What version of 68 Classifieds are you running? Newest version
What template are you using? Custom
Please describe in detail the issue you are having: As soon as I try to put in javascript into my page editor it is removed automatically and replaces it with this: [removed][removed] [removed][removed]
I tried deleting it and re-creating it and no change. I am unable to add javascript to my page. Is my server doing this? Is this because of the new security features? Also it shows these tags as well: <html > <head> </head> <body>
It's probably not your server settings. seymourjames ran into a similar issue with posting a listing, which has already been fixed. This seems to be a similar bug, just in a different area, so I would definitely submit this to the bugtracker.
When you say you are using the "Newest version", does that mean you are using v4.2.2? "Newest" for one person isn't necessarily the same for someone else. When you say, "into my page editor", do you mean the page editor in the administration, or do you mean a page editor on your computer? If it's the administration page editor, then it is the new filters being used as part of the security updates. That does bring up a good point, as the administrator is obviously not going to be entering malicious code into their own website and pages. Might be a good suggestion to make, that the administration goes through a different filtering method than the front end does to allow more html elements as well as javascript, etc.
1. Yes the v4.2.2. 2. Yes the page editor in the admin panel. Ya the admin should definitely not be filtered on his posts.
This was put in there by design and is not a bug. I completely understand the desire to allow the insertion of any code through the editor, but I don't agree that this should always be allowed. The page editor for sites that utilize the admin permissions to enable some users the ability to edit settings/pages, cannot choose to deny them the ability to add in unsafe HTML/javascript/PHP etc that could break the entire site or at worst unintentionally compromise the server. While the same user will also have the ability to edit templates its purpose is different and you can always not chmod the templates directory.
If you are the only admin and you don't rely on the administration permissions or worry that an editor or somebody could mistakenly add unsafe code, you can change this by editing the source. Pages load through the same template, so the admin still has full control via the template editor and FTP which preserves security through admin permissions. You can conditionally add javascript to the pages' template, content.tpl, to execute javascript for specific pages and still have full control. But that requires the intentional chmod of the templates directory which is not required by default or FTP access.
I think the best solution is to make a new admin permission, where if you choose to allow any input, unsafe or otherwise, you can do so by enabling this feature on a per admin basis. Otherwise, and by default, only safe html would be allowed.
In the meantime if you want to disable filtering of input for the page editor you may do so by editing that file directly: administration/pages.php line 94 & 138:
find:
    Filter::mysql_quote(Filter::safe_html($_POST['pPageContent']))
replace with:
    Filter::mysql_quote($_POST['pPageContent'])
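The per-admin permission proposed in the post above, sketched as an added example; it is not 68 Classifieds code and not part of the original post. `allow_unsafe_html`, `page_content_for()` and `allowlist_html()` are hypothetical names, and the allowlist sanitizer stands in for `Filter::safe_html`, whose internals the thread does not show.

```php
<?php
// Hypothetical names throughout; this is not 68 Classifieds code.
const SAFE_TAGS  = ['p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'a', 'h2', 'h3'];
const SAFE_ATTRS = ['a' => ['href', 'title']];

function allowlist_html(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // sloppy markup should not raise warnings
    // The meta prefix makes libxml decode the input as UTF-8.
    $doc->loadHTML('<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><body>'
        . $html . '</body>');
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    $xp = new DOMXPath($doc);
    foreach ($xp->query('.//comment()', $body) as $comment) {
        $comment->parentNode->removeChild($comment);
    }
    foreach ($xp->query('.//*', $body) as $el) {
        $tag = strtolower($el->nodeName);
        if (!in_array($tag, SAFE_TAGS, true)) {
            // Drop the element and everything inside it, leaving a marker.
            $el->parentNode->replaceChild($doc->createTextNode('[removed]'), $el);
            continue;
        }
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            $ok = in_array($attr->name, SAFE_ATTRS[$tag] ?? [], true);
            if ($ok && $attr->name === 'href') { // allowlist link schemes, deny the rest
                $ok = preg_match('#^(https?://|mailto:|/|\#)#i', trim($attr->value)) === 1;
            }
            if (!$ok) { $el->removeAttributeNode($attr); }
        }
    }
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function page_content_for(array $admin, string $posted): string
{
    // Default deny: raw HTML is kept only when the flag is explicitly true.
    return ($admin['allow_unsafe_html'] ?? false) === true ? $posted : allowlist_html($posted);
}

// Constructed input: an editor without the flag submits a page with script and handlers.
$posted = '<p onclick="x()">Rates <a href="javascript:x()">here</a></p>'
        . '<script src="https://ads.example/show.js"></script>';
echo page_content_for(['allow_unsafe_html' => false], $posted), "\n";
```

Whichever branch is taken, the result still needs the application's SQL quoting before it is stored, as in both versions of the `pages.php` line quoted in the post.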
Wow, I just ran into this problem trying to add Google ads to a page. When I saw the [removed] I thought that Google was doing it because it didn't like my page.... paranoid? Anyway, before I found this post I just added code directly into the database. Now I know.
Just got caught by this again and forgot about this post - I can understand that code and scripts should be filtered out from a post but I can't see why it would be done to extra pages added by the site admin. In 99% of cases they are the site owner and doing the design. I think it is more likely to be an issue this way round with filtering rather than the other way as many site owners want to put in adsense etc directly into their extra pages. At present on current versions you can't do this - i.e. put an adsense block into the text like this exchange rate. I would vote for some switch or something like a "superuser" in a future release.
Just saw a switch in the admin panel - good good - so it is possible to turn it off for an admin. I feel dumb now.
Is there a switch or code change to do this in v4.2.4? I searched through the administration/pages.php and can't seem to find the specific code mentioned. Thanks
Yes - it is in the admin panel as in the post above. A checkbox near the bottom right hand corner when you click on the admin user.
I think rather than posting questions you may do better by spending some time reviewing the 68C documentation on their web site - this will help you a lot to get a basic grounding with the script.