beat wrote:

spikec wrote:

Beat, can you give me a list of the tags that are now filtered by the new release? I had set up a creative tab where the kids ccould paste background and "myspace" layout codes to pretty up their profiles. None of this seems to be working now, esp when using the <style type="text/css"> tag.

thanks

Here the complete list of potentially hostile tags that get filtered in CB's editorArea field type:

'applet', 'body', 'bgsound', 'base', 'basefont', 'embed', 'frame', 'frameset', 'head', 'html', 'id', 'iframe', 'ilayer', 'layer', 'link', 'meta', 'name', 'object', 'script', 'style', 'title', 'xml'.

These tags can be removed from the list in the config file as decribed before.

Here also the attributes (behind any tages) that get filtered as well:

'action', 'background', 'codebase', 'dynsrc', 'lowsrc', and also will strip ALL event handlers ('on....')

There is no config-file method to remove these attributes.

Ok....After checking the source code of the page
i notice that although i added the "allowed tages" code line
it still strips the object and embed tags

So far i've been able to remove the tags "embed" and "object"
DIRECTLY from "inputfilter" page

BUT it is still stripping all the embed parameters

ORIGINAL:

---

<embed src="http://DOMAINNAME/FOLDERNAME/flash.swf"
flashVars="fp_root_url=http://DOMAINNAME/FOLDERNAME/&ovr_color=0x000000&ovr_langage=en&ovr_playlist=styles&ovr_author=all&ovr_order=date_music&ovr_order_direction=DESC&ovr_autoplay=1&ovr_loop_playlist=1&ovr_loop_tracks=0&ovr_shuffle=1"
menu=false
quality=best
wmode=transparent
bgcolor=#383838
width="300"
height="315"
type="application/x-shockwave-flash"
pluginspage="www.macromedia.com/go/getflashplayer">
</embed>

---

RENDERED

---

<embed src="http://DOMAINNAME/FOLDERNAME/flash.swf">

</embed>

around line 26 in /includes/inputfilter.php i replaced
[code:1]var $tagBlacklist = array ('applet', 'body', 'bgsound', 'base', 'basefont', 'embed', 'frame', 'frameset', 'head', 'html', 'id', 'iframe', 'ilayer', 'layer', 'link', 'meta', 'name', 'object', 'script', 'style', 'title', 'xml');
var $attrBlacklist = array ('action', 'background', 'codebase', 'dynsrc', 'lowsrc'); // also will strip ALL event handlers[/code:1]

with:
[code:1]var $tagBlacklist = array ('body', 'base', 'basefont', 'frame', 'frameset', 'head', 'html', 'id', 'iframe', 'ilayer', 'layer', 'link', 'meta', 'name', 'script', 'style', 'title', 'xml');
var $attrBlacklist = array ('action', 'codebase', 'dynsrc', 'lowsrc'); // also will strip ALL event handlers[/code:1]

This seems to work for my site.. i dont recommend you do this.. you take full responsibility for lowering your security like this

i've just re-tested with many flash parameters and it seems to work with the above lines.

I forgot to re-enable the orignal lines when i tested the eu_config method so this bug slipped through

But at least it should work with this workaround.

~Trail

Nop... I still get Nothin'

It still strips the code "/$%?&

It's strips the code on submit...
even if i use no editor

This is getting stranger by the minute

I've just removed all the filter tags and i still get nothing