user added to the foes list.

pcollet
Joomla! Apprentice
Joomla! Apprentice
Posts: 30
Joined: Wed Nov 30, 2005 11:07 pm

Re: TinyMCE and HTML Tags strip before save article

Post by pcollet » Wed Apr 22, 2009 9:17 am

Thanks for your reply.

If i want to allow 'onclick' attributes inside a href. What should I do ?

I've tried to select all user, add tags "ref", add attributes "onclick", and select whitelist.

But now, all html are stripped out (Only text is stayed).

I'm not sure it is at this step the "onclick" is filtered out. do you know which php file manage this contente filtering. I want to check directly inside the code if the "onclick" is not filter before.

(I havenot the problem on a standard site, but i have it on a website that use a lot of symbolic link. So I want to look where is my problem and where does it come from).

Regards

pcollet
Joomla! Apprentice
Joomla! Apprentice
Posts: 30
Joined: Wed Nov 30, 2005 11:07 pm

Re: TinyMCE and HTML Tags strip before save article

Post by pcollet » Wed Apr 22, 2009 8:36 pm

My problem was solved (not the good way but it works).

Issue :

When I use the button "edit/insert link" of TinyMCE on front-end to create a popup, it generates html tag href with a onclick event. This event are stripped out when the article is stored in database.

The "problem" comes from the file filterinput.php (Joomla/libraries/filter) (function __cleanAttributes that automatically strip out any attributes beginning by "on".

Temporary solution :

I suppress in filterinput.php the condition for this removal.

I don't if it is good for security reasons but I think we should have a regular solution for that problem to fit with tinyMCE that allow popup creation.

User avatar
airton
Joomla! Ace
Joomla! Ace
Posts: 1368
Joined: Sun Nov 04, 2007 1:12 am
Location: Brazil
Contact:

Re: TinyMCE and HTML Tags strip before save article

Post by airton » Thu Apr 23, 2009 12:00 am

Hello again,

Did you try to disable the code cleanup in the Editor - TinyMCE 2.0 plugin?

Go to Extensions --> Plugin Manager and edit the "Editor - TinyMCE 2.0" plugin. Then change the "Code Cleanup on Save" option to "Never" or "Front Only" and/or the "Do Not Cleanup HTML Entities" option to "Yes", then save.

Regards,
Airton Torres
Joomla Bug Squad http://groups.google.com/group/joomlabugsquad
Community website - http://community.joomla.org
Unsolicited support PMs will be deleted and the user added to the foes list.

pcollet
Joomla! Apprentice
Joomla! Apprentice
Posts: 30
Joined: Wed Nov 30, 2005 11:07 pm

Re: TinyMCE and HTML Tags strip before save article

Post by pcollet » Thu Apr 23, 2009 9:36 pm

Hi,

It is great to have a guru that follow my issue (thanks for that).

I do no change default parameter of tinymce plugin.
To my mind, the plugin is not involved in my issu as when i trace some var in debug mode, i found that the whole conten with onclicj event is well received by the server (var_dump($data)).

I have opened the bug tracker #16110.

To my mind the issue comes from the conditional test in cleanattribtutes
function in Jfilterinput and especially the last part that block any event 'onclick, onblur'.

"if ((!preg_match('/[a-z]*$/i', $attrSubSet[0])) || (($this->xssAuto)
&& ((in_array(strtolower($attrSubSet[0]), $this->attrBlacklist)) ||
(substr($attrSubSet[0], 0, 2) == 'on')))) "

User avatar
airton
Joomla! Ace
Joomla! Ace
Posts: 1368
Joined: Sun Nov 04, 2007 1:12 am
Location: Brazil
Contact:

Re: TinyMCE and HTML Tags strip before save article

Post by airton » Thu Apr 23, 2009 9:48 pm

Hi,

Your issue is being taken care by the JBS.

We'll soon have a final status on that.

Regards,
Airton Torres
Joomla Bug Squad http://groups.google.com/group/joomlabugsquad
Community website - http://community.joomla.org
Unsolicited support PMs will be deleted and the user added to the foes list.

User avatar
Shinteetah
Joomla! Apprentice
Joomla! Apprentice
Posts: 22
Joined: Thu Jun 05, 2008 6:26 pm

Re: TinyMCE and HTML Tags strip before save article

Post by Shinteetah » Tue Jun 16, 2009 7:13 am

airton wrote:Go to Extensions --> Plugin Manager and edit the "Editor - TinyMCE 2.0" plugin. Then change the "Code Cleanup on Save" option to "Never" or "Front Only" and/or the "Do Not Cleanup HTML Entities" option to "Yes", then save.
Thank you! This helped with an issue for me. :)

ewrwerwer
Joomla! Apprentice
Joomla! Apprentice
Posts: 28
Joined: Wed Jul 08, 2009 1:38 pm

Re: TinyMCE and HTML Tags strip before save article

Post by ewrwerwer » Wed Aug 26, 2009 11:39 am

airton wrote: Since a few releases ago, Joomla! has a content filtering feature that blacklists (by default) some html tags and attributes, but you can set it to suit your needs.

In the back-end, go to Contents --> Article Manager then click on the "Parameters" button in the toolbar. Scroll all the way down and you'll find the "Filtering Options".

To set it so the super-admin can enter whatever tags and attributes he/she wants, you have select Super Administrator in the "Group Options", then choose "whitelist" for the "Filter Type".

You can work out what options are best for your site. You can white list every user (choose Public Frontend in the group) or narrow it down as needed. You can also extend the blacklisted tags/attributes by filling the desired ones in the "Filter Tags" and "Filter Attributes" fields.

Hope this helps,
Does this apply to modules or just articles?

User avatar
airton
Joomla! Ace
Joomla! Ace
Posts: 1368
Joined: Sun Nov 04, 2007 1:12 am
Location: Brazil
Contact:

Re: TinyMCE and HTML Tags strip before save article

Post by airton » Wed Aug 26, 2009 12:01 pm

Hi ewrwerwer,

This goes only for articles. There are no filtering options for modules, although the editor itself - if used - may have some code cleanup settings that might strip some html tags and attributes.
Airton Torres
Joomla Bug Squad http://groups.google.com/group/joomlabugsquad
Community website - http://community.joomla.org
Unsolicited support PMs will be deleted and the user added to the foes list.

ewrwerwer
Joomla! Apprentice
Joomla! Apprentice
Posts: 28
Joined: Wed Jul 08, 2009 1:38 pm

Re: TinyMCE and HTML Tags strip before save article

Post by ewrwerwer » Wed Aug 26, 2009 12:16 pm

Thanks for the reply Airton!

Do you have any idea where (or what) the best place (or code) to search for might be? The edit form of the module in question does not appear to lead to anything that would strip out HTML yet is does so! I simply don't know where to look :(

User avatar
airton
Joomla! Ace
Joomla! Ace
Posts: 1368
Joined: Sun Nov 04, 2007 1:12 am
Location: Brazil
Contact:

Re: TinyMCE and HTML Tags strip before save article

Post by airton » Wed Aug 26, 2009 12:30 pm

ewrwerwer wrote:Thanks for the reply Airton!

Do you have any idea where (or what) the best place (or code) to search for might be? The edit form of the module in question does not appear to lead to anything that would strip out HTML yet is does so! I simply don't know where to look :(
Sorry, it's hard to tell without looking at the module's code, because it could be the module itself doing the cleanup, or it could be using the core methods, or both.
Airton Torres
Joomla Bug Squad http://groups.google.com/group/joomlabugsquad
Community website - http://community.joomla.org
Unsolicited support PMs will be deleted and the user added to the foes list.

ewrwerwer
Joomla! Apprentice
Joomla! Apprentice
Posts: 28
Joined: Wed Jul 08, 2009 1:38 pm

Re: TinyMCE and HTML Tags strip before save article

Post by ewrwerwer » Wed Aug 26, 2009 1:14 pm

Thanks so much. I don't think it's the module. Can I just ask where I'd look for the core method?

inyong
Joomla! Apprentice
Joomla! Apprentice
Posts: 19
Joined: Mon Nov 14, 2011 4:00 am
Contact:

Re: TinyMCE and HTML Tags strip before save article

Post by inyong » Mon Nov 14, 2011 4:28 am

airton wrote:
pcollet wrote:Hi,

I'm using tinymce to edit article on the frontend.
I need to add a link with a popup (<a href="..." onclick=".....">)
For devil reason, when i save the article, the onclick function is stripped out.

Is someone know which file make the analysis of the content of article before saving it ?

ans especially is it done in javascript file or php file (it seems it is in a php file but I don't knwo which one and in whiche function)

Regards.
And thank for any help
Since a few releases ago, Joomla! has a content filtering feature that blacklists (by default) some html tags and attributes, but you can set it to suit your needs.

In the back-end, go to Contents --> Article Manager then click on the "Parameters" button in the toolbar. Scroll all the way down and you'll find the "Filtering Options".

To set it so the super-admin can enter whatever tags and attributes he/she wants, you have select Super Administrator in the "Group Options", then choose "whitelist" for the "Filter Type".

You can work out what options are best for your site. You can white list every user (choose Public Frontend in the group) or narrow it down as needed. You can also extend the blacklisted tags/attributes by filling the desired ones in the "Filter Tags" and "Filter Attributes" fields.

Hope this helps,
Thanks, my problem solved by this. :)

dchktester
Joomla! Fledgling
Joomla! Fledgling
Posts: 4
Joined: Fri Feb 03, 2012 5:08 am

Re: TinyMCE and HTML Tags strip before save article

Post by dchktester » Fri Feb 03, 2012 5:25 am

airton wrote:
pcollet wrote:Hi,

I'm using tinymce to edit article on the frontend.
I need to add a link with a popup (<a href="..." onclick=".....">)
For devil reason, when i save the article, the onclick function is stripped out.

Is someone know which file make the analysis of the content of article before saving it ?

ans especially is it done in javascript file or php file (it seems it is in a php file but I don't knwo which one and in whiche function)

Regards.
And thank for any help
Since a few releases ago, Joomla! has a content filtering feature that blacklists (by default) some html tags and attributes, but you can set it to suit your needs.

In the back-end, go to Contents --> Article Manager then click on the "Parameters" button in the toolbar. Scroll all the way down and you'll find the "Filtering Options".

To set it so the super-admin can enter whatever tags and attributes he/she wants, you have select Super Administrator in the "Group Options", then choose "whitelist" for the "Filter Type".

You can work out what options are best for your site. You can white list every user (choose Public Frontend in the group) or narrow it down as needed. You can also extend the blacklisted tags/attributes by filling the desired ones in the "Filter Tags" and "Filter Attributes" fields.

Hope this helps,
It works for only admin user and super admin user,,,but manager user=.=,,,
what can i do?

status360
Joomla! Apprentice
Joomla! Apprentice
Posts: 12
Joined: Fri Mar 30, 2012 10:53 pm

Re: TinyMCE and HTML Tags strip before save article

Post by status360 » Fri Mar 30, 2012 10:55 pm

I have no filtering set on Super User on Joomla! version 2.5.3 my tags are still being stripped?!?

:'( :(

harshal53
Joomla! Apprentice
Joomla! Apprentice
Posts: 9
Joined: Wed Apr 25, 2012 2:17 pm
Location: indore,india

Re: TinyMCE and HTML Tags strip before save article

Post by harshal53 » Fri Apr 27, 2012 1:26 pm

i have the problem to show data on front end of content table but there is HTML tags come with the data..plz give me solution.

i find out the function str_ireplace(),but it also didnt work..

harshal53
Joomla! Apprentice
Joomla! Apprentice
Posts: 9
Joined: Wed Apr 25, 2012 2:17 pm
Location: indore,india

Re: TinyMCE and HTML Tags strip before save article

Post by harshal53 » Fri Apr 27, 2012 2:03 pm

hey...!! i solve the problem of showing data with HTML tags on front end....use the strip_tag($var),$var="the variable in which the data store with HTML tags"...

thanks to my seniors

harshal53
Joomla! Apprentice
Joomla! Apprentice
Posts: 9
Joined: Wed Apr 25, 2012 2:17 pm
Location: indore,india

Re: TinyMCE and HTML Tags strip before save article

Post by harshal53 » Fri Apr 27, 2012 2:11 pm

htmlspecialchars — Convert special characters to HTML entities

Certain characters have special significance in HTML, and should be represented by HTML entities if they are to preserve their meanings. This function returns a string with these conversions made. If you require all HTML character entities to be translated, use htmlentities() instead.


this will surely work for vice versa of my problem... :eek:


Locked

Return to “Joomla! 1.5 Bug Reporting”