solved (Allow HTML ) TAGS

izhmel
@izhmel
10 years ago
1,354 posts
I am trying to add this code to a blog, and after you save the blog all the code gets deleted.


Allow HTML

function,scr,async,script,iframe,pre,block,img,br,b,i,p,u,a,center,hr,span,strong,em,object,param,embed,div,ul,ol,li,
font,iframe,scr,span,strong,em,a,b,u,i,p,div,br,img,h1,h2,h3,h4,pre,hr,ul,ol,li,iframe,frameset,frameborder,scr,frame,scr


code.jpg  •  69KB




--
The Scientist
dubmusic.com
Thanks for any assistance.

updated by @izhmel: 07/25/15 12:50:18PM
douglas
@douglas
10 years ago
2,806 posts
The code you're trying to add is not HTML, it is JavaScript, and it is not a good idea to allow your users to embed JavaScript. If you really need to use it, you can try adding script to your allowed HTML field, but I would not recommend it.


--

Douglas Hackney
Jamroom Team - Designer/Developer/Support
FAQ-Docs-Help Videos
izhmel
@izhmel
10 years ago
1,354 posts
I added (script); if you look you will see it above in allowed HTML, and it doesn't work.



updated by @izhmel: 06/16/15 07:48:59AM
douglas
@douglas
10 years ago
2,806 posts
Is there a reason you need JavaScript in a blog post?

Or are you trying to show the code itself in a blog post?

If so, are you using the text editor?


izhmel
@izhmel
10 years ago
1,354 posts
It's a Google search bar.


douglas
@douglas
10 years ago
2,806 posts
I really don't recommend doing this, but you could try adding the gcse:search tag to your allowed HTML and see if that fixes it.


izhmel
@izhmel
10 years ago
1,354 posts
It doesn't work.


michael
@michael
10 years ago
7,814 posts
I've located the source of the issue and it's the HTML Purifier. It requires an additional setting:
$config->set('HTML.Trusted', true);

to say that the incoming script is from a trusted source for it to let 'script' through. I'm not sure that's something we want to add in to the core system as the input is coming from users.

The site admin could always add any script they want to the templates and have it work, but this is from users.

Here's where the solution was found:
http://stackoverflow.com/questions/4135755/how-do-i-allow-script-object-param-embed-and-iframe-tags-in-htmlpurifier

Need to check with the others to see if we will add this in. You need to understand that dangers are involved.
http://stackoverflow.com/questions/28857774/is-it-dangerous-to-allow-users-to-add-javascript-code-in-a-page-thats-supposed
Quote: Is it dangerous to allow users to add javascript code in a page...?
Quote: If they are entering JavaScript code which you will then store and include when showing a page to other users, then yes, it's a security hole. It means that they can do anything you can do on that page, in the context of someone else's user account; this could be used to steal information from other users, etc....
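
How the HTML.Trusted switch described in the post above behaves, as an added example that is not part of the thread or of Jamroom's code. It assumes HTML Purifier is installed through Composer; the helper names, the shortened allow list, the `$author_is_operator` flag and the sample posts are constructed for illustration.

```php
<?php
// Added illustration: not code from the thread, Jamroom or HTML Purifier.
// Assumes HTML Purifier was installed with Composer (ezyang/htmlpurifier).
require __DIR__ . '/vendor/autoload.php';

/**
 * Build a purifier; $trusted maps straight onto HTML.Trusted.
 * (Hypothetical helper name.)
 */
function build_purifier(bool $trusted): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('Cache.DefinitionImpl', null); // skip the on-disk definition cache
    $config->set('HTML.Trusted', $trusted);
    // Shortened form of the thread's "Allow HTML" list, with the attributes
    // script needs. While HTML.Trusted is off, HTML Purifier does not know
    // "script": it reports it with a warning and strips the element.
    $config->set('HTML.Allowed', 'p,b,i,a[href],div,script[src|type]');
    return new HTMLPurifier($config);
}

/**
 * Purify a post. Only markup written by the site operator is treated as
 * trusted; $author_is_operator is an assumption standing in for whatever
 * role check the application really has.
 */
function render_post(string $html, bool $author_is_operator): string
{
    return build_purifier($author_is_operator)->purify($html);
}

// Constructed sample posts: [label, author is operator?, submitted markup]
$posts = [
    ['operator search widget', true,
        '<p>Search the site:</p><script src="https://example.invalid/search.js"></script>'],
    ['member post with script', false,
        '<p>Hello</p><script>/* member-supplied code */</script>'],
];

foreach ($posts as [$label, $is_operator, $html]) {
    $out  = render_post($html, $is_operator);
    $kept = stripos($out, '<script') !== false ? 'kept' : 'stripped';
    printf("%-26s script %s\n  %s\n", $label, $kept, $out);
}
```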
izhmel
@izhmel
10 years ago
1,354 posts
Is it that a Google search bar cannot be trusted or can cause harm?

Where do I add ($config->set('HTML.Trusted', true);)?


douglas
@douglas
10 years ago
2,806 posts
Can the search bar script go in the template the blog is located at?

In other words, can it be put in a template instead of trying to embed it?


izhmel
@izhmel
10 years ago
1,354 posts
Douglas, I am not sure ....

Where do I add ($config->set('HTML.Trusted', true);)?


michael
@michael
10 years ago
7,814 posts
It's not allowed. It's a security risk. If you want to build a module to do it, you can. Suggest calling it "xxAllowHackers" as that's what you're trying to do.

Here's the code to put in your include.php file if you want to build that module.
<?php
/**
 * @copyright nobody
 */

// make sure we are not being called directly
defined('APP_DIR') or exit();

/**
 * meta
 */
function xxAllowHackers_meta(){
    $_tmp = array(
        'name'        => 'Allow Hackers',
        'url'         => 'allowhackers',
        'version'     => '1.0.0',
        'developer'   => 'nobody',
        'description' => 'DANGER: This module makes it possible for users to add script to html input locations.',
        'category'    => 'site',
        'license'     => 'mpl'
    );
    return $_tmp;
}

/**
 * init
 */
function xxAllowHackers_init(){
    jrCore_register_event_listener('jrCore', 'html_purifier', 'xxAllowHackers_html_purifier_listener');
    return true;
}

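/**
 * html_purifier listener: sets HTML.Trusted on the purifier config
 * while this module is active
 */
function xxAllowHackers_html_purifier_listener($_data, $_user, $_conf, $_args, $event)
{
    if (jrCore_module_is_active('xxAllowHackers')) {
        $_data->set('HTML.Trusted', true);
    }
    return $_data;
}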

It's not a good idea. Put the script into the templates.
izhmel
@izhmel
10 years ago
1,354 posts
Michael, so a Google search bar is a security risk, and can you give an example of what could happen?

(1) I am planning to put it on a quota I alone have access to, and not on the members' quota; will that help stop the risk?

(2) Do I put the entire code in the (include.php)?

(3) Where is (include.php)? Or can you send an include.php with the code in it?

Thanks in advance


douglas
@douglas
10 years ago
2,806 posts
Can you give me a link to where you want the Google search?

That might help determine what template the code could go in.

