Bug 5278

Summary: extend TinyMCE configuration to allow for iframes
Product: OCS Reporter: James MacGregor <jmacgreg>
Component: GeneralAssignee: PKP Support <pkp-support>
Status: NEW ---    
Severity: enhancement CC: alec, kritikes.spoudes, mattcrider, thetwentyone
Priority: P5    
Version: 2.3.6   
Hardware: PC   
OS: Mac OS X 10.3   
Version Reported In: 2.3.0 Also Affects:

Description James MacGregor 2010-03-30 21:01:27 PDT
TinyMCE doesn't currently allow iframes to be added into HTML. It should probably allow for iframes, esp. for OCS (but maybe also OJS), as Google Maps (amongst others) creates embeddable code using iframes. 

I've tried adding "iframe[*]" to plugins/generic/staticPages/StaticPagesEditForm.inc.php -> extended_valid_elements (line 116), but that doesn't seem to work for the Static Pages plugin. I also think it's worth doing app-wide, if possible; but the only place that I can find where this seems to be an option in the TinyMCE plugin is in lib/pkp/lib/tinymce/jscripts/tiny_mce_src.js, and I don't think that's it. I'm also not sure if it's safe allowing for all iframe attributes (ie., iframe[*]).
Comment 1 Matthew Crider 2010-03-31 12:39:13 PDT
See http://pkp.sfu.ca/support/forum/viewtopic.php?f=3&t=5920&p=22723#p22723 for a workaround, but I'll continue looking for a way to modify TinyMCE to allow this.

I'm not sure if enabling this site-wide would be a good idea--Users could end up embedding malicious scripts.
Comment 2 thetwentyone 2010-10-31 11:43:31 PDT
This also affects versions 2.3.3-2
Comment 3 thetwentyone 2010-10-31 12:25:06 PDT
Through some searching, it seems like it would be a simple fix to add

extended_valid_elements : "iframe[src|width|height|name|align]",

to the tinymce init 

http://tinymce.moxiecode.com/punbb/viewtopic.php?pid=58808
Comment 4 Alec Smecher 2010-11-01 12:09:16 PDT
It may not be TinyMCE stripping iframe tags, but OJS itself -- see the config.inc.php directive called "allowed_html".