Joomla Tutorials and Blog Posts

Stop Joomla From Stripping Out Code


Code can be dangerous. The right code in the right place brings your site to life, but there are many places where it can be a huge security risk.

Inside your content, code can be dangerous. If you allow people to use PHP, JavaScript, iframes or other code inside content, you greatly increase the chances of a malicious script being used.

To minimize this risk, by default Joomla restricts the code you can use in content. Drupal does exactly the same thing and you can read the solution for Drupal by clicking here.

The downside is that some common code isn't allowed. For example, YouTube and Google Maps embed codes aren't allowed. This tutorial will show you how to allow such code on your site by stopping Joomla from stripping it out.

Example


Here's a Google Maps example. Normally you'd click Toggle Editor and paste the code directly into the editor. However, if you now click Save & Close, your article will look like the image below. The map won't show.


That's the problem. Here's the solution.

Step 1: Turn off Filtering

Go to Site > Global Configuration > Text Filters.


If you want to disable code filtering for yourself, set Super Users to No Filtering. You can also disable filtering for other levels, but do so carefully, particularly for Registered users who you might not trust as much.

 


 

Click Save & Close.

Step 2: Turn off the TinyMCE Editor


Go to Site > Global Configuration.


Set Default Editor to Editor - None. Click Save & Close.


Now you can go to your article and safely paste in the code. It will appear as in the image below.
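Once filtering is off for a user group, nothing checks what that group saves. As an added example (not part of the original tutorial and not Joomla code), this Python script audits article HTML for iframes from hosts outside an allowlist, plus script/object/embed tags and inline event handlers. The allowlist, the function names and the sample articles are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist: the only hosts this site intentionally embeds from.
ALLOWED_IFRAME_HOSTS = {"maps.google.com", "www.google.com", "www.youtube.com"}


class EmbedAuditor(HTMLParser):
    """Collects markup that a content filter would normally strip."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = allowed_hosts
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe":
            src = attrs.get("src") or ""
            try:
                host = (urlsplit(src).hostname or "").lower()
            except ValueError:  # malformed URL: treat as unknown host
                host = ""
            if host not in self.allowed_hosts:
                self.findings.append(("iframe", src))
        elif tag in ("script", "object", "embed"):
            self.findings.append((tag, attrs.get("src") or attrs.get("data") or ""))
        # Inline event handlers (onclick, onload, ...) run script on any tag.
        for name, value in attrs.items():
            if name.startswith("on"):
                self.findings.append((f"{tag}[{name}]", value or ""))


def audit_article(html, allowed_hosts=ALLOWED_IFRAME_HOSTS):
    """Return (what, value) pairs that need a human look; [] means clean."""
    auditor = EmbedAuditor(allowed_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample article bodies, not taken from a real site.
SAMPLE_ARTICLES = {
    "contact": '<p>Find us:</p><iframe width="425" height="350" '
               'src="https://maps.google.com/maps?q=Atlanta&amp;output=embed"></iframe>',
    "news": '<p onclick="track()">Hi</p><iframe src="https://cdn.example.net/w.html">'
            '</iframe><script src="//cdn.example.net/a.js"></script>',
}

if __name__ == "__main__":
    for title, body in SAMPLE_ARTICLES.items():
        print(title, audit_article(body))
```

Run it over the article bodies exported from your site (in Joomla these are the `introtext` and `fulltext` columns of the `#__content` table) after unfiltered users have been editing.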


Longer Term Solutions

Over the long term this is a cumbersome solution partly because Step 2 requires you to constantly go back and forth, turning the editor on and off. It also makes it harder to edit the article again in the future.

One solution is to use a better editor than TinyMCE, which is the Joomla default. JCE from http://www.joomlacontenteditor.net is free and substantially better.


Also recommended are two extensions from http://www.nonumber.nl.

Sourcerer allows you to place any code inside your content with the editor still turned on. It's available from http://www.nonumber.nl/extensions/sourcerer.


Snippets allows you to enter the code once and then create a reusable text snippet that can be easily placed inside any article. We use it on this site to safely embed the code for our ticket sales. Snippets can be downloaded from http://www.nonumber.nl/extensions/snippets.


Comments

 
#1 safe77 2012-01-21 10:58

I have followed the instructions 1 and doesn't show google map in article/ contact.
View large map
Is the above suggestions for joomla 1.7?
thx
 
 
#2 Nick 2012-01-21 20:28

Hi safe77,

Yes, it's for Joomla 1.7. What version are you using?

Kind regards,
Nick
 
 
#3 safe77 2012-01-21 20:47

Hi,
joomla 1.7.3, I tried with TinyMCE Editor and with Jce editor.
Made all the setting required like remove "iframe" is forbidden from the list, or make sure I am white list or filtering off etc. but still stripping the code. Also tried to Set Default Editor to Editor - None, but no luck.

I really appreciate your prompt reply,

Regards
safe77
 
 
#4 Nick 2012-01-21 20:59

Hi Safe77,

Go to Article Manager >> options >> filtering >> turn off filtering for super users.

Kind regards,
Nick
 
 
#5 safe77 2012-01-21 21:27

Hi Nick,
I have done that too!
I tried with TinyMCE Editor :
- In Article Manager option >> Text Filters >> Super Users : Not Filtering
- In Extensions >> Plug-in Manager >> Editor TinyMce >> Basic options Prohibited Elements : cancelled iframe from the list.
Still not working.

After I tried/switched to Jce editor :
In the JCE Control Panel, >> Editor Plugin Parameters >> Default ( in my case) >> Media Support : Allow IFrames is set yes.

Am I missing something?
 
 
#6 Nick 2012-01-23 00:41

Did you try with the editor set to "no editor" and filtering disabled in article manager options?

Kind regards,
Nick
 
 
#7 safe77 2012-01-23 10:01

Hi,
I did try also editor set to "no editor" and filtering disabled in article manager options but still not keeping iframe.
I just want to add a google map in to contact form, not other iframe.
Thx
 
 
#8 Nick 2012-01-23 20:35

Hi safe77,

We would love to get into a discussion with you on this. If you are a student at OSTraining.com, please log into the support forum (www.ostraining.com/.../) and post the question in there, so that one of our support techs can look into it for you. If you’re not a student, I hope you’ll consider becoming one, so that we can give you the attention you deserve. You can find out more about our online class at www.ostraining.com/online

Kind regards,
Nick
 
 
#9 digioz 2012-01-24 22:54

I just wanted to add that in Joomla 2.5 which was just released the "No Filters" options have actually moved to "Global Settings" section, in case anyone is looking for it there.

Thanks,
Pete
 
 
#10 Nick 2012-01-25 02:09

Thanks for the info, Pete! :)

Kind regards,
Nick
 
 
#11 KILLSHOT707 2012-02-01 00:22

Yep same here. I have tried everything and still just codes show up.
 
 
#12 Nick 2012-02-01 05:03

Hi Pete,

We've now updated it :)

Kind regards,
Nick
 
 
#13 Nick 2012-02-01 05:05

Hi KILLSHOT707,

If you are a student at OSTraining.com, please log into the support forum (www.ostraining.com/.../) and post the question in there, so that one of our support techs can look into it for you.

Kind regards,
Nick
 
 
#14 Wendy 2012-05-01 16:12

You can actually go into the "Editor - TinyMCE" plug in (click on it in Plug-in Manager) under the Extensions menu and, under Basic Options, erase "iframe" from the Prohibited Elements list. Worked for me anyway (J1.7) after lots of accidental erasures.
 
 
#15 Guest 2012-10-20 15:39

is it safe to completely disable tinymce plugin in Joomla 2.5?
 
 
#16 Marko Jones 2013-01-19 20:21

This saved me a ton of grief. Thank you!
 
 
#17 ddriskell 2013-03-01 04:25

I'm having a code problem with all the "'s (quotes) in my html getting preceded with a / when I save. I have no filtering set and have tried TinyMCE, Code Editor and No Editor. Actually TinyMCE puts an ampersand-quot; instead of the slash. Oddly I can insert html on my LAMP test server and it remains intact but not so on the webhost. I can backup the test server with Akeeba and restore it on the webhost as a work around but it's not a good solution. I'm using Joomla 3.2. Any ideas?

Thanks, Doug
 
 
#18 ddriskell 2013-03-13 03:24

Ok, I found the problem. It was magic_quotes_gpc. It needs to be set to magic_quotes_gpc = off in the php.ini file. My web host had an option in the cPanel to edit the global php.ini file. Otherwise you can have local php.ini files in the root and administrator folders with that line. The Joomla setup also complains if you don't have register_globals = off and display_errors = off in your php.ini files.
 


The License for Our Tutorials

All of our tutorials are published under the Creative Commons Attribution-NonCommercial license. This means:

  • You can re-use these tutorials.
  • You can modify these tutorials.
  • You must link back to our original tutorial.
  • You can't use these tutorials commercially.

Click here to read the full license.

Open Source Training is not affiliated with or endorsed by the Joomla, WordPress or Drupal projects.
All product names and trademarks are the property of their respective owners.

Copyright 2013 Open Source Training, LLC. All rights reserved.