How to allow [embed,object,iframe,div] tags through htmlawed?
[Elgg version: 1.8.19]
- whoawhoamagictime@perpetyouall
- Paweł Sroka@srokap
- whoawhoamagictime@perpetyouall
$htmlawed_config = array(
	// seems to handle about everything we need.
	'safe' => true,
- iionly@iionly
- whoawhoamagictime@perpetyouall
- whoawhoamagictime@perpetyouall
- whoawhoamagictime@perpetyouall
Or maybe to just filter everything out but html and css.
Any advice?
Assuming that you are sure you'll not create an XSS vulnerability, you can change the htmlawed config on the config htmlawed plugin hook and read section 3.3 of the htmlawed documentation.
At this point I don't think that will be an issue. I'm new at this but I made a copy of the plugin with a different manifest, start.php and name but received the fatal error below after I flushed the cache, with the new plugin enabled. I figured making a replacement plugin would be an appropriate solution so that it hopefully wouldn't interfere with a future version upgrade. I disabled the original htmlawed and the new one until I finished the edit then reactivated the edited plugin. The change I attempted to make was based on the documentation that appeared to state that by switching safe mode to false it would allow my desired tags.
With $config["safe"] = 1, the default set will exclude applet, embed, iframe, object and script; see section 3.6.
Fatal Error. Redirect could not be issued due to headers already being sent. Halting execution for security. Output started in file /home/mysite/public_html/elgg/mod/my_htmlawed/start.php at line 1. Search http://docs.elgg.org/ for more information.

exception 'SecurityException' with message 'Redirect could not be issued due to headers already being sent. Halting execution for security. Output started in file /home/mysite/public_html/elgg/mod/my_htmlawed/start.php at line 1. Search http://docs.elgg.org/ for more information.' in /home/mysite/public_html/elgg/engine/lib/elgglib.php:159
Stack trace:
#0 /home/mysite/public_html/elgg/actions/admin/site/flush_cache.php(10): forward(-1)
#1 /home/mysite/public_html/elgg/engine/lib/actions.php(97): include('/home/mysite/...')
#2 /home/mysite/public_html/elgg/engine/handlers/action_handler.php(20): action('admin/site/flus...')
#3 {main}
My guess is that you might have saved the modified files of your htmlawed duplicate with a wrong encoding. If you saved the files with BOM characters this would explain the error. You need to save the files in "UTF-8 without BOM" encoding.
But it's not at all necessary to create your own custom htmlawed plugin. The htmlawed plugin has two plugin hooks that allow for providing a custom array of allowed styles and/or a custom config. You only need to create your own little plugin with the following start.php:
If you only want to change the config or the allowed styles respectively, you only need to include the corresponding plugin hook handler but not the other. What you need to define on your own is the content of the $allowed_styles and/or $config arrays within the callback functions. To complete this plugin you need to add a suitable manifest.xml file and it should work without the need to modify the original htmlawed plugin and you still have your own config.
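An added example, not code posted in this thread or taken from the Elgg project: a companion plugin's start.php that adjusts the htmlawed config through the 'config', 'htmlawed' plugin hook described above, keeping safe mode on and re-admitting a single element with the `elements` syntax from sections 3.3 and 3.6 of the htmLawed documentation. The plugin name `my_htmlawed_config` and both function names are hypothetical, and re-admitting `iframe` alone is an illustrative choice.

```php
<?php
// start.php of a small companion plugin (hypothetical name: my_htmlawed_config).
// Save the file as "UTF-8 without BOM" and leave out the closing PHP tag, so
// that no bytes are output before Elgg sends its headers.

elgg_register_event_handler('init', 'system', 'my_htmlawed_config_init');

/**
 * Register the handler for the hook the htmlawed plugin triggers
 * with its default config.
 */
function my_htmlawed_config_init() {
	elgg_register_plugin_hook_handler('config', 'htmlawed', 'my_htmlawed_config_hook');
}

/**
 * Adjust the htmLawed config rather than replacing it.
 *
 * @param string $hook   'config'
 * @param string $type   'htmlawed'
 * @param array  $config Config array built by the htmlawed plugin
 * @param mixed  $params Unused
 * @return array
 */
function my_htmlawed_config_hook($hook, $type, $config, $params) {
	if (!is_array($config)) {
		// Another handler returned something unexpected; leave it untouched.
		return $config;
	}

	// Keep safe mode on. With 'safe' set, applet, embed, iframe, object and
	// script are excluded from the default element set.
	$config['safe'] = true;

	// Re-admit only the element that is actually needed. An explicit
	// 'elements' entry overrides the safe-mode exclusion for that element
	// only; embed, object, applet and script stay filtered.
	$config['elements'] = '*+iframe';

	// Other keys set by the htmlawed plugin are passed through unchanged.
	return $config;
}
```

Because the handler edits the array it receives instead of building a new one, the settings the htmlawed plugin already applies remain in force for the re-admitted element.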
It's possible I used the wrong encoding but I've used a similar method before when doing minor editing with other plugins and I didn't have issues like this.
myconfig:
When I activated the plugin it gave me a white screen until I removed it then this error came up:
Here is my start.php:
I tried to set it to use the default config and styles to see if it would work but alas not yet. Should I not have done that?
Suggestions?
I'm not sure why but a clean install might have fixed my issue. I'll check back.
I believe it works now. Thank you for the help!