Bug 5278 - extend TinyMCE configuration to allow for iframes
extend TinyMCE configuration to allow for iframes
Status: NEW
Product: OCS
Classification: Unclassified
Component: General
2.3.6
PC Mac OS X 10.3
: P5 enhancement
Assigned To: PKP Support
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2010-03-30 21:01 PDT by James MacGregor
Modified: 2012-09-24 09:41 PDT (History)
4 users (show)

See Also:
Version Reported In: 2.3.0
Also Affects:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description James MacGregor 2010-03-30 21:01:27 PDT
TinyMCE doesn't currently allow iframes to be added into HTML. It should probably allow for iframes, esp. for OCS (but maybe also OJS), as Google Maps (amongst others) creates embeddable code using iframes. 

I've tried adding "iframe[*]" to plugins/generic/staticPages/StaticPagesEditForm.inc.php -> extended_valid_elements (line 116), but that doesn't seem to work for the Static Pages plugin. I also think it's worth doing app-wide, if possible; but the only place that I can find where this seems to be an option in the TinyMCE plugin is in lib/pkp/lib/tinymce/jscripts/tiny_mce_src.js, and I don't think that's it. I'm also not sure if it's safe allowing for all iframe attributes (ie., iframe[*]).
Comment 1 Matthew Crider 2010-03-31 12:39:13 PDT
See http://pkp.sfu.ca/support/forum/viewtopic.php?f=3&t=5920&p=22723#p22723 for a workaround, but I'll continue looking for a way to modify TinyMCE to allow this.

I'm not sure if enabling this site-wide would be a good idea--Users could end up embedding malicious scripts.
Comment 2 thetwentyone 2010-10-31 11:43:31 PDT
This also affects versions 2.3.3-2
Comment 3 thetwentyone 2010-10-31 12:25:06 PDT
Through some searching, it seems like it would be a simple fix to add

extended_valid_elements : "iframe[src|width|height|name|align]",

to the tinymce init 

http://tinymce.moxiecode.com/punbb/viewtopic.php?pid=58808
Comment 4 Alec Smecher 2010-11-01 12:09:16 PDT
It may not be TinyMCE stripping iframe tags, but OJS itself -- see the config.inc.php directive called "allowed_html".