  1. Moodle
  2. MDL-25836

TinyMCE strips src attributes from <script> tags

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.0.1
    • Fix Version/s: 2.0.2
    • Component/s: HTML Editor (TinyMCE)
    • Labels:
      None
    • Affected Branches:
      MOODLE_20_STABLE
    • Fixed Branches:
      MOODLE_20_STABLE

      Description

      If you paste some HTML source into TinyMCE containing a script tag with src attribute, like:

      <script src="http://widgets.twimg.com/j/2/widget.js"></script>

      TinyMCE will strip the src attribute and leave <script></script> there.

      This happens for all users, including those with trusted content capability.

      I believe this is a bug because:
      a) Moodle 1.9 used to allow this, and it's necessary for embedding things such as twitter widgets, etc into HTML blocks.
      b) If I turn off javascript and circumvent TinyMCE, I can paste my script tags into the textfield and save it without problems. So it's not Moodle that strips it, it's TinyMCE.

            Activity

            skodak Petr Skoda added a comment -

            Did you enable $CFG->xmlstrictheaders?
            I thought that the $params['valid_elements'] = '*[*]'; should allow all tags and properties.

            ashleyholman Ashley Holman added a comment -

            Hi Petr, I don't have $CFG->xmlstrictheaders enabled. I did some further testing and I can use script src tags in the user profile description but if I try to add a HTML block to My Moodle or a course, the src attributes are stripped. I tested this on http://moodle.org/my/ and the problem is there too.

            dugh Doug Holton added a comment -

            I see it too, using latest moodle from cvs. I turned off javascript and was able to insert the script correctly as Ashley mentioned to circumvent tinymce.

            It also adds a language attribute while stripping the src attribute.

            Here's a FAQ about this for tinymce:
            http://tinymce.moxiecode.com/wiki.php/TinyMCE_FAQ#TinyMCE_strip_away_attributes_or_tags_from_my_source.3F

            tsala Helen Foster added a comment -

            Thanks Ashley and Doug. The next 2.0.1+ will include a fix for this issue.
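
            Added example (not part of the original thread, and not TinyMCE or Moodle code): a simplified model of an element/attribute allowlist in the element[attr|attr] form of the valid_elements value quoted above, useful for checking what a rule set would keep from the pasted snippet. The function names, the precedence of an exact element rule over '*', and the second rule set are assumptions constructed for illustration, not the cause identified in this issue.

```javascript
// Simplified allowlist model; handles element names, '*' wildcards and
// "attr=default" only. Hypothetical helper names, not a real TinyMCE API.
function parseValidElements(spec) {
  const rules = new Map(); // element name -> Map(attribute -> default or null)
  for (const part of spec.split(',')) {
    const m = /^\s*([^\[\s]+)\s*(?:\[([^\]]*)\])?\s*$/.exec(part);
    if (!m) continue; // skip malformed entries
    const attrs = new Map();
    for (const a of (m[2] || '').split('|').filter(Boolean)) {
      const [name, def] = a.split('=');
      attrs.set(name.trim().toLowerCase(), def === undefined ? null : def);
    }
    rules.set(m[1].toLowerCase(), attrs);
  }
  return rules;
}

// Returns the attributes that survive, or null when the element is not allowed.
// Assumption of this model: an exact element rule wins over the '*' rule.
function filterElement(tag, attrs, rules) {
  const rule = rules.get(tag.toLowerCase()) || rules.get('*');
  if (!rule) return null;
  const kept = {};
  for (const [name, value] of Object.entries(attrs)) {
    if (rule.has('*') || rule.has(name.toLowerCase())) kept[name] = value;
  }
  for (const [name, def] of rule) {
    // A declared default fills in an attribute the input did not carry.
    if (def !== null && !(name in kept)) kept[name] = def;
  }
  return kept;
}

// Constructed input: the attribute from the snippet in the issue description.
const pasted = { src: 'http://widgets.twimg.com/j/2/widget.js' };

function audit(spec) {
  return filterElement('script', pasted, parseValidElements(spec));
}

console.log(audit('*[*]'));                                  // src kept
console.log(audit('*[*],script[language=javascript|type]')); // constructed rule: src dropped
```

            Because the editor applies rules like these in the browser, they shape what the editor submits but do not replace server-side handling of untrusted HTML, as the JavaScript-disabled test in the description shows.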


                Dates

                • Created:
                  Updated:
                  Resolved:
                  Fix Release Date:
                  21/Feb/11