Custom Tag stop while running


Damien MARTIN

Friday 03 December 2010 7:17:26 am

Hi there, I created a custom tag to allow users to add extra HTML/Javascript code in XMLBlock.

So I did the following modifications:

content.ini.append.php

[CustomTagSettings]
AvailableCustomTags[]=code
IsInline[code]=false

[code]
CustomAttributes[]=code

ezoe_attributes.ini.append.php

[code]
CustomAttributes[]=code

[CustomAttribute_code_code]
Name=Code
Type=text
Required=true

code.tpl

{wrap_php_func('html_entity_decode', array( $code ))}

With this, <b>UN</b> <i>test</i> <u><i>normal</i></u> runs correctly but

<script type="text/javascript"> alert ( "Hello World" ) ;</script>

Stops while running with the following error:

<!-- START: including template: design/standard/templates/content/datatype/view/ezxmltags/code.tpl (design:content/datatype/view/ezxmltags/code.tpl) -->
Mon code : <script typ
<!-- STOP: including template: design/standard/templates/content/datatype/view/ezxmltags/code.tpl (design:content/datatype/view/ezxmltags/code.tpl) -->

I don't understand what happens.

Could someone explain to me why it crashes while running this very simple text?

Thanks,

Damien

Ivo Lukac

Monday 06 December 2010 3:05:44 am

Hi,

With your code you are adding a <script> tag in an ezxml field, which does not support that tag.

I would suggest that you add additional eztext attribute in the class and deal with the javascript code in the template of the class.

http://www.linkedin.com/in/ivolukac
http://www.netgen.hr/eng/blog
http://twitter.com/ilukac

Jérôme Vieilledent

Monday 06 December 2010 3:19:18 am

Another solution could be to activate raw HTML support via the literal tag.

You can do this in an override of content.ini. Here's what the original content.ini says:

[literal]
AvailableClasses[]
# The class 'html' is disabled by default because it gives editors the
# possibility to insert html and javascript code in XML blocks.
# Don't enable the 'html' class unless you really trust all users who has
# privileges to edit objects containing XML blocks.
#AvailableClasses[]=html

This can be a solution, but since there is currently no security policy check on attributes, there might be an XSS security issue here...
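As an added example that is not part of this thread or of eZ Publish, here is a hypothetical PHP helper the code.tpl output could run the `code` attribute through instead of html_entity_decode(): it keeps the tags the first post showed working and drops everything else, including the <script> tag that the raw-HTML route above leaves open as an XSS risk. It assumes PHP's bundled DOM extension and that $raw is the attribute value as the template receives it.

```php
<?php
// Added example (not from the thread or from eZ Publish): allowlist filter
// for the custom tag's 'code' attribute. Hypothetical helper; $raw is the
// attribute value as code.tpl would receive it.

// Tags the first post showed working, with the attributes each may keep.
const CODE_TAG_ALLOWLIST = ['b' => [], 'i' => [], 'u' => [], 'p' => [],
                            'br' => [], 'a' => ['href']];

function sanitizeCustomCode(string $raw): string
{
    $doc = new DOMDocument();
    // Wrap the fragment in a root element; the PI forces UTF-8 decoding.
    $loaded = @$doc->loadHTML('<?xml encoding="utf-8"?><div>' . $raw . '</div>',
                              LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    if (!$loaded) {
        return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'); // unparseable: escape it all
    }
    $root = $doc->getElementsByTagName('div')->item(0);
    cleanNode($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child); // text nodes are re-escaped here
    }
    return $out;
}

function cleanNode(DOMNode $node): void
{
    // Walk a static copy: removing children while iterating is unsafe.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if (!$child instanceof DOMElement) {
            continue;
        }
        $tag = strtolower($child->tagName);
        if (!isset(CODE_TAG_ALLOWLIST[$tag])) {
            $node->removeChild($child); // script, object, embed, ... removed whole
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            $badHref = $name === 'href' && !preg_match('#^https?://#i', $attr->value);
            if (!in_array($name, CODE_TAG_ALLOWLIST[$tag], true) || $badHref) {
                $child->removeAttribute($attr->name); // drops on*, style, javascript: links
            }
        }
        cleanNode($child);
    }
}

echo sanitizeCustomCode('<b>UN</b> <i>test</i> <script type="text/javascript">alert("Hello World");</script>');
```

Extending the allowlist is how each extra use case (image maps, links) gets admitted deliberately, which is the opposite of enabling literal.html for everyone.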

Damien MARTIN

Monday 06 December 2010 3:22:33 am

Thanks Ivo,

But my users need to add more than JS. They should be able to add things like image maps or swf objects directly in the xmlblock.

I know that I can do this using object and embed templates, but it is very inconvenient to have to create items before inserting them. So I would like to try "custom tag" instead.

So I suppose I will have no choice but to create a new class named "custom_code" or something like that and create a kind of "piece of code library".

Thank you very much again.

Ivo Lukac

Monday 06 December 2010 4:02:28 am

"

Another solution could be to activate raw HTML support via the literal tag.

You can do this in an override of content.ini. Here's what the original content.ini says:

[literal]
AvailableClasses[]
# The class 'html' is disabled by default because it gives editors the
# possibility to insert html and javascript code in XML blocks.
# Don't enable the 'html' class unless you really trust all users who has
# privileges to edit objects containing XML blocks.
#AvailableClasses[]=html

This can be a solution, but since there is currently no security policy check on attributes, there might be an XSS security issue here...

"

If I were him I would rather not do that :)


André R.

Monday 06 December 2010 4:23:22 am

literal.html is the only solution that will accept raw html.
If you want to use custom tags, then you will need to create one per use case: one for image maps (with attributes for input), one for script (with url as attribute) and so on.

You can set up a custom tag to behave as an inline block in OE with the following settings in content.ini:

## Displays the custom tag as an image so you cannot create sub content.
## Will use custom image if there is a custom attribute on the tag named 'image_url'
#IsInline[externalimage]=image
## Lets you specify 22x22 icon to use on custom image tag if it doesn't have 'image_url'
#InlineImageIconPath[mashup]=images/tango/image-x-generic22.png

eZ Online Editor 5: http://projects.ez.no/ezoe || eZJSCore (Ajax): http://projects.ez.no/ezjscore || eZ Publish EE http://ez.no/eZPublish/eZ-Publish-Enterprise-Subscription
@: http://twitter.com/andrerom

Jérôme Vieilledent

Monday 06 December 2010 5:22:39 am

"

If I were him I would rather not do that

"

Why not? If this fits the need, then this is the solution! ;)

The only thing is that the website administrator has to trust his contributors, that's all! Besides, this is the case for every CMS that proposes such a feature...

Damien MARTIN

Monday 06 December 2010 6:25:28 am

Thank you very much everybody.

I called my customer and we decided together to create objects before adding them in XML Block.

I hope that this thread will be useful for other people.

Thanks,

Damien

Powered by eZ Publish™ CMS Open Source Web Content Management. Copyright © 1999-2014 eZ Systems AS (except where otherwise noted). All rights reserved.