Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • suzyb 474 posts 932 karma points
    Feb 08, 2018 @ 20:06
    suzyb
    0

    RTE encoding < and > within iframe tag

    I'm trying to add the following piece of javascript into some RTE content (into the source code). I've set iframe, script and figure tags to be allowed in the tinyMCE.config file and the code is being added. However the < and > tags within the iframe are being encoded to &lt; and &gt;.

    The script I'm including is the following

    <figure class="op-interactive"><iframe class="no-margin"><div class="apester-media" data-media-id="5a7b2e6c62e0890001e9dcf0" height="416"></div><script async src="//static.apester.com/js/sdk/v2.0/apester-javascript-sdk.min.js"></script></iframe></figure>
    

    However once the RTE has finished with it it is this

    <figure class="op-interactive"><iframe class="no-margin">&lt;div class="apester-media" data-media-id="5a7b2e6c62e0890001e9dcf0"&gt;&lt;br /&gt;&lt;/div&gt;&lt;script async="" src="//static.apester.com/js/sdk/v2.0/apester-javascript-sdk.min.js" type="mce-no/type" data-mce-src="//static.apester.com/js/sdk/v2.0/apester-javascript-sdk.min.js"&gt;&lt;/script&gt;</iframe></figure>
    

    Does anyone know how to stop the RTE encoding the code like this?

  • Sebastiaan Janssen 5044 posts 15475 karma points MVP admin hq
    Feb 09, 2018 @ 07:40
    Sebastiaan Janssen
    0

    The RTE is meant for writing words and making them beatiful with markup. It's definitely not meant for your editors to alter the HTML of the page. :-)

    So if the people that need to write wonderful content in your site really must insert an iframe for some reason you should make sure you build a macro for them which they can insert in the middle of their prose. That should do the trick and it's a whole lot friendlier than making them open up the HTML source and trying to fiddle with it.

  • suzyb 474 posts 932 karma points
    Feb 09, 2018 @ 09:48
    suzyb
    0

    You know the RTE is for words and I know the RTE is for words but clients think the RTE is for anything they want on the page, be that text, images, video, javscript tracking code or 3rd party quizzes embedded via iframes :/

    I thought I'd have to add a macro or something but was hoping I could get away with not having to as these stupid requests always come up at the busiest possible times :(

  • Sebastiaan Janssen 5044 posts 15475 karma points MVP admin hq
    Feb 09, 2018 @ 10:31
    Sebastiaan Janssen
    1

    I haven't tried but you could probably have a macro with 1 parameter that's a textarea and they can paste all the HTML they want in it (although: hello, security vulnerability alert). That should make them happier for a while. :-)

  • Dan Diplo 1554 posts 6205 karma points MVP 5x c-trib
    Feb 09, 2018 @ 13:45
    Dan Diplo
    0

    Just to add on to what Seb says, you definitely want to use a Macro for this. It's super fast to do. Just create a macro with one parameter called html and then in your macro partial add:

    @inherits Umbraco.Web.Macros.PartialViewMacroPage
    
    @if (Model.MacroParameters["html"] != null)
    {
        var htmlCode = Model.MacroParameters["html"].ToString();
    
        if (!String.IsNullOrEmpty(htmlCode))
        {
            <!-- Embeded Code -->
            @Html.Raw(htmlCode)
            <!-- End Code -->
        }
    }
    

    As Seb says, this does give clients the ability to add arbitrary HTML code, which could include vulnerabilities, so be aware.

  • suzyb 474 posts 932 karma points
    Feb 09, 2018 @ 17:17
    suzyb
    0

    Thanks both.

    I added a macro in. We'll just need to warn the client to be careful about what they put into the textbox.

  • Peter Aderhold 30 posts 204 karma points
    Jan 01, 2020 @ 19:03
    Peter Aderhold
    0

    Just for the records:

    it should work without macro by calling the RTE string in the view with

    @Html.Raw(HttpUtility.HtmlDecode(Model.YourText))
    

    Cheers, Peter

Please Sign in or register to post replies

Write your reply to:

Draft