ExpressionEngine CMS
Open, Free, Amazing

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Safe Cracker and html inputs

April 16, 2012 1:26pm

  • #1 / Apr 16, 2012 1:26pm

    Charcoal Marketing

    112 posts

    I am using SafeCracker on an intranet which only logged-in members have access to. One of the fields is called media, which is supposed to capture YouTube embed code, but it is converting the HTML characters into web-safe versions, so the code shows on the front end and not the video. Can you help? I am using a custom field, textarea, and tried with XHTML and NONE selected for type.

    Thanks

  • #2 / Apr 17, 2012 11:40am

    Dan Decker

    7338 posts

    Hi Kyle,

    Indeed! You will want to set the formatting to “None”, but you also need to make sure the channel is set to allow for HTML to be posted. To do this, go to Admin->Channel Administration->Channels: Edit Preferences and check the setting for “Default HTML formatting in channel entries”. Make sure that is set to “Allow all HTML”.

    I look forward to your reply!

    Cheers,

  • #3 / Apr 18, 2012 10:30am

    Charcoal Marketing

    112 posts

    Hello Dan,

    I have the field type set to textarea and “Default Text Formatting for This Field” set to “None”, and in the channel preferences I have “Allow All HTML” set for “Default HTML formatting in channel entries”, but when I post through SafeCracker it still replaces all the HTML characters with web-safe versions. Is there anything I am missing?

    Thank you for your time
    Ricky

  • #4 / Apr 19, 2012 3:43pm

    Charcoal Marketing

    112 posts

    Any news on this? The file field on SafeCracker keeps converting HTML to entities.

  • #5 / Apr 20, 2012 11:38am

    Dan Decker

    7338 posts

    Hi Kyle,

    I’m not sure why SafeCracker is converting the code to entities.

    There may be a way to get around this by just submitting the URL and then using Antenna for the presentation.

    I’ll check with the developers why this isn’t being honored properly when SC submits the form.

    Cheers,

  • #6 / Apr 20, 2012 12:58pm

    Charcoal Marketing

    112 posts

    Thanks Dan, I’d really appreciate some help from the SafeCracker devs.

    The extension you provided looks good, but we’re trying to allow users to embed code from any site, and just need them to be able to paste the iframe into a text box and have it display as is.

    I can send you a link to the site in question if that helps.

  • #7 / Apr 24, 2012 3:50pm

    Dan Decker

    7338 posts

    Hi Kyle,

    I have a solution for you!

    It’s not elegant, but if you aren’t afraid to open a PHP file, I can get you fixed up.

    Open /system/expressionengine/modules/safecracker/libraries/safecracker_lib.php and find line 2569

    Change this:

    $this->skip_xss_fieldtypes = array();

    to this:

    $this->skip_xss_fieldtypes = array('textarea');

    Now, this comes with some caveats, so beware. This opens any textarea in a SafeCracker form to allow pretty much anything to be posted. What you are doing here is taking textarea field types out of the XSS Clean process, so it won’t be sanitized to make sure it has originated with your site.

    Since this is a controlled access form anyway, it shouldn’t be a problem for you, but I wanted you to be aware of the impact.

    If you have any questions, just ask!

    Cheers,

  • #8 / Apr 24, 2012 4:44pm

    Charcoal Marketing

    112 posts

    Works like a charm. Thanks so much for researching the fix! And yes, this form is hidden behind a member login anyways, so security is not as much of an issue.

  • #9 / Apr 25, 2012 5:28pm

    Dan Decker

    7338 posts

    Hi Kyle!

    Excellent! I’m glad we were able to help. Be sure to keep this handy, as it will not persist through updates. You’ll need to make the change after each update to ExpressionEngine.

    If you have any other questions, feel free to open a new thread!

    Cheers!
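
Post #7 takes every textarea out of XSS cleaning so that pasted iframe embed code survives. The following is an added example, not ExpressionEngine or SafeCracker code and not from the thread's participants, of a narrower way to handle an embed field: parse the pasted snippet, accept only a single iframe on an allowlisted https host, and rebuild the tag from validated parts. The function name, the host list and the default dimensions are assumptions, and where it would be called in a SafeCracker submission is not shown.

```php
<?php
// Added example: not ExpressionEngine or SafeCracker code. The names
// ALLOWED_EMBED_HOSTS and clean_embed() and the host list are assumptions.
const ALLOWED_EMBED_HOSTS = ['www.youtube.com', 'www.youtube-nocookie.com', 'player.vimeo.com'];

/**
 * Accept a pasted embed snippet only if it contains exactly one <iframe> whose
 * src is an https URL on an allowlisted host. Returns a rebuilt tag, or null.
 */
function clean_embed(string $raw): ?string
{
    if (trim($raw) === '') {
        return null;
    }
    libxml_use_internal_errors(true);   // collect parse warnings instead of emitting them
    $doc = new DOMDocument();
    $doc->loadHTML('<?xml encoding="utf-8"?>' . $raw, LIBXML_NONET);
    libxml_clear_errors();

    $frames = $doc->getElementsByTagName('iframe');
    if ($frames->length !== 1) {
        return null;                    // no iframe, or more than one
    }
    $frame = $frames->item(0);
    $url = parse_url(trim($frame->getAttribute('src')));
    if (!is_array($url) || strtolower($url['scheme'] ?? '') !== 'https'
        || isset($url['user']) || isset($url['pass']) || isset($url['port'])
        || !in_array(strtolower($url['host'] ?? ''), ALLOWED_EMBED_HOSTS, true)) {
        return null;                    // wrong scheme, credentials, port, or host
    }
    // Rebuild the URL from parsed parts so only host, path and query survive.
    $src = 'https://' . strtolower($url['host']) . ($url['path'] ?? '/')
         . (isset($url['query']) ? '?' . $url['query'] : '');
    // Clamp dimensions to integers in a fixed range; the defaults are arbitrary.
    $w = max(100, min(1920, ((int) $frame->getAttribute('width')) ?: 560));
    $h = max(100, min(1080, ((int) $frame->getAttribute('height')) ?: 315));
    // Every other attribute and any markup around the iframe is discarded.
    return sprintf(
        '<iframe src="%s" width="%d" height="%d" frameborder="0" allowfullscreen></iframe>',
        htmlspecialchars($src, ENT_QUOTES, 'UTF-8'), $w, $h
    );
}

// Constructed sample inputs (not from the thread): an allowlisted embed with an
// extra event attribute, an iframe on a non-allowlisted host, a non-https src.
var_dump(clean_embed('<iframe width="560" height="315" src="https://www.youtube.com/embed/VIDEO_ID" onload="x()"></iframe>'));
var_dump(clean_embed('<script>x()</script><iframe src="https://embed.example.net/v/1"></iframe>'));
var_dump(clean_embed('<iframe src="javascript:x()"></iframe>'));
```

Because the output is rebuilt rather than filtered, only the validated URL and two clamped integers ever reach the page. Protocol-relative and plain http embed URLs are rejected by this check.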
