Ticket #10681 (closed Bug: fixed)

Opened 4 years ago

Last modified 2 years ago

No way to disable filtering of "embed" tag

Reported by: khink Owned by: rochecompaan
Priority: major Milestone: 4.x
Component: Visual Editor Version:
Keywords: TuneUp investigate Cc: nueces, davilima6

Description

Found in version 1.1rc12 (with Plone 4.0b4).

When trying to save HTML which contains en "embed" tag inside an "object" tag (see HTML in the attachment, embed.html.gz), there is no way (that i can see) to prevent filtering of the "embed" tag. The tag is filtered out when switching back from HTML view to WYSYWIG view.

See discussion on the plone-users mailing list:  http://comments.gmane.org/[…]/108322

Steps to reproduce:

0) Install a fresh Plone 4.0b4 instance from buildout.

1) @@filter-controlpanel:

1a) Remove "embed" and "object" from "Dangerous tags" list.

1b) Remove "embed" and "object" from list of tags whose contents are stripped.

After this, and after reloading the edit form of the page where i want include the attached file in the HTML, i switch to HTML mode and include the attached HTML. When switching back from HTML view to WYSYWIG view, the "object" tag is saved, including the "param" tags, but the "embed" tag is still filtered.

1c) Tried adding "param" and "object" to the list of custom tags, but that doesn't work, probably because thay are defined in XHTML, and the "custom" list is intended for tags that are not. Note: "embed" is in the list of custom tags.

I seem to have run out of options on the @@filter-controlpanel.

2) ZMI > portal_transforms:

2a) safe_html: Added "embed" to valid_tags (value 1 to indicate it should have a separate closing tag). "Object" is already there. Reloaded edit page, no effect. Clicked "reload transforms" tab in ZMI and reloaded edit page, no effect.

2b) safe_html: Set "disabled_transform" to 1, clicked "reload transforms", reloaded edit page. No change. Is this transform used at all?

Also reported as  http://plone.org/products/tinymce/issues/164

Attachments

embed.html.gz Download (282 bytes) - added by khink 4 years ago.
Example HTML code containing an "embed" tag.

Change History

Changed 4 years ago by khink

Example HTML code containing an "embed" tag.

comment:1 Changed 4 years ago by khink

  • Status changed from new to closed
  • Resolution set to invalid

Follow-up: I just now discovered the "Insert embedded media" enabling button on @@tinymce-controlpanel. When using this button, saving the page and viewing it, i saw no video initially.

After modifying the safe_html transform, i did see the video, and what's more, it works under IE as well, which is what this issue is really about.

It's still impossible to modify insert HTML which contains the "embed" element inside the "object", but that in itself is not a bug.

Bug is closed.

comment:2 Changed 3 years ago by jonstahl

  • Priority changed from minor to major
  • Status changed from closed to reopened
  • Resolution invalid deleted

I think this is actually still a live bug, with Plone 4.0-final, probably upstream in TinyMCE, but possibly having something to do with how we are initializing it.

Here's what I'm experiencing:

  • TinyMCE appears to be stripping out <embed> tags no matter whether they're brought in by pasting into raw HTML or by using the Insert Media drawer.
  • Setting HTML filtering and/or the Safe_HTML transform to allow <embed> tags, as described above, has no effect. I don't think they're involved at all, because this is happening before the page is saved.

Bottom line: it is not possible to effectively embed YouTube videos or other embeds that use the <embed> tag if you are using TinyMCE as your editor. This is a fairly severe regression for anybody using embeds on their site.

Googling for "TinyMCE embed" produces lots of discussion and hits, which may be worth exploring.

comment:3 Changed 3 years ago by elvix

Initial poking at this leads me to suspect that the HTMl filter settings are not respected at all. Can this be the case?

I have the same problem with adding <u> to the allowed tags list.

comment:4 Changed 3 years ago by calvinhp

  • Keywords TuneUp investigate added
  • Milestone changed from 4.0 to 4.x

comment:5 Changed 3 years ago by nueces

  • Cc nueces added

comment:6 Changed 3 years ago by davilima6

  • Cc davilima6 added

I confirm the bug with Plone 4.1rc3.

comment:7 follow-ups: ↓ 8 ↓ 9 Changed 2 years ago by rochecompaan

  • Status changed from reopened to new
  • Owner set to rochecompaan

This does not seem to be an upstream bug, nor a problem with the TinyMCE editor. I found the following issues:

  1. TinyMCE must be initialised with "media_strict: false" to prevent stripping of the "embed" tag.
  1. The TinyMCE utility (that provides the configuration data as a JSON structure to TinyMCE) does not list "embed" as an XHTML tag.
  1. Removing tags from the @@filter-controlpanel does not update the safe_html transform properly. The behaviour I see is that the tags are removed from the list of nasty tags after I click on "Remove selected items" but they are back in the list once a reload the page.

comment:8 in reply to: ↑ 7 Changed 2 years ago by rochecompaan

Replying to rochecompaan:

This does not seem to be an upstream bug, nor a problem with the TinyMCE editor. I found the following issues:

  1. TinyMCE must be initialised with "media_strict: false" to prevent stripping of the "embed" tag.

Fixed in  https://github.com/plone/Products.TinyMCE/commit/2daf5963d9d8dab25afc3b09661111f899494d07

  1. The TinyMCE utility (that provides the configuration data as a JSON structure to TinyMCE) does not list "embed" as an XHTML tag.

This was not actually an issue on trunk anymore.

comment:9 in reply to: ↑ 7 Changed 2 years ago by rochecompaan

  • Status changed from new to closed
  • Resolution set to fixed

Replying to rochecompaan:

  1. Removing tags from the @@filter-controlpanel does not update the safe_html transform properly. The behaviour I see is that the tags are removed from the list of nasty tags after I click on "Remove selected items" but they are back in the list once a reload the page.

In the #plone-tuneup channel datakurre told me I must click on "Save" at the bottom of the page to actually apply the changes, to which I responded "What a usability disaster". Anyway this ticket is fixed and I'm closing it.

Realise that removing "embed" and "object" from nasty tags is not enough, you have to add it to the list of "custom" tags to have it registered with the safe_html transform. I'd say this is in a working but convoluted state - we can certainly improve the user interaction here.

Note: See TracTickets for help on using tickets.