Mango



Thread: Two mango blogs; same tinymce config; one strips Flash embeds, the other doesn't?

Created on: 02/17/10 01:37 PM


Replies: 3
cascadian


Joined: 07/15/09
Posts: 38

02/17/10 1:37 PM

This is so strange...

I have two Mango blog instances, each on a different server, both running the same version of Mango (1.4). I believe each server is running CF9. The two admin/editorSettings.cfm files are exactly the same.

Now when I edit a post in each one and use the media plugin to insert the same Flash video, one of the blogs inserts and saves the Flash object no problem; the other appears to insert it fine until you submit the post, and then the Flash object is stripped out and replaced with a <span></span>.

The problem blog's post page shows no errors in Firefox's console.

Mango's log viewer shows no errors on either blog.

TinyMCE's changelog.txt file says that it is v3.2.1.1 (for both of the blogs)

I've checked permissions, added an extended_valid_elements to the tinyMCE init that includes the object and embed tags, and am running out of ideas.

cas
cascadian


Joined: 07/15/09
Posts: 38

08/05/10 1:14 PM

I think I've gotten to the bottom of this.

It appears that the problem whereby Flash videos cannot be embedded into a Mangoblog post or page, due to the tags being killed on save (or turned into an InvalidTag), is likely due to a ColdFusion setting on the server: scriptProtect, aka the Enable Global Script Protection setting. This setting would result in ColdFusion quashing the following tags in any Mango blog post: object, embed, script, applet and meta.

This is consistent with the behavior being tied to particular servers regardless of the tinyMCE settings in each Mangoblog.

http://tinymce.moxiecode.com/punbb/viewtopic.php?id=10975

cas
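To make the mechanism in cas's diagnosis concrete, here is an added example (not Mango code and not part of the original thread) that simulates ColdFusion's scriptProtect rewrite on a submitted post body. The regular expression is my approximation of the pattern ColdFusion ships in neo-security.xml and is an assumption; the Flash markup is constructed to resemble what TinyMCE's media plugin emits.

```python
import re

# Assumption: ColdFusion's shipped scriptProtect pattern is
#   <\s*(object|embed|script|applet|meta)
# matched case-insensitively and replaced with "<InvalidTag". Only these five
# tag names are affected; anything else in the value passes through untouched.
SCRIPT_PROTECT_RE = re.compile(r"<\s*(object|embed|script|applet|meta)", re.IGNORECASE)


def script_protect(value: str) -> str:
    """Apply the scriptProtect rewrite to one submitted form/URL/cookie/CGI value."""
    return SCRIPT_PROTECT_RE.sub("<InvalidTag", value)


def affected_tags(value: str) -> list:
    """Names of the tags scriptProtect would rewrite, in order of appearance."""
    return [m.group(1).lower() for m in SCRIPT_PROTECT_RE.finditer(value)]


# Constructed sample: markup of the kind TinyMCE's media plugin produces for a Flash clip.
FLASH_EMBED = (
    "<p>Intro</p>"
    '<object width="425" height="350">'
    '<param name="movie" value="clip.swf" />'
    '<embed src="clip.swf" type="application/x-shockwave-flash" width="425" height="350" />'
    "</object>"
)


if __name__ == "__main__":
    # Which tags in the post body trigger the rewrite, and what the saved body becomes.
    print(affected_tags(FLASH_EMBED))
    print(script_protect(FLASH_EMBED))
    # Markup outside the five names is untouched, so this is not a general XSS filter:
    print(script_protect('<img src="x" onerror="alert(1)">'))
```

Running this shows both the opening `<object` and `<embed` turned into `<InvalidTag` while the rest of the post survives, which is why the behaviour follows the server rather than the TinyMCE configuration. It also shows the limit of the setting: an `<img>` with an event handler passes through unchanged.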
cascadian


Joined: 07/15/09
Posts: 38

08/13/10 11:42 AM

Does changing the scriptProtect setting to not include forms in Mango's Application.cfc create a security vulnerability for Mango blog due to the admin login screen being a form?

cas
Laura

Wizard
Joined: 01/29/05
Posts: 1523

09/02/10 3:19 PM

Hi cas,
The biggest issue with forms is when what you enter there (or via URL) is output to the page, unescaped. I've closed an XSS issue in the search, and I believe there are no issues in the admin, although it would be good to make sure that is true.
This is a good read about scriptProtect: http://www.12robots.com/index.cfm/2010/3/1/A-warning-about-ColdFusions-scriptProtect
And you have to decide what you prefer, either you let people enter <script>, <embed> etc or you don't. If you want them to do so, scriptProtect has to be disabled.
It could be possible to use this http://portcullis.riaforge.org/ as a plugin, but I would only enable it in the main blog, and not the admin, since you do want admins to be able to enter those tags. The other solution is to use a plugin such as the YouTube plugin where you don't actually enter the <embed> code but only something like: [youtube videoId] and then it gets replaced by the right html.
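The shortcode approach Laura describes, as an added example that is not the YouTube plugin's own code or anything from Mango: untrusted input is HTML-escaped on output, and a `[youtube videoId]` token is expanded server-side only when the id matches a strict whitelist pattern, so nobody has to submit `<object>` or `<embed>` through a form at all. The id alphabet (11 characters from `[A-Za-z0-9_-]`) and the iframe embed markup are assumptions; the sample post bodies are constructed.

```python
import html
import re

# Assumption: YouTube video ids are 11 characters drawn from [A-Za-z0-9_-].
YOUTUBE_ID_RE = re.compile(r"^[A-Za-z0-9_-]{11}$")
# Shortcode syntax from the post: [youtube videoId]
SHORTCODE_RE = re.compile(r"\[youtube\s+([^\]\s]+)\]")


def render_youtube(video_id: str) -> str:
    """Build the embed markup for a validated id; raises on anything else."""
    if not YOUTUBE_ID_RE.match(video_id):
        raise ValueError(f"invalid YouTube id: {video_id!r}")
    # The embed markup itself is an assumption; because the id was validated
    # against a strict pattern it is safe to interpolate into an attribute.
    return (
        '<iframe width="560" height="315" '
        f'src="https://www.youtube.com/embed/{video_id}" '
        'frameborder="0" allowfullscreen></iframe>'
    )


def render_post(body: str, trusted_author: bool = False) -> str:
    """Escape HTML from untrusted authors, then expand shortcodes into server-generated markup.

    trusted_author=True models the admin case Laura mentions: the author may
    enter raw tags, so nothing is escaped, but shortcodes still expand.
    """
    if not trusted_author:
        body = html.escape(body, quote=True)

    def expand(match: "re.Match") -> str:
        try:
            return render_youtube(match.group(1))
        except ValueError:
            # Leave the literal shortcode in place; it is already escaped
            # when the author is untrusted, so it cannot inject markup.
            return match.group(0)

    return SHORTCODE_RE.sub(expand, body)


if __name__ == "__main__":
    # Constructed sample bodies.
    print(render_post("Watch this [youtube dQw4w9WgXcQ] <script>alert(1)</script>"))
    print(render_post('[youtube x"onload="alert(1)]'))
    print(render_post("<embed src=\"clip.swf\">", trusted_author=True))
```

The first call emits an iframe for the valid id while the `<script>` text is rendered as harmless escaped characters; the second keeps the malformed shortcode as escaped literal text rather than building a tag from it; the third passes the admin's raw `<embed>` through, which is the trade-off Laura describes when scriptProtect is turned off for trusted authors.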