CRITICAL SECURITY VERSION UPDATE:
https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.13

CKE, oembed and iframes

GumsterGumster
edited June 2014 in Share
I've hit a problem with iframes and CKE that I've not encountered before.

CKE is configured with the Oembed plugin, which usually does a good job of embedding iframes. This works fine in CMS pages, and the Fuel Blog module, and works on insert into the WYSIWYG in an advanced module, but when saved it converts the iframe to entities.

What might the advanced module be doing that the Pages / Blog one isn't?

Comments

  • adminadmin
    edited 2:01AM
    This sounds like the result of the xss_clean which is run by default on save. Try adding this to your simple module's configuration:
    'sanitize_input' => array('template','php'),
  • GumsterGumster
    edited 2:01AM
    Aha, I put the above in application/config/MY_fuel_modules and it had no effect, but putting it in the advanced module' config worked! I've only just noticed that "module"_fuel_modules gets created by the module generation CLI.
  • GumsterGumster
    edited 2:01AM
    Now I have a similar issue with oembed and regular Fuel CMS pages - if I add an iframe with CKE it shows in the WYSIWYG OK initially, but on save the iframe html is entitised (Fuel v1.3)

    I'm sure there is a config to fix this, but I admit to forgetting it! At first I thought it might be to do with globa_xss_filtering, but changing that to false doesn't help.
  • almostcompletelyalmostcompletely
    edited 2:01AM
    Anything to do with this https://www.drupal.org/node/803562
    ...a gotcha I came across some time ago...
  • adminadmin
    edited 2:01AM
    That's a good point... is it an issue only when using CKEditor?
  • GumsterGumster
    edited December 2015
    I'll try markitup, but then I won't have Oembed...

    Actually I had a video embedded in the database via CKE / Oembed previously, and it is only recently on re-saving that the issue has come to light. It's been a few weeks since I put the content in and a lot has happened development wise since. Of course, it may be the re-saving which is the issue...

    I will test
  • GumsterGumster
    edited 2:01AM
    OK - some gap here, but I found a related solution:

    $config['modules']['pages'] = array( 'sanitize_input param' => array('template','php'), 'hidden' => TRUE // we don't want this showing under modules );

    This appears to work, but feels like a hack! is there a more appropriate way of doing this?
Sign In or Register to comment.