
TinyMCE Valid Elements Problem (object/param)


Iain

Apologies if this is in the wrong place.

I'm trying to embed a Scribd document into a TinyMCE editor, but the OBJECT and PARAM tags are being stripped out. Some of the Object bits remain, but most of it gets stripped out and the Param tags get removed totally.

I've copied the current valid_elements field below, why might this be happening?

@[id|class],iframe,object[id|name|height|width|type|data|style],param[name|value],embed,div,a[href|target|name|title|style],strong/b,em/i,br,img[align|src|id|class|style|width|height|alt],ul,ol,li,p[class],h2,h3,h4,blockquote,-p[style],-table[border=0|style|cellspacing|cellpadding|width|frame|rules|height|align|summary|bgcolor|background|bordercolor],-tr[rowspan|width|height|align|valign|bgcolor|background|bordercolor|style],tbody,thead,tfoot,#td[colspan|rowspan|width|height|align|valign|bgcolor|background|bordercolor|scope],#th[colspan|rowspan|width|height|align|valign|scope],pre,code

Thanks apeisa, sorry about putting it in the wrong spot!

The code is an embedded Scribd file, as below...

<a title="View Ofsted Results Newsletter - Feb 11 on Scribd" href="http://www.scribd.com/doc/65057534/Ofsted-Results-Newsletter-Feb-11?secret_password=260t1bcew0vncrtk5rmc" style="margin: 12px auto 6px auto; font-family: Helvetica,Arial,Sans-serif; font-style: normal; font-variant: normal; font-weight: normal; font-size: 14px; line-height: normal; font-size-adjust: none; font-stretch: normal; -x-system-font: none; display: block; text-decoration: underline;">Ofsted Results Newsletter - Feb 11</a> 

<object id="doc_44192" name="doc_44192" height="600" width="100%" type="application/x-shockwave-flash" data="http://d1.scribdassets.com/ScribdViewer.swf" style="outline:none;" >
<param name="movie" value="http://d1.scribdassets.com/ScribdViewer.swf">
<param name="wmode" value="opaque">
<param name="bgcolor" value="#ffffff">
<param name="allowFullScreen" value="true">
<param name="allowScriptAccess" value="always">
<param name="FlashVars" value="document_id=65057534&access_key=key-wh4zdw27cc83o0c2n84&page=1&viewMode=list">
<embed id="doc_44192" name="doc_44192" src="http://d1.scribdassets.com/ScribdViewer.swf?document_id=65057534&access_key=key-wh4zdw27cc83o0c2n84&page=1&viewMode=list" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" height="600" width="100%" wmode="opaque" bgcolor="#ffffff"></embed>
</object>

If it's possible to create a separate textarea field (with no textformatters) for handling this need, I would suggest doing that. At least, that's what I usually do. Tags like <script> <object> <embed> are kind of like EXE files on a PC in that they are usually legitimate, but can occasionally be malicious. So it's one of those things that I don't like clients pasting into a TinyMCE field because they may not even be able to see that it's there (short of the HTML view, which few know how to use). Using a plain textarea for the specific purpose of handling these tags isn't any better from a security standpoint, but at least it's always done with intention and you always know it's there.

As an example, on processwire.com I have a plain textarea called video_embed where I paste in youtube/vimeo embed links. If the page sees the video_embed field is, then it outputs that above the bodycopy.

If using a separate field for your object/embed isn't an option, then it should still be possible to make it work with TinyMCE. It seems like your object and param tags are consistent with what's in your valid_elements, so it's not immediately clear to me why those are being stripped. Can you paste in the resulting HTML after it's been stripped? But your embed tag doesn't have any attributes assigned to it, so I can see why that one is getting stripped. If it helps, here is what's in TinyMCE's documentation for valid_elements of these tags:

object[classid|width|height|codebase|*],param[name|value|_value],embed[type|width|height|src|*]

If that doesn't work, it's also worth trying the object/embed/param from their full XHTML valid_elements set too:

http://www.tinymce.com/wiki.php/Configuration:valid_elements


Thanks Ryan, I'll try a couple of those suggestions.

The remaining HTML is as follows...

<p><a href="http://www.scribd.com/doc/65057534/Ofsted-Results-Newsletter-Feb-11?secret_password=260t1bcew0vncrtk5rmc" title="View Ofsted Results Newsletter - Feb 11 on Scribd" style="margin: 12px auto 6px auto; font-family: Helvetica,Arial,Sans-serif; font-style: normal; font-variant: normal; font-weight: normal; font-size: 14px; line-height: normal; font-size-adjust: none; font-stretch: normal; display: block; text-decoration: underline;">Ofsted Results Newsletter - Feb 11</a><iframe id="doc_8844" class="scribd_iframe_embed"></iframe></p><script>// <![CDATA[
(function() { var scribd = document.createElement("script"); scribd.type = "text/javascript"; scribd.async = true; scribd.src = "http://www.scribd.com/javascripts/embed_code/inject.js"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(scribd, s); })();
// ]]></script>

I'm a little confused by the remaining code. It looks like they are using an <iframe> embed (like newer style youtube embeds), so I don't understand why the <object> or <embed> tags are even necessary… they don't need them. Even more interesting is that it looks like they are doing yet another embed with the <script> tag. They have full markup control over your page at that point.


What's even more annoying is that the code I'm using is for the Flash version of the embedder. They also offer an HTML5 version which I was hoping to avoid for compatibility's sake, but that's an actual IFRAME and the SRC gets stripped from that so stops working as well.

This is the embed code from their site:

<a title="View Ofsted Results Newsletter - Feb 11 on Scribd" href="http://www.scribd.com/doc/65057534/Ofsted-Results-Newsletter-Feb-11?secret_password=260t1bcew0vncrtk5rmc" style="margin: 12px auto 6px auto; font-family: Helvetica,Arial,Sans-serif; font-style: normal; font-variant: normal; font-weight: normal; font-size: 14px; line-height: normal; font-size-adjust: none; font-stretch: normal; -x-system-font: none; display: block; text-decoration: underline;">Ofsted Results Newsletter - Feb 11</a><iframe class="scribd_iframe_embed" src="http://www.scribd.com/embeds/65057534/content?start_page=1&view_mode=list&access_key=key-wh4zdw27cc83o0c2n84&secret_password=260t1bcew0vncrtk5rmc" data-auto-height="true" data-aspect-ratio="0.706697459584296" scrolling="no" id="doc_44556" width="100%" height="600" frameborder="0"></iframe><script type="text/javascript">(function() { var scribd = document.createElement("script"); scribd.type = "text/javascript"; scribd.async = true; scribd.src = "http://www.scribd.com/javascripts/embed_code/inject.js"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(scribd, s); })();</script>

Which, when I save the page, ends up like this:

<p><a href="http://www.scribd.com/doc/65057534/Ofsted-Results-Newsletter-Feb-11?secret_password=260t1bcew0vncrtk5rmc" title="View Ofsted Results Newsletter - Feb 11 on Scribd" style="margin: 12px auto 6px auto; font-family: Helvetica,Arial,Sans-serif; font-style: normal; font-variant: normal; font-weight: normal; font-size: 14px; line-height: normal; font-size-adjust: none; font-stretch: normal; display: block; text-decoration: underline;">Ofsted Results Newsletter - Feb 11</a><iframe id="doc_44556" class="scribd_iframe_embed"></iframe></p><script>// <![CDATA[
(function() { var scribd = document.createElement("script"); scribd.type = "text/javascript"; scribd.async = true; scribd.src = "http://www.scribd.com/javascripts/embed_code/inject.js"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(scribd, s); })();
// ]]></script>

What you mentioned about people adding unsecure scripts into the editor doesn't faze me because I'm the one doing the updates. I've got 11 years web design experience so can (in theory!) know if I'm about to do something stupid in terms of site security. Of course now I've said that I'll probably post the password by mistake.

If it comes to a last resort, is there any way I can just disable the tag cleanup procedure?

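The thread treats valid_elements as an attribute allow-list: a bare `embed` or `iframe` rule names the tag but no attributes, and the saved iframe above comes back with only `id` and `class`. The sketch below is an added example, not part of the thread and not TinyMCE's own code; it reads a rule string that way and reports which attributes each tag keeps. The function names are hypothetical, the first rule string is the leading part of the one in the first post, and treating a repeated rule for one element as replacing the earlier one is an assumption.

```javascript
// Added example (hypothetical helper names): read a TinyMCE valid_elements
// string as a per-element attribute allow-list.
function parseValidElements(spec) {
  const rules = new Map();
  let globals = [];                       // attributes from the '@' rule
  for (const raw of spec.split(',')) {
    // optional element prefix (- # + !), name(s), optional [attr|attr|...]
    const m = /^([-#+!]?)([^\[]+)(?:\[([^\]]*)\])?$/.exec(raw.trim());
    if (!m) continue;
    const attrs = (m[3] ? m[3].split('|') : [])
      // drop the "required" marker and any =default, :forced or <verify part
      .map(a => a.replace(/^!/, '').split(/[=:<]/)[0].toLowerCase())
      .filter(Boolean);
    if (m[2] === '@') { globals = attrs; continue; } // applies to later rules
    for (const name of m[2].split('/')) {            // strong/b style synonyms
      // Assumption: a repeated rule for one element replaces the earlier one.
      rules.set(name.toLowerCase(), new Set([...globals, ...attrs]));
    }
  }
  return rules;
}

// Returns the attribute names that survive, or null if the tag is not allowed.
function keptAttributes(rules, tag, attrNames) {
  const allowed = rules.get(tag.toLowerCase());
  if (!allowed) return null;
  return attrNames.filter(a => allowed.has('*') || allowed.has(a.toLowerCase()));
}

// Leading rules of the valid_elements string quoted in the first post.
const POSTED = parseValidElements(
  '@[id|class],iframe,object[id|name|height|width|type|data|style],' +
  'param[name|value],embed,div,a[href|target|name|title|style]');
// The rules quoted from TinyMCE's documentation later in the thread.
const DOCUMENTED = parseValidElements(
  'object[classid|width|height|codebase|*],param[name|value|_value],' +
  'embed[type|width|height|src|*]');

const iframeAttrs = ['class', 'src', 'scrolling', 'id', 'width', 'height', 'frameborder'];
const embedAttrs = ['id', 'name', 'src', 'type', 'height', 'width'];
const objectAttrs = ['id', 'name', 'height', 'width', 'type', 'data', 'style'];

console.log('iframe, posted rules:   ', keptAttributes(POSTED, 'iframe', iframeAttrs));
console.log('embed, posted rules:    ', keptAttributes(POSTED, 'embed', embedAttrs));
console.log('object, posted rules:   ', keptAttributes(POSTED, 'object', objectAttrs));
console.log('embed, documented rules:', keptAttributes(DOCUMENTED, 'embed', embedAttrs));
```

Under the posted rules the iframe keeps only `class` and `id`, which matches the saved markup in the thread, while the object rule already lists every attribute the Scribd snippet uses. Adding just the attributes an embed needs to the `iframe` or `embed` rule keeps the allow-list narrower than a `*` wildcard.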
