ExpressionEngine CMS
Open, Free, Amazing

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Allow safe html also strips 'p'(aragraph)

December 28, 2008 3:54pm

  • #1 / Dec 28, 2008 3:54pm

    ron00nor

    52 posts

    This is really driving me nuts.
    Changing weblog preferences to ‘Allow only safe html’ removes all ‘p’s. They are visible in the entry. I even checked the database (exp_weblog_data) and there they are too. But on the output some fields display OK, others not.
    Testing this issue I’m using two custom fields. I make them both similar. Both fields get the same data. The very strange thing is that in one field’s output there are no p’s. The other displays correctly. That is, when there’s a next line or paragraph it’s displaying correctly. Using a third field I also can’t get this one displaying either p’s or br’s.
    Somehow there’s a parameter I’m missing. Double checked all three fields and they are identical. Also updating the entry doesn’t solve.
    Adding p and br to the ‘core.typography.php’ also gives no difference.
    I simplified the template down to only displaying the appropriate field. Exactly the same problem.
    Disabling the WYSIWYG editor also makes no difference.
    Where o where are these p’s and br’s stripped? And why only certain fields?

    I need ‘Allow only safe html’ as members on this semi public weblog can submit their own entries.

    Using EE 1.6.6

  • #2 / Dec 28, 2008 8:09pm

    Greg Aker

    6022 posts

    Actually, the list Greg gave you is conclusive, <p> is not contained in this list. You’d either have to “Allow all HTML”, or use XHTML formatting which will add this tag as required.

  • #3 / Dec 29, 2008 4:09am

    ron00nor

    52 posts

    Hi Greg,

    Thanks for replying. I use a WYSIWYG editor: TinyMce with the LG extension. But this is back-end. Entering a new entry and then previewing it, all looks fine, in the CP. Only the output fails with the paragraphs.
    When applying the WYSIWYG to the field type the format type of the field isn’t available.
    I changed one of the fields to textarea and XHTML. Then certainly very strange things are going on: two of the three testing fields give the right output. So even a field I did not touch gives different (good) output.
    I don’t dare changing all to XHTML because I need the WYSIWYG for my users. They go wild when I suggest the basic EE editor as they never work with html code.
    The issue is not the back-end. The real issue is that EE parses the code out when the weblog/section is set to ‘only safe html’. Although not listed in the docs, surely the <p> is safe, isn’t it?

  • #4 / Dec 29, 2008 4:35am

    Ingmar

    29245 posts

    Actually, the list Greg gave you is conclusive, <p> is not contained in this list. You’d either have to “Allow all HTML”, or use XHTML formatting which will add this tag as required.

  • #5 / Dec 29, 2008 12:14pm

    ron00nor

    52 posts

    Allow all HTML is not an option because I can get dirty code (through the entry form for semi public use) which is a high security risk. Your suggestion using XHTML is not possible together with the use of the LG WYSIWYG editor.
    What now?

    How is it possible that having this in my entry database:
    paragraph 1
    paragraph 2
    paragraph 3

    I get this as output in my browser when ‘Allow only safe html’ is on:
    ‘paragraph 1 paragraph 2 paragraph 3’.
    That’s surely not usable.

    How do others solve this problem of strangers giving input to the weblog through a SAEF form?

  • #6 / Dec 29, 2008 1:00pm

    Greg Aker

    6022 posts

    There is an option for {formatting_buttons} in the SAEF.  Then you can use auto xHTML and paragraphs will be properly formatted.

  • #7 / Dec 29, 2008 3:59pm

    ron00nor

    52 posts

    Hi Greg,

    Maybe I’m not clear enough but I mentioned twice before that the fields concerning this issue have a WYSIWYG editor as field type and auto xHTML IS NOT AVAILABLE.

    Seems very very strange to me to strip <p> and <br /> as invalid html. Maybe I may determine myself what I consider as ‘safe’ and therefore give me the possibility to add html to an allowed list.

    I took a look at the {formatting_buttons} but that’s really not challenging modern times, is it?

    How about setting the ‘Default Text Formatting’ to ‘none’? One should assume that with this option there is absolutely nothing changed to the textarea input. Trying this option strangely also removes <p>. How weird!
    Maybe the Expression Engineers went a bit too far?...

    The weblog I’m working on needs both possibilities : WYSIWYG in the CP entries for admins and SAEF form for external user input with safe html.

  • #8 / Dec 29, 2008 4:10pm

    Ingmar

    29245 posts

    Seems very very strange to me to strip <p> and <br /> as invalid html.

    They are by no means invalid, or even particularly dangerous, but EE considers them invalid in this context.

    Maybe I may determine myself what I consider as ‘safe’ and therefore give me the possibility to add html to an allowed list.

    You can probably do that, but it involves a hack to EE core files which you will have to maintain across future updates. Please see this article for more info.

    How about setting the ‘Default Text Formatting’ to ‘none’? One should assume that with this option there is absolutely nothing changed to the textarea input. Trying this option strangely also removes <p>. How weird!

    You are talking about different things here. “Formatting: None” means that EE will not add <br /> or <p> tags at runtime. This has got nothing to do with what kind of HTML tags you will allow. In fact, using “Allow all HTML” would probably achieve what you are looking for, but apparently is not an option for you.

  • #9 / Dec 29, 2008 4:58pm

    ron00nor

    52 posts

    ‘Allow only Safe html’ is indeed what I need.
    But at this moment it is only usable with auto xHTML and that’s what I can’t choose when the fieldtype is WYSIWYG. Also when both WYSIWYG and xHTML are active shall probably produce weird output (as I read at this forum).
    So what I would really like is an option where EE leaves my entries at ease. NO stripping at all. Maybe a plugin? Suggestions?

    Adding the tag to ‘core.typography.php’ did not resolve it. They were still stripped.

    Maybe ‘Allow only Safe html’ also works when displaying an entry? Then in my opinion it has no use. The harm of dirty html is then already done.

    The attached jpg shows that I have no options in choosing ‘Default Text Formatting for This Field’.

  • #10 / Dec 29, 2008 5:45pm

    Ingmar

    29245 posts

    So what I would really like is an option where EE leaves my entries at ease. NO stripping at all.

    I am sorry, we seem to be going in circles here: that option exists, it is named “Allow all HTML”. You do not want EE to allow all HTML—we’ve established that—you only want to add to the list of allowed tags. I am afraid you’ll have to modify EE as shown above.

    The file is core.typography.php; you’ll need to add ‘p’ to the functions $safe_encode and $safe_decode in lines 83 and 85, respectively.

  • #11 / Dec 29, 2008 6:32pm

    ron00nor

    52 posts

    Hi Ingmar,

    Indeed I will end this thread now.

    As stated before I already modified ‘core.typography.php’ as you suggested but that made no difference. As I encountered before, ExpressionEngine is a great tool but sometimes has its own ‘manual’. This time I can’t get around this issue so I chose another workaround.

    I created a second similar weblog where the entries of the public are submitted. This weblog has ‘Allow only Safe html’. It shares the same fieldgroups etc. as my main weblog which has ‘Show all HTML’. I made two additional fields, textarea with format xhtml. Adapted all my templates/forms to show these extra fields. When a public entry is made I moderate it first and after approval move it from the ‘Allow only Safe HTML’ to the ‘Show all HTML’. Since they share fields, status etc. the entry can easily move between the two weblogs.

    Still strange that modifying ‘core.typography.php’ doesn’t work.

    For now thanks for your patience and support. I know ExpressionEngine again a bit further more.

  • #12 / Dec 30, 2008 1:48am

    Lisa Wess

    20502 posts

    Hi, ron00nor - that modification should work; did you want to troubleshoot it, or have you implemented a solution that works for you?

    Let us know, thank you.

  • #13 / Dec 30, 2008 8:04am

    ron00nor

    52 posts

    Hi Lisa,
    Thanks for attending this thread. I would like to troubleshoot why the modification of ‘core.typography.php’ does not work. Now my workaround is that I have to add two extra fields with fieldtype textarea and format xHTML. It should not be necessary.

    Here’s the code I modified:

    var $safe_encode = array('b', 'i', 'em', 'del', 'ins', 'strong', 'pre', 'code', 'blockquote', 'abbr', 'p');

    var $safe_decode = array(
        'b'          => 'b',
        'i'          => 'i',
        'em'         => 'em',
        'del'        => 'del',
        'ins'        => 'ins',
        'strong'     => 'strong',
        'pre'        => 'pre',
        'code'       => 'code',
        'blockquote' => 'blockquote',
        'quote'      => 'blockquote',
        'QUOTE'      => 'blockquote',
        'abbr'       => 'abbr',
        'p'          => 'p'
    );

    I have set the field type to WYSIWYG. As you can see in the third attached image it’s not possible to choose a formatting. In the database I can see it’s set to ‘none’.
    The second image shows the content in my database. The <p> are clearly there.
    The first image shows the output in FF3.

    As you can see in the output the <p> are stripped. Probably because ft is set to ‘none’. This means I can not use a WYSIWYG editor (in the CP) together with ‘Allow only safe HTML’?
    Not even when modifying the typography.php.
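
Added example, not part of the thread and not ExpressionEngine's own code: an allowlist filter shaped like the two arrays posted above, showing what adding 'p' admits and what it still rejects. `safe_html()` and the sample input are hypothetical, and the placeholder-then-escape model is this example's assumption, not a confirmed description of core.typography.php.

```php
<?php
// Added illustration, not ExpressionEngine code: safe_html() and the sample
// input below are constructed for this example.

// Tags accepted from untrusted input, including the 'p' added in the thread.
$safe_encode = ['b', 'i', 'em', 'del', 'ins', 'strong', 'pre', 'code', 'blockquote', 'abbr', 'p'];

// Placeholder name => tag written on output ('quote' is an alias, as in the posted array).
$safe_decode = array_combine($safe_encode, $safe_encode) + ['quote' => 'blockquote'];

function safe_html(string $input, array $encode, array $decode): string
{
    // 1. Turn bare allowed tags (<p>, </p>) into bracket placeholders.
    //    A tag carrying attributes, e.g. <p onclick="...">, does not match.
    $names = implode('|', array_map('preg_quote', $encode));
    $text  = preg_replace('#<(/?)(' . $names . ')>#i', '[$1$2]', $input);

    // 2. Escape everything that is left, so no other markup reaches the browser.
    $text = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');

    // 3. Turn the placeholders back into tags through the decode map.
    //    A literal "[p]" typed by a user also becomes <p>, which is harmless
    //    because only allowlisted, attribute-free tags can be produced here.
    $keys = implode('|', array_map('preg_quote', array_keys($decode)));
    return preg_replace_callback(
        '#\[(/?)(' . $keys . ')\]#i',
        fn(array $m) => '<' . $m[1] . $decode[strtolower($m[2])] . '>',
        $text
    );
}

// Constructed sample submission: one clean paragraph, one paragraph with an
// event-handler attribute, and one script element.
$submitted = '<p>paragraph 1</p><p onclick="alert(1)">paragraph 2</p><script>alert(2)</script>';
echo safe_html($submitted, $safe_encode, $safe_decode), "\n";
```

The bare `<p>` pair passes through unchanged, while the `<p onclick=…>` opening tag and the `<script>` element are entity-escaped and render as literal text. The point for anyone extending such a list is that the new tag must be admitted only without attributes.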

  • #14 / Dec 30, 2008 12:48pm

    Lisa Wess

    20502 posts

    The WYSIWYG is third party - if you choose a field formatting type of xHTML - does it work then?

    You first say you set the FTP to WYSIWYG and then you said you set it to none, so I’m a bit confused there.  Let’s test it with xHTML or none and start from there - not our end point, just the start point.

  • #15 / Dec 30, 2008 2:22pm

    ron00nor

    52 posts

    The WYSIWYG is third party

    OK that’s not a point yet.

    if you choose a field formatting type of xHTML - does it work then?

    Set field formatting type to auto xHTML works OK. That’s not surprising.

    You first say you set the FTP to WYSIWYG and then you said you set it to none, so I’m a bit confused there.

    Indeed I said that I set the ‘Field Type’ to WYSIWYG. Then automatically the ‘Default Text Formatting for This Field’ is disabled (as you can see in the earlier images). When I check the database I can see that the ‘Default Text Formatting for This Field’ is set to ‘none’. There’s nothing I can do about this.
    At first I thought that ‘None’ meant no formatting at all, but it appears to be: ‘apply no formatting at all except safe HTML’ just like css border:none.
    This makes sense.

    Concentrating on why the modification of ‘core.typography.php’ does not work:
    Changing the test field ‘Field Type’ to ‘Textarea’ and then ‘Default Text Formatting for This Field’ to ‘None’. In the textarea I have three paragraphs. Even hardcoded <p>. In the output the ‘None’ removes all HTML except the safe. E.g. ‘strong’ is kept. However <p> is stripped although I modified the ‘core.typography.php’.
