ethanj

Has anyone successfully allowed script tags in the HTMLEditorField? This is what we've done with our attempt; all tags but the script one work:

    use SilverStripe\Forms\HTMLEditor\TinyMCEConfig;

    // Extend the elements and attributes the 'cms' editor config accepts
    TinyMCEConfig::get('cms')
        ->addButtonsToLine(1, 'styleselect')
        ->setOption('importcss_append', true)
        ->setOption(
            'extended_valid_elements',
            'iframe[src|name|width|height|title|align|allowfullscreen|frameborder|marginwidth|marginheight|scrolling],' .
            'table[stroke|color],' .
            'script[src|async|defer|type|charset],' .
            'div'
        );

Scopey

Browsers get pretty smart these days about disallowing XSS. I'm guessing either your browser or SS is doing something to prevent that.

Nik

I dug into this and it is definitely happening client side. The configuration ends up with TinyMCE (tinymce.activeEditor.extended_valid_elements is correct), but the POST request to update the page already has the tag stripped. Where is this client-side magic coming from?!

ethanj

What are you doing when you get that error? It looks unrelated to the restful portion and more like a problem with the blog module maybe?

ethanj

Oo, looks like another module is setting spam protection and overriding mine. Now to figure out which one and why. Update: silverstripe/recipe-blog pulls in silverstripe/akismet, which also sets default_spam_protection.

ethanj

Can anyone think of a reason why setting my default spam protection in my yml wouldn't be getting applied? Trying to use nocaptcha on ss4.4.

ethanj

@Jason Hale is that when submitting a user form? If so I came across this the other day too and I made a PR for the fix that worked for me. https://github.com/silverstripe/silverstripe-userforms/pull/913

Jason Hale

Thanks, will give this a shot. It was during submission.

ethanj

We're needing to do a migration of the ss3 version of elemental to ss4. Is there a task to help with this currently? If not, does anyone have any tips for this?