john.boloian@nuance.com

HTML being stripped from Formatted Text widget

Discussion created by john.boloian@nuance.com on Dec 2, 2011

Case #158306

Details


Status: Closed
Case Type: /
Severity: Level 2
Product: /
Component: Core: Widgets
Environment: /
Internal Discussion Link: /

Description


We are having a problem with adding custom HTML to Formatted Text widgets on spaces and groups overview pages (as well as documents). When we try to add (for example, some simple javascript, like window.open) and then publish, the code is removed. Only after it is published. We also notice that the code works in edit mode. So, for example, we add window.open to open a new window (or ctrl+k and add the popup functionality this way) and when clicking in the edit mode, the code works fine. Once published, it does not work.

 

I am thinking it has something to do with pre- or post- filters on the site? I do not have system admin access for the site, only for a few spaces, but am told we should be able to do this per Cory Matthews who was onsite for functional configurations / consulting sessions with the space owners / champions today.

 

Thanks a bunch!!!

 

John Boloian


Comments


John,

 

I believe that this is the result of the way in which your filters and macros are configured.

You will have to talk with someone on your end who does have access to those settings to have them changed. If you would like, I would be happy to remove the settings in UAT and try the scripts there to confirm that the filters are responsible for them being stripped.

Please let me know how you would like to proceed.

 

Tatsuro



Hi, I'm checking if this has been implemented in UAT or Production yet? I haven't heard anything since Tatsuro's last reply. Thanks.



John,

 

I apologize for the confusion.

If you send me the code you are trying to add to the widget, I can test it on a local instance to determine why it is being stripped out.

 

Tatsuro



I posted it below – Simple javascript to window.open using an onclick.

 

In addition, would like to be able to add some embed HTML from other websites, which so far have been stripped out. I have posted a sample of this below as well.

 

Also, would like to add an tag, which also gets stripped out. A sample below.

 

Javascript code:

 

[image: Nuance101_Image_large.png]

 

 

Embed code:

 

.prezi-player .prezi-player-links { text-align: center; }

Future-Proof Your Education on Prezi



Iframe code:

 

Cheers,

 

John



Oops, I see from above that it didn't make it through email (but the Prezi embed works here!)

 

Here is the code:

 

Javascript code:

 

<a href="#" onclick="window.open('http://corporatecontent.nuance.com/iweb/HR/LearningAndDevelopment/N101/ex/index.html','mywindow','menubar=1,resizable=1,width=900,height=600'); return false;" ><img alt="Nuance101_Image_large.png" class="jive-image" src="http://nuance.hosted.jivesoftware.com/servlet/JiveServlet/previewBody/1231-102-1-1274/Nuance101_Image_large.png" style="display: block; margin-left: auto; margin-right: auto;" /></a>

 

 

Embed code:

 

<div class="prezi-player"><style type="text/css" media="screen">.prezi-player { width: 550px; } .prezi-player-links { text-align: center; }</style><object id="prezi_gsoot_1arnmk" name="prezi_gsoot_1arnmk" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="550" height="400"><param name="movie" value="http://prezi.com/bin/preziloader.swf"/><param name="allowfullscreen" value="true"/><param name="allowscriptaccess" value="always"/><param name="bgcolor" value="#ffffff"/><param name="flashvars" value="prezi_id=gsoot_1arnmk&amp;lock_to_path=0&amp;color=ffffff&amp;autoplay=no&amp;autohide_ctrls=0"/><embed id="preziEmbed_gsoot_1arnmk" name="preziEmbed_gsoot_1arnmk" src="http://prezi.com/bin/preziloader.swf" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="550" height="400" bgcolor="#ffffff" flashvars="prezi_id=gsoot_1arnmk&amp;lock_to_path=0&amp;color=ffffff&amp;autoplay=no&amp;autohide_ctrls=0"></embed></object><div class="prezi-player-links"><p><a title="Future-Proof Your Education" href="http://prezi.com/gsoot_1arnmk/future-proof-your-education/">Future-Proof Your Education</a> on <a href="http://prezi.com">Prezi</a></p></div></div>

 


 

Iframe code:

 

<iframe src="http://www.google.com" width="xxx" height="xxx"></iframe>



John,

 

I created a test space on your UAT and posted the above code as well as a sample youtube video embedded with an iframe without issue.

The test space is called 'test for widget'. Are you able to do the same in UAT?

I would be happy to do this on production as well if you would like me to create a space and test there as well.

 

Tatsuro



Hi Tatsuro,

 

It seems to be working there, though I can’t get in to edit the overview on that page.

 

However, whatever I try in Production, I can’t seem to get it to work. Can you check on the filters or anything else that may be causing this in Prod?

 

Regards,

 

John



Tatsuro,

 

An update on this: it seems as though the window.open code isn’t working (the top one, in the Formatted Text widget on the test space on UAT that you set up):

 

https://nuance-uat.uat3.hosted.jivesoftware.com/community/test-for-widget

 

John



John,

 

I am going to escalate this case internally to expedite a resolution.

 

Tatsuro



Could this be the reason?

Embedded Javascript and HTML widgets



Hi April,

 

Yes this sounds like the issue. As I am a Space administrator, I would like to have the ability to add this to my Spaces and Groups. Can we get this turned on please.

 

Regards,

 

John Boloian



Hi John,

 

I will be taking the case from here. I'd like to clarify: you are wanting to disable the cleanse JavaScript property, which will disable all script filtering? This can pose a security risk with untrustworthy issues, as it won't filter XSS-vulnerable scripts/iframes.

If you're still wanting to have this property disabled it will require a restart. When would be a good time to schedule a restart?

 

Regards,

Josh



Hi Josh,

 

Is it possible to disable this for only some spaces, not all? I believe this is possible, but just want to verify this.

 

Regards,

 

John



Hi John,

 

You may be able to apply this as a Space property to only have it applied to particular spaces. I would suggest testing this on your UAT environment. Please let me know how you'd like to proceed.

 

Regards,

Josh



Yes, could you please apply this to the following Spaces: Human Resources and Nuance University.

 

Would it be possible to apply to Groups as well?

 

Regards,

 

John Boloian



Hi John,

 

Looking further into this I noticed that the HTML Filters were still set to filter out Script, Style, and IFrame tags. This is most likely the cause; to test this I have made the changes necessary to the filter. Also, the System Property we were going to set would only affect the HTML Widget and not the Formatted Text Widget, so hopefully this was only an issue with the HTML Filter.

 

The changes have been made to the filter, can you please test again on your UAT environment to see if the embed codes are being stripped on publish?

 

Regards,

Josh



Josh, they are still being stripped once I publish - See the following test document example: https://nuance-uat.uat3.hosted.jivesoftware.com/docs/DOC-1171/edit?containerType=2020&container=1029

 

I tried to use the code I supplied above, but to no avail - can you check on this please. Thanks.



Hi John,

 

These settings apply to the HTML and Formatted Text widget. If you test it out here you will see that the tags are no longer stripped and function properly: https://nuance-uat.uat3.hosted.jivesoftware.com/community/test-for-widget

Please test in that Space and let me know if you have further questions.

 

Regards,

Josh



Hi Josh,

 

For the 1st one (under the Formatted Text widget) – it seems the code is being stripped (there should be a window.open code applied to the onclick event for the href) – The other 2 (the HTML widgets) work fine.

 

Screenshot of the problem widget I’m referring to (says “click to watch the nuance 101 video” in upper-left):

 


 

I would check further but I can’t edit that page – Any ideas?



Hi John,

 

Workaround:

The Formatted Text widget has a stricter filter applied to it than the HTML widget; this most likely explains why the tags still aren't processing correctly. If you use the HTML widget you can accomplish what you're requesting; I've provided a test of it in that same test Space.

 

When using HTML and/or scripts it is recommended to use the HTML widget as that is what it is intended for. The Formatted Text widget is for when you don't have HTML available and need to quickly create tables/insert images/etc.

 

Other:

You mentioned you're not able to edit the page; I've changed the permissions on the page and you should be able to customize it now.

 

Regards,

Josh
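The filter behaviour this thread works through (the site HTML Filter dropping Script, Style and IFrame elements, the Formatted Text widget's stricter pass that also discards the onclick handler carrying window.open, and the HTML widget passing everything once the filter entries were removed) can be modelled with a small rewriting sanitizer. This is an added example written for this page, not Jive's code: the two profile dictionaries are assumptions reconstructed from the comments above, and calling `sanitize` with no profile stands in for the fully relaxed widget, which is exactly the "no filtering at all" state Josh flags as an XSS risk.

```python
import html
from html.parser import HTMLParser

# Assumed profiles reconstructed from the thread, not Jive's real configuration.
SITE_FILTER = dict(dropped_tags={"script", "style", "iframe"}, strip_handlers=False)
FORMATTED_TEXT = dict(dropped_tags={"script", "style", "iframe"}, strip_handlers=True)

class WidgetFilter(HTMLParser):
    """Rebuilds markup, swallowing dropped (container) elements and, if asked, on* attributes."""

    def __init__(self, dropped_tags, strip_handlers):
        super().__init__(convert_charrefs=True)
        self.dropped, self.strip_handlers = dropped_tags, strip_handlers
        self.out, self.skip, self.raw = [], 0, None  # skip > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs, self_closing=False):
        if tag in self.dropped:
            self.skip += not self_closing  # the element's body is swallowed with it
            return
        if self.skip:
            return
        kept = []
        for name, value in attrs:
            if self.strip_handlers and name.startswith("on"):
                continue  # onclick, onload, onerror ... run script without any <script> tag
            esc = html.escape(value or "", quote=False).replace('"', "&quot;")
            kept.append(f' {name}="{esc}"')
        if tag in ("script", "style") and not self_closing:
            self.raw = tag  # their bodies arrive unescaped and are written back unchanged
        self.out.append(f"<{tag}{''.join(kept)}{' /' if self_closing else ''}>")

    def handle_startendtag(self, tag, attrs):  # <img ... /> and friends
        self.handle_starttag(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        if tag in self.dropped:
            self.skip = max(0, self.skip - 1)
        elif not self.skip:
            self.raw = None if tag == self.raw else self.raw
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(data if self.raw else html.escape(data, quote=False))

def sanitize(markup, dropped_tags=frozenset(), strip_handlers=False):
    # Defaults filter nothing: the HTML widget after the three filter entries were removed.
    f = WidgetFilter(dropped_tags, strip_handlers)
    f.feed(markup)
    f.close()
    return "".join(f.out)
```

Run the thread's anchor-with-onclick through `FORMATTED_TEXT` and only `<a href="#">` survives around the image, which is what John saw on the test space; the same input through `SITE_FILTER` or no profile keeps the handler intact.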

