Blacklisting and Whitelisting HTML Tags in Joomla 1.5.8
Posted by: Jen Kramer on Nov 21, 2008
I really love Joomla! User Group New England. We meet the 3rd Wednesday of each month. And it's amazing what happens when you put so many intelligent people in one room -- the problems we solve!
Earlier that day, I was working on a site that had just been upgraded to Joomla 1.5.8. I noticed that a script tag I had included in a piece of content was getting stripped out when I saved the article.
Step 1: Examine the Wysiwyg Pro settings. Wysiwyg Pro is our preferred editor for Joomla, as its usability is awesome for our clients. Of course, it hadn't been stripping out the script tag before, so why was it going now?
Step 2: In the user manager, totally disable any editor for my profile, then go into the article again, re-add the script tag, save... wow, script tag is still gone! So it's something in Joomla stripping it out, not the editor.
Sure enough, Andrea Tarr of Tarr Consulting had the answer at the JUG meeting that night. Joomla has enabled some HTML filtering that's described in the forums.
Basically, you can work with an HTML blacklist or an HTML whitelist. The blacklist states that everything is permitted EXCEPT given HTML tags. The whitelist means ONLY certain HTML tags are permitted.
From the tooltip in the Article Manager Parameters:
-- The default blacklist includes the following tags: 'applet', 'body', 'bgsound', 'base', 'basefont', 'embed', 'frame', 'frameset', 'head', 'html', 'id', 'iframe', 'ilayer', 'layer', 'link', 'meta', 'name', 'object', 'script', 'style', 'title', 'xml'
-- The default blacklist includes the following attributes: 'action', 'background', 'codebase', 'dynsrc', 'lowsrc'
-- You can blacklist additional tags and attributes by adding to the Filter Tags and Filter Attributes fields, separating each tag or attribute name with a space or comma.
Whitelist allows only the tags listed in the Filter Tags and Filter Attributes fields.
No HTML removes all HTML tags from the content when it is saved.
Please note that these settings work regardless of the editor that you are using.
Even if you are using a WYSIWYG editor, the filtering settings may strip additional tags and attributes prior to saving information in the database.
So, if you choose a whitelist and allow only paragraphs, bullet lists (UL and LI), and heading 2, then someone who tries to use a heading 1 will NOT be permitted to do so.
The whitelist setting might be useful if you're getting article submissions from your Joomla site. However, for clients who are just editing their own articles and don't have a host of hundreds/thousands contributing to the site, the blacklist setting is probably preferred.
Again, to set this up, make sure you go into the Article Manager - Parameters, scroll to the bottom of the screen, and select blacklist/whitelist/no HTML. Then apply a user group to it. For example, if you pick Manager, then Manager and all levels below it will be subject to the settings.
And THAT is why my script tags were getting stripped out, where they weren't before!
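The three modes described above, modelled in Python as an added example (this is not Joomla's filter code and not part of the original post). The class and function names are hypothetical, keeping the text inside a removed tag is an assumption of this model, and the sample markup is constructed.

```python
import html
from html.parser import HTMLParser

# Default blacklists, copied from the Article Manager tooltip quoted above.
DEFAULT_TAGS = set("""applet body bgsound base basefont embed frame frameset head
html id iframe ilayer layer link meta name object script style title xml""".split())
DEFAULT_ATTRS = {"action", "background", "codebase", "dynsrc", "lowsrc"}

class ModeFilter(HTMLParser):
    """Toy model of the blacklist / whitelist / nohtml modes (hypothetical class)."""

    def __init__(self, mode, tags=(), attrs=()):
        super().__init__()
        self.mode, self.out = mode, []
        # Blacklist mode extends the defaults; whitelist mode uses only the fields.
        black = mode == "blacklist"
        self.tags = (DEFAULT_TAGS if black else set()) | set(tags)
        self.attrs = (DEFAULT_ATTRS if black else set()) | set(attrs)

    def allowed(self, name, listed):
        if self.mode == "nohtml":
            return False
        # Whitelist: must be listed. Blacklist: must not be listed.
        return (name in listed) == (self.mode == "whitelist")

    def handle_starttag(self, tag, attrs):
        if self.allowed(tag, self.tags):
            kept = "".join(
                f" {k}" if v is None else f' {k}="{html.escape(v)}"'
                for k, v in attrs if self.allowed(k, self.attrs))
            self.out.append(f"<{tag}{kept}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # self-closing tag: emit once, no end tag

    def handle_endtag(self, tag):
        if self.allowed(tag, self.tags):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Assumption: text is kept (re-escaped) even when its tag is removed.
        self.out.append(html.escape(data, quote=False))

def filter_html(text, mode, tags=(), attrs=()):
    """mode is 'blacklist', 'whitelist' or 'nohtml'; tags/attrs are the filter fields."""
    f = ModeFilter(mode, tags, attrs)
    f.feed(text)
    f.close()
    return "".join(f.out)

# Constructed sample article body.
SAMPLE = ('<h1>Sale</h1><p class="x" background="b.png">Hi</p>'
          '<ul><li>one</li></ul><script src="x.js"></script>')
```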

written by daniel, March 15, 2009
Can you explain to me why when I have it blacklisted, my HTML (which is flash and xml etc) for a banner from Amazon.com doesn't get accepted? All I get is the HTML spit back out at me on black, white and no HTML on my live site.