I'm using attempting to add an "onclick" object to a page in a singlesite (i.e. rather than multisite) WordPress that triggers an event. The code is:
Send a voice message
When attempting to save the code, WordPress strips the onclick object leaving:
Send a voice message
A user on another forum suggested that this restriction should only apply to multisite non-superadmin users. Again, this is a siglesite with only one admin user.
It is understood that WordPress removes "onclick" from HTML to prevent malicious code. Still, does anyone know how to resolve this?
Thanks.
It appears that with current Wordpress (I'm on 4.9.4), TinyMCE does the filtering directly on the editor screen, not when the form is submitted. The allowedtags and allowedposttags don't seem to matter, so the solution above does not solve the problem for me.
The method I have developed uses the tiny_mce_before_init filter to alter the allowed tags within TinyMCE. The trick is to add the extended_valid_elements setting with the updated versions of the elements allowed for a.
First, look in the page http://archive.tinymce.com/wiki.php/Configuration3x:valid_elements to find the current value for a, which right now is
a[rel|rev|charset|hreflang|tabindex|accesskey|type|name|href|target|title|class|onfocus|onblur]
And add to the end of that the onclick attribute:
a[rel|rev|charset|hreflang|tabindex|accesskey|type|name|href|target|title|class|onfocus|onblur|onclick]
Then use that in the filter function like this:
function allow_button_onclick_mce($settings) {
$settings['extended_valid_elements'] = "a[rel|rev|charset|hreflang|tabindex|accesskey|type|name|href|target|title|class|onfocus|onblur|onclick]";
return $settings;
}
add_filter('tiny_mce_before_init', 'allow_button_onclick_mce');
which you install in your functions.php file in Wordpress. You can see it in action by toggling the text and visual view on the edit page. Without the extended list, the onclick goes away. With it, it remains.
You can solve this by changing the anchor tag into button and adding a script. For more info please refer to this link: Wordpress TinyMCE Strips OnClick & OnChange (need jQuery).
By resolving, I'm assuming you mean to allow the onclick attribute. You will want to be careful with this, because modifying the allowed tags does this for all your users.
You can modify the list of allowed tags and attributes, by adding this to your functions.php file:
function allow_onclick_content() {
global $allowedposttags, $allowedtags;
$newattribute = "onclick";
$allowedposttags["a"][$newattribute] = true;
$allowedtags["a"][$newattribute] = true; //unnecessary?
}
add_action( 'init', 'allow_onclick_content' );
I suggest trying it with only $allowedposttags first to see if that works for you. According to this other stackexchange post, you should only need allowedtags if you need it for comments or possibly non-logged-in users, but when I did something similar in the past, I needed both of them to work.
On a side note, if you want a list of all already allowed tags and attributes, look inside your /wp-includes/kses.php file.
Related
I have a blog written in Python + Django.
Before I started use of WYSIWYG editor, to create a blog post preview I manually added custom html tag <post_cut/> and used python slice to show only a preview. It allowed to avoid issues with fixed length for preview or breaking html tags.
Now I added Django-CKEditor and it removes all html tags which "it doesn't understand".
I tried to do something with configuration (allowedContentRules, format_tags and etc.) but no success.
The questions is how to manage "post-cut" and how to do this using CKEditor.
P.S. it would be awesome also to have button for that.
Found the answer by myself.
You need to use extraAllowedContent if you want to add some extra tags.
Also found how to add custom button by creating a custom plugin.
But still looking for good solution that will utilize django-ckeditor
CKEDITOR_CONFIGS = {
'default': {
'extraAllowedContent': {
'post_cut': True,
},
# ...
# (other options)
}
}
I have a Chrome extension, and a Chrome app. I need inline install for both of them on the same domain.
As per Googles instructions (for one inline install) I add the header link tag:
<link rel="chrome-webstore-item" href="https://chrome.google.com/webstore/detail/itemID">
Then add the onclick function in the body:
<button onclick="chrome.webstore.install()" id="install-button">Add to Chrome</button>
<script>
if (chrome.app.isInstalled) {
document.getElementById('install-button').style.display = 'none';
}
</script>
What I need to know is how to add two instances. One for the extension, and one for the app. Do I add two link tags in the header, then edit the onclick function?
This is what Google says to do for multiple instances, but I don't understand where to edit the onclick function to differentiate between the two.
To actually begin inline installation, the
chrome.webstore.install(url, successCallback, failureCallback)
function must be called. This function can only be called in response
to a user gesture, for example within a click event handler; an
exception will be thrown if it is not. The function can have the
following parameters:
url (optional string) If you have more than one tag on your
page with the chrome-webstore-item relation, you can choose which item
you'd like to install by passing in its URL here. If it is omitted,
then the first (or only) link will be used. An exception will be
thrown if the passed in URL does not exist on the page.
successCallback (optional function) This function is invoked when
inline installation successfully completes (after the dialog is shown
and the user agrees to add the item to Chrome). You may wish to use
this to hide the user interface element that prompted the user to
install the app or extension.
failureCallback (optional function) This
function is invoked when inline installation does not successfully
complete. Possible reasons for this include the user canceling the
dialog, the linked item not being found in the store, or the install
being initiated from a non-verified site. The callback is given a
failure detail string as a parameter. You may wish to inspect or log
that string for debugging purposes, but you should not rely on
specific strings being passed back.
I currently have one link tag in my header for the extension. I need to add another inline installation, on a different page, same domain, but this second onclick code needs to be different so it doesn't refer to the existing link tag in my header.
Many thanks.
<link rel="chrome-webstore-item" href="https://chrome.google.com/webstore/detail/itemID1">
<link rel="chrome-webstore-item" href="https://chrome.google.com/webstore/detail/itemID2">
<button onclick="chrome.webstore.install('https://chrome.google.com/webstore/detail/itemID1')" id="install-button-1">Add App to Chrome</button>
<button onclick="chrome.webstore.install('https://chrome.google.com/webstore/detail/itemID2')" id="install-button-2">Add Extension to Chrome</button>
The very same docs page shows a method for the extensions.
Basically, your extension can inject a <div id="somethingYouExpect"> into the DOM, and the page's script can detect that.
It's a bit clunky though: I was trying to get it to work for test code and didn't manage to do so in a good way, as content scripts are injected either before DOM is constructed at all or after document ready fires. You can bypass that with mutation observers, but meh and your button will be visible for a split second.
You can save yourself some pain, if you're just hiding an element, by injecting a css file hiding it. Or, you can hide the elements from injected code. Either way is somewhat layout-sensitive though.
If you HAVE to be layout-independent and at the same time want something more complex than element hiding, either go the (div inject + mutation observer) route or you can try window.postMessage approach to signal the page to hide the element.
Step by step guide for the extension / CSS variant.
Suppose your extension install UI is contained in an element with id extension-install.
Add a content script to the manifest file:
"content_scripts": [
{
"matches": ["*://yourdomain/*"],
"css": ["iaminstalled.css"],
"run_at": "document_start"
}
],
The CSS:
#extension-install {
display: none !important;
}
So, to recap:
To allow installs of both the app and the extension, you need two <link> tags in the head
To install either you pass the url parameter to chrome.webstore.install
If the app is installed, it will define chrome.app.isInstalled in the page's context. You can check for it from the page to hide the install button.
If the extension is installed, it can inject CSS/JS into page to hide the install button.
Basicly what I want to do is to change the stylesheet when the user selects the one they whant from a select box. To do that there would be a variable called $_SESSION['style']. What's the best way to change the variable when clicking it from the select box? (without clicking a submit button). Is it possible to change the stylesheet without reloading the whole page?
Thanksss! :)
Yes you can dynamically inject a CSS file when the select box is updated.
<select onchange="changecss(this.value);">
...
</select>
<script>
function changecss(value){
//based on the value, pick a style sheet here
var cssname='pick your own css file';
csl=document.createElement('link');
csl.setAttribute('rel','stylesheet');
csl.setAttribute('type','text/css');
csl.setAttribute('href',cssname);
document.getElementsByTagName("head").item(0).appendChild(csl);
}
</script>
Edit:
I have seen code that directly change the src value of the current css inclusion. This doesn't not work in some versions of IE, because the browser is not "notified" of a DOM change, and your page is therefore unaffected. Inserting new CSS node in the DOM works more reliably.
With this Ajax wrapper you can dynamically load the CSS file in one line:
<script src="http://www.antradar.com/nano.js"></script>
<script>
ajxcss(self.cssloader,'newcss.css');
</script>
Since PHP is a server-side language that cannot update the data in the user's browser (no "push"), you need a client-side script for the change of the stylesheet without having to reload the page. Changing the stylesheet is possible with javascript. Because your stylesheet filename is stored in a (server-side) session variable, you've got 2 options:
Render the filename into the site (e.g. by echoing it into the javascript code as a variable), so that it can be used by the client side script.
Use an ajax call from the client side script, to get the filename from a PHP script ("pull"), that ouputs the session variable.
However, this might be too much overhead*. Maybe you should consider hardcoding the stylesheet filename into the javascript.
*) if you are using a javascript framework like jQuery or MooTools such things can be implemented easily...
Edit: I just recognized, that you've got a selectbox of items. In this case you surely want to go with the first option: Create the selectbox via PHP and for example use the filenames of the stylesheets as the values. You can than use javascript to change the stylesheet when a onSelectedIndexChanged happens.
I have created a custom skin for my mediawiki that is based on vector. I already have the VIEWS tab at the top that shows the Article, Edit, History and Action. Apart from this tab, I am trying to add a new "Edit this Article" button to show at the top right hand corner of the page. I dont know how to add the edit url to this button. At the moment, I have hard coded it like this:
<a class="edit_article_button" href="?action=edit" title="Edit This Article">Edit Article</a>
The above hard coded method is no good and it doesnt work properly on all pages. It also it is not compatible when I change the Edit buttons to Edit with form buttons for Semantic Form extension. Is there like a way to add a default link to this edit button that works for that relevant mediawiki article? When I had a look at the skin, the edit button is shown as part of the renderNavigation function which is no good since it shows all the lists including History, etc..:
<?php $this->renderNavigation( array( 'VIEWS' ) ); ?>
This is where I am having trouble with and unable to find info on how to do it. Can someone help me on how I can create a separate Edit article button?
EDIT & PROGRESS UPDATE:
Alright... Here is an update on how I was able to add it. I added the following to the renderNavigation function and it works:
case 'EDIT':
$navTemp = $this->data['content_actions']['edit'];
if ($navTemp) { ?>
<?php echo $navTemp['text']; ?>
<?php }
break;
and I am calling it using this inside the html template:
<?php $this->renderNavigation( array('EDIT')); ?>
I also added the css for the "custom_edit_button" to style the button further.
Next hurdle when using Semantic Form: Although the above method works, what happens is it shows the Edit source button instead of Edit with Form button. I actually want it to show the "Edit with Form" option when there is a form present in that article instead of edit source option. I already have this in LocalSettings.php
//The following settings are to edit the edit with form options and removing the default edit option.
$sfgRenameEditTabs = true;
$wgGroupPermissions['*']['viewedittab'] = false; // Hiding the regular edit tab for all users
$wgGroupPermissions['sysop']['viewedittab'] = true; //Showing the regular edit tab (renamed to edit source) to sysops only.
Now, how can I change the above php code so it links to "Edit with form" page when there is a form present?
https://www.mediawiki.org/wiki/Extension:Semantic_Forms/The_%22edit_with_form%22_tab has lots of information on how to make the edit tab appear as you want it.
Still, it looks like the SemanticForms extension is using the SkinTemplateNavigation hook which is called in SkinTemplate::buildContentNavigationUrls(), so make sure you aren't overriding that function.
That title is probably a bit confusing so let me elaborate.
I'm using HTML_purifier to clean up user input, although in this case the only user who will be using it will be myself (its in password protected folders). A long story short I would like to be able to add in image tag code to a web form, then on the page that it sends too use the code to display said image.
However i need the image tag to have css attributes added to it, one of which is
display:block
Anyway by default HTML_purifier removes this, detailed here because of the CSS.allowTricky option. As i understand it if you set the CSS.allowTricky option to True, then it should allow
display:block
However after doing this its still removing it, just wondering if anybody has done this before as i can't find much documentation about it on the web? Its not generating any errors in syslog, so im assuming that its the correct implementation but isn't working as expected.
My code at the moment.
include('HTMLPurifier.standalone.php');
$config = HTMLPurifier_Config::createDefault();
$config->set('CSS.AllowTricky', true);
* UPDATE **
The code should pass the config object (which the code already set) to the html purifier object. Putting it together it should look something like this.
include('HTMLPurifier.standalone.php');
$config = HTMLPurifier_Config::createDefault();
$config->set('CSS.AllowTricky', true);
$purifier = new HTMLPurifier($config);
Duplicate of http://htmlpurifier.org/phorum/read.php?3,6724 (solution was passing the config object to the HTML Purifier object so that the config actually got applied.)