Make WordPress Core

Opened 7 years ago

Closed 6 years ago

Last modified 6 years ago

#9874 closed enhancement (wontfix)

extended and invalid elements for tinymce

Reported by: Denis-de-Bernardy
Owned by: azaozz
Milestone:
Priority: normal
Severity: normal
Version: 2.8
Component: TinyMCE
Keywords:
Focuses:
Cc:


I've this code, which currently resides in a plugin:

add_filter('tiny_mce_before_init', array('sem_fixes', 'tiny_mce_config'));
function tiny_mce_config($o) {
	# http://forum.semiologic.com/discussion/4807/iframe-code-disappears-switching-visualhtml/
	# http://wiki.moxiecode.com/index.php/TinyMCE:Configuration/valid_elements#Full_XHTML_rule_set
	# assume the stuff below is properly set if they exist already
	if ( current_user_can('unfiltered_html') ) {
		# users who may post unfiltered HTML: let the editor keep iframes
		if ( !isset($o['extended_valid_elements']) ) {
			$elts = array();
			$elts[] = "iframe[align<bottom?left?middle?right?top|class|frameborder|height|id"
				. "|longdesc|marginheight|marginwidth|name|scrolling<auto?no?yes|src|style"
				. "|title|width]";

			$elts = implode(',', $elts);

			$o['extended_valid_elements'] = $elts;
		}
	} else {
		# everyone else (else branch assumed; the page shows no braces):
		# have the editor strip these elements
		if ( !isset($o['invalid_elements']) ) {
			$elts = array();

			$elts[] = "iframe";
			$elts[] = "script";
			$elts[] = "form";
			$elts[] = "input";
			$elts[] = "button";
			$elts[] = "textarea";

			$elts = implode(',', $elts);

			$o['invalid_elements'] = $elts;
		}
	}
	return $o;
} # tiny_mce_config()

Basically, users were complaining about being unable to insert an iframe in TinyMCE -- among many other things. Shouldn't the above two be default settings?

If so, just let me know and I'll write the patch. If not, please close as invalid/wontfix.

Change History (4)

#1 @azaozz
7 years ago

Many users copy and paste content from web pages and that usually inserts a number of html tags and styling without them realizing it (depending on the browser). Since the <iframe> has some security risks, better to enable it only for users that require it (via a plugin).

Also <iframe> is invalid in both HTML 4.1 Strict and XHTML 1.0 Strict and many themes use the strict DTD.

We can match the restrictions from kses in invalid_elements for non-admin users, although it would probably bring some "the editor mangles my code" complaints.
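
One way a plugin could match the editor's invalid_elements to kses, as the comment above suggests (an added example, not part of the ticket and not WordPress core code). The function names prefixed with example_ are hypothetical, the candidate list is the one from the ticket's code, and the sample allow-list at the end is constructed for a stand-alone run.

```php
<?php
// Added example: derive TinyMCE's invalid_elements from the kses allow-list
// for users whose content kses filters on save.

/**
 * Return the candidate elements that the kses allow-list does not permit,
 * joined the way TinyMCE expects invalid_elements (comma separated).
 *
 * @param array $kses_allowed tag => attributes map, shaped like $allowedposttags
 * @param array $candidates   element names to consider stripping in the editor
 */
function example_invalid_elements_from_kses(array $kses_allowed, array $candidates) {
	$allowed = array_change_key_case($kses_allowed, CASE_LOWER);
	$invalid = array();
	foreach ( $candidates as $tag ) {
		$tag = strtolower(trim($tag));
		if ( $tag !== '' && !isset($allowed[$tag]) )
			$invalid[] = $tag;
	}
	return implode(',', array_unique($invalid));
}

function example_tiny_mce_config($o) {
	// kses does not filter users who hold unfiltered_html; leave their editor alone
	if ( current_user_can('unfiltered_html') )
		return $o;
	// respect a value another plugin already set, as the ticket's code does
	if ( isset($o['invalid_elements']) )
		return $o;
	global $allowedposttags; // kses allow-list for post content
	$candidates = array('iframe', 'script', 'form', 'input', 'button', 'textarea');
	$invalid = example_invalid_elements_from_kses((array) $allowedposttags, $candidates);
	if ( $invalid !== '' )
		$o['invalid_elements'] = $invalid;
	return $o;
}

if ( function_exists('add_filter') ) {
	// running inside WordPress: hook the editor configuration
	add_filter('tiny_mce_before_init', 'example_tiny_mce_config');
} else {
	// stand-alone run with a constructed allow-list (not the real kses list)
	$sample = array('a' => array('href' => true), 'p' => array(), 'form' => array());
	echo example_invalid_elements_from_kses($sample, array('iframe', 'script', 'FORM')), "\n";
}
```

The editor setting only changes what TinyMCE keeps while editing; kses on save is still what enforces the restriction.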

#2 @azaozz
7 years ago

  • Milestone changed from 2.8 to Future Release
  • Type changed from defect (bug) to enhancement

#3 @azaozz
6 years ago

  • Resolution set to wontfix
  • Status changed from new to closed

Seems plugin material.

#4 @westi
6 years ago

  • Milestone Future Release deleted