You are reading the Drake CMS Official Forums archive, available for historical purposes only.
Drake CMS has been rebranded into Lanius CMS, visit the new Lanius CMS Official Forums if you need support about Lanius CMS or Drake CMS -> Lanius CMS migration.
Hi, I'm having problems with tinyMCE stripping out my HTML pasted
code from Dreamweaver - since the 0.3.3 and 0.3.2 Beta releases.
Basically stuff like height and width attributes to images,
links, inline styles and onmouseover events are being removed.
I've checked with the init for tinyMCE and all these tags should
be allowed on the code cleanup so I don't understand why they're
disappearing. The interesting thing is, when I tried a backup of
the 0.2.5 Alpha of my test site, the HTML code stays intact - no
tag removal. I've patched in the latest version of tinyMCE
(2.1.0) and set that up to allow the tags I need but that didn't
help either. Any ideas what's gone wrong? I read somewhere that
changes have been made to the XHTML.php but at that point my
powers of PHP understanding reach their limit! I should mention
that I've not tinkered with the default installation of tinyMCE
so I'm sure I haven't broken anything there.
Would appreciate any thoughts...
legolas558
Re:tinyMCE eating HTML code
19 February 2007 00:20
Anonymous
First of all, thank you for your interest in solving the problem.
We already have a bug tracker about the KSES
tags filtering applied in Drake CMS, however I really can't
understand why in v0.2.5 some tags/attributes were not filtered
while now they are, but I must confirm the problem as I
experienced it too.
There is already tinyMCE2 and
the latest FCKeditor in the SVN repository, but I haven't tested
if the problem happens with both of them. If it does, then
it is a tags filtering issue. If you did not experience it with
the older backups, it may be because they were edited in the backend?
It is the only (weak) possibility to explain this weirdness.
Anyway, xhtml.php needs to contain the valid
tags/attributes. If you take a look at it you will see how
easy it is to add them; once I fix it, we will be able to
understand if the problem is really there (I bet it is) or
elsewhere.
If you can provide me a list of what it
eats I will fix xhtml.php accordingly.
Thanks again
legolas558
Re:tinyMCE eating HTML code
19 February 2007 00:21
Anonymous
I forgot to say: I would like to include the widest range of
(secure) tags/attributes, possibly all those used by tinyMCE &
friends, so that the user can really get the best from WYSIWYG
editing.
TheRenderMan
Re:tinyMCE eating HTML code
19 February 2007 23:22
Anonymous
OK now I think I understand - it was broken somewhere before the
0.3 betas (allowing all code through unfiltered) and now the KSES
tag filtering is working because when I add extra tags and
attributes to XHTML.php they stay in the HTML code and are not
edited out when saving the page.
This seems like a
giant task to enter all the secure tags and allowable attribute
ranges to this file! Please explain to an ignorant person (me)
why this is done when tinyMCE does this kind of filtering as
well. Standards compliance / security?
Thanks for your
help on this......
legolas558
Re:tinyMCE eating HTML code
20 February 2007 07:24
Anonymous
TheRenderMan wrote: Quote:
OK now I think I
understand - it was broken somewhere before the 0.3 betas
(allowing all code through unfiltered) and now the KSES tag
filtering is working because when I add extra tags and attributes
to XHTML.php they stay in the HTML code and are not edited out
when saving the page.
Yes, previously it was not
filtered at the admin backend (so it was not really a security
issue).
Quote:
This seems like a giant task to enter all the secure tags and
allowable attribute ranges to this file! Please explain to an
ignorant person (me) why this is done when tinyMCE does this kind
of filtering as well. Standards compliance / security?
Thanks for your help on this......
tinyMCE
does client-side validation, but think about someone that has
disabled JavaScript or that is forging POST requests: he could
easily submit forbidden tags (for example, <script> or
<object> ) and perform XSS attacks. That's why in Drake CMS
we have fully implemented server-side validation of all
variables, and that's why we expect near-zero security reports
compared to the old CMS.
Of course the problem has to be solved, see this tracker item, I just
hope we can fix it before the next release.
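The point made in the reply above (editor-side cleanup is skipped by a forged POST, so the server has to filter the submitted HTML itself), as an added Python example that is not Drake CMS's xhtml.php or the KSES code. The allowlist, all names and the sample request body are assumptions constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Hypothetical allowlist (tag -> attributes); not the contents of Drake CMS's xhtml.php.
ALLOWED = {
    "a": {"href", "title"},
    "img": {"id", "src", "alt", "longdesc", "border", "width", "height"},
    "p": set(), "b": set(), "i": set(), "br": set(),
}
URL_ATTRS = {"href", "src", "longdesc"}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID = {"img", "br"}
DROP_WITH_CONTENT = {"script", "style", "object"}
# Constructed request body, as a client that bypasses the editor could send it.
FORGED_BODY = '<p>Hi<script>alert(1)</script> <img src="a.jpg" onmouseover="x()" width="104" /></p>'

def url_ok(value):
    # Browsers ignore whitespace and control characters inside a scheme name.
    scheme, sep, _ = "".join(c for c in value if c > " ").lower().partition(":")
    relative = not sep or any(c in scheme for c in "/?#")
    return relative or scheme in SAFE_SCHEMES

class AllowlistFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip = depth inside a dropped container
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED:
            return  # unknown tags are dropped, their text content is kept
        kept = [(k, v or "") for k, v in attrs if k in ALLOWED[tag]
                and (k not in URL_ATTRS or url_ok(v or ""))]
        attr_text = "".join(f' {k}="{escape(v, quote=True)}"' for k, v in kept)
        self.out.append(f"<{tag}{attr_text}{' /' if tag in VOID else ''}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # re-encode text on output

def sanitize(html):
    parser = AllowlistFilter()
    parser.feed(html)
    parser.close()  # flush any buffered trailing text
    return "".join(parser.out)
```

Because this allowlist carries no on* attributes, a Dreamweaver rollover such as the MM_swapImage one in this thread keeps its image dimensions but loses its handler.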
TheRenderMan
Re:tinyMCE eating HTML code
09 March 2007 21:04
Anonymous
I've pretty much got a handle on editing the xhtml.php now and
have that working well (have just amalgamated my changes with
the new 'official' version in beta 0.3.6).
I now have a
problem with code being 'added to' when pages are being
parsed.
is now being converted into this: <a href="#"
onmouseover="MM_swapImage(''corporate_large_01'','''',''images/images/corporate/corporate_0008.jpg'' ,0)"><img id="corporate_02" longdesc="Corporate 02"
src="images/images/corporate/corporate_0008_rollover.jpg"
border="0" alt="Corporate 02" width="104" height="74"
/></a>
Notice the additional ' (apostrophes)
being added which obviously breaks the script.
This is
not happening with the TinyMCE editor but just parsing the page -
something to do with the new Anyxml parsing? The MM_swapImage was
working in 0.3.5 and older.
Also - what's happened
to the Page Navigation Drabot, which is missing from the drabots
folder in 0.3.6!!! Gives a 'drapagenav drabot not found' error on
the front end.
Oh and sorry for starting a new thread
elsewhere on the forum
TheRenderMan
Re:tinyMCE eating HTML code
09 March 2007 21:55
Anonymous
OK update to my last post.
I've just reinserted the
html using the latest TinyMCE2 (from the SVN) and the
MM_swapImage is now working - no added or duplicated apostrophes
to the script.
Actually I don't think the version of
TinyMCE2 has anything to do with it - it may have been something
to do with the database backup and restore (from 0.3.5) I did to
populate a clean install of beta 0.3.6 - it was after that the
script was corrupted.
Not sure... any ideas?
legolas558
Re:tinyMCE eating HTML code
13 March 2007 16:44
Anonymous
TheRenderMan wrote: Quote:
OK update to my last
post.
I've just reinserted the html using the latest
TinyMCE2 (from the SVN) and the MM_swapImage is now working - no
added or duplicated apostrophes to the script.
Actually I don't think the version of TinyMCE2 has anything to
do with it - it may have been something to do with the database
backup and restore (from 0.3.5) I did to populate a clean install
of beta 0.3.6 - it was after that the script was corrupted.
Not sure... any ideas?
You are right,
the database has been messed up sometime in previous restores due
to a bug in database backup version recognition (my bad). I am going to
"hotfix" the bug in the next release's database update.
legolas558
Re:tinyMCE eating HTML code
13 March 2007 16:50
Anonymous
TheRenderMan wrote: Quote:
I've pretty much got
a handle on editing the xhtml.php now and have that working well
(have just amalgamated my changes with the new 'official' version
in beta 0.3.6).
I'd like to integrate your
changes in the next release, if you agree. Do you have a snippet
of that file?
legolas558
Re:tinyMCE eating HTML code
13 March 2007 17:09
Anonymous
TheRenderMan wrote: Quote:
...
Notice
the additional ' (apostrophes) being added which obviously breaks
the script.
This is not happening with the TinyMCE
editor but just parsing the page - something to do with the new
Anyxml parsing? The MM_swapImage was working in 0.3.5 and
older.
It is because of a bug (now fixed) in database
restoring.
Quote:
Also
- what's happened to the Page Navigation Drabot, which is missing
from the drabots folder in 0.3.6!!! Gives a 'drapagenav drabot
not found' error on the front end.
That drabot
was killed ages ago, the next update will fix the drabot not
found error.
Quote:
Oh and sorry for starting a new thread elsewhere on
the forum
No problem, there's a sort of anarchy here at the
forums... but when the cops come, no more chaos!
TheRenderMan
Re:tinyMCE eating HTML code
14 March 2007 00:24
Anonymous
legolas558 wrote: Quote:
I'd like to integrate
your changes in the next release, if you agree. Do you have a
snippet of that file?
Ok, this is what's working for me
at the moment. Some of the values may look a bit extreme but
layout tables may reach 800px in width so I covered my bases with
1000px! (Of course I'd rather use divs but that's a whole other
world of hurt.)
Some tags are deprecated as well -
but still useful I guess.