how to disable HTMLawed for admins only

I looked through the site's old posts and some of the fixes didn't work. I'm trying to embed an iframe video from Facebook into a blog post, and dhrup (RIP) posted a fix, but it appears only admins can see it. This means that regular logged-in users and non-logged-in users can't see that video.

Has anyone figured this one out yet?

  • Well, what about adding some exceptions to the HTMLawed? Dhrup (RIP) edited the HTMLawed to allow a lot of exceptions, even iframes.

    Rodolfo Hernandez

    Arvixe/Elgg Community Liaison

  • @rjcalifornia which file?

    @RvR It didn't work, only admins can see it still :(

  • @Cim, you are right. I had the same issue too... In addition, I had some errors: Fatal error: Cannot redeclare htmlawed_init() (previously declared in start line htmlawed/start.php:17 ... When I get time I will try to work on it...

    • Override the output/longtext view and remove the filter_tags() call. Caveat: this means your site's security against XSS will be completely dependent on the filtering during input. Filtering during output allows a new filtering library to catch things the old one did not.
    • If the admin is logged in, handle the (htmlawed, config) hook and make changes there to allow the tags you need.
    • Note that if a non-admin re-saves the content, the filtering will again remove the active content. Not sure what can be done about that.
    • Removing filter_tags() didn't work.
    • I don't see where I have to make the changes; can you tell me which line to edit in start.php?
    • iframe tags and such will only be posted by admins.
  • Found the fix: in htmlawed's start.php at line 44, change it from

    $htmlawed_config = array(
    // seems to handle about everything we need.
    'safe' => true,
    'deny_attribute' => 'on*',
    'hook_tag' => 'htmlawed_tag_post_processor',
    'schemes' => '*:http,https,ftp,news,mailto,rtsp,teamspeak,gopher,mms,callto',
    // apparent this doesn't work.
    // 'style:color,cursor,text-align,font-size,font-weight,font-style,border,margin,padding,float'
    );

    to

    if (!elgg_is_admin_logged_in()) {
        $htmlawed_config = array(
            // seems to handle about everything we need.
            'safe' => true,
            'deny_attribute' => 'on*',
            'hook_tag' => 'htmlawed_tag_post_processor',
            'schemes' => '*:http,https,ftp,news,mailto,rtsp,teamspeak,gopher,mms,callto',
            // apparent this doesn't work.
            // 'style:color,cursor,text-align,font-size,font-weight,font-style,border,margin,padding,float'
        );
    }

  • This is really making me want to pull my hair out: the fix only works on localhost and not on a live server.

  • A reminder of the old rule: do not edit the core or the bundled plugins.

    Instead of editing the htmlawed plugin I recommend either using the 'validate', 'input' hook to prevent running htmlawed completely, or the 'config', 'htmlawed' hook to modify the configuration of allowed tags. See the function htmlawed_filter_tags() (Elgg 1.8) for a simple example of what the configuration should look like.
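    Putting the two hook-based suggestions above (handle the htmlawed config hook when an admin is logged in, rather than editing the plugin) into a small plugin of its own, as an added example that is not code from Elgg or the bundled htmlawed plugin. It assumes Elgg 1.8, where htmlawed_filter_tags() triggers the ('config', 'htmlawed') hook with the htmLawed config array as the hook's return value, and where get_input() runs filter_tags() inside the 'input' context; the plugin directory name admin_iframes and the function names are assumptions.

```php
<?php
/**
 * Added example, not code from the Elgg project or the htmlawed plugin.
 * mod/admin_iframes/start.php (directory name assumed), Elgg 1.8.
 *
 * Uses the ('config', 'htmlawed') plugin hook to let <iframe> through only
 * when the content is being saved by a logged-in admin, and when stored
 * content is rendered. Non-admin submissions keep the strict default, so
 * an iframe can only enter the database through an admin's save.
 */

elgg_register_event_handler('init', 'system', 'admin_iframes_init');

function admin_iframes_init() {
	// Default priority (500); the htmlawed plugin must be enabled as well,
	// otherwise nothing triggers this hook.
	elgg_register_plugin_hook_handler('config', 'htmlawed', 'admin_iframes_htmlawed_config');
}

/**
 * ('config', 'htmlawed') handler.
 *
 * In Elgg 1.8 the htmLawed configuration array arrives as the hook's return
 * value ($config); returning an array replaces it, returning null keeps it.
 */
function admin_iframes_htmlawed_config($hook, $type, $config, $params) {
	if (!is_array($config)) {
		return $config;
	}

	// get_input() wraps filter_tags() in the 'input' context, which is how
	// we tell "content being saved" apart from "content being displayed".
	$saving = elgg_in_context('input');

	if ($saving && !elgg_is_admin_logged_in()) {
		// Non-admin save: leave the default configuration untouched,
		// so iframe (and applet/embed/object/script) are stripped.
		return $config;
	}

	// Admin save, or output of already stored content: 'safe' => true makes
	// htmLawed drop applet, embed, iframe, object and script; '* +iframe'
	// adds iframe back while the other four stay blocked and 'deny_attribute'
	// => 'on*' still removes inline event handlers.
	$config['elements'] = '* +iframe';

	return $config;
}
```

    Relaxing the element list on output is what lets non-admin viewers see the video that the original poster was missing, but it also means the site trusts whatever iframes are already in the database: anything stored before this plugin was enabled, or saved through a path that never called get_input(), will render too. The caveat further up still applies, since a non-admin who re-saves the post goes through the strict configuration and loses the iframe. Unregistering htmlawed_filter_tags from the 'validate', 'input' hook for admins would switch the filter off entirely; allowing one element through the config hook is the narrower change.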

  • It is possible to write an exception for htmlawed so that it does not filter certain code:

    $filter = !elgg_is_admin_logged_in();

    $content = get_input('content', '', $filter);

    Where this code should be inserted has not been written?

    Or forbid HTML for the users and disable htmlawed.