TinyMCE Editor causing ERR_BLOCKED_BY_XSS_AUDITOR in Chrome - tinymce

I am working on a site that uses a TinyMCE Editor to allow users to add and write their own content.
Anyway, all seems okay until they try to embed a video using an <iframe>: when the form is submitted, Google Chrome takes this code as a malicious script and blocks the page from running; a refresh does bypass this.
In my headers I could change X-XSS-Protection: 1; mode=block to just not block XSS but this seems slightly insecure and not much of a solution.
Is there a way to whitelist such things for TinyMCE Editors?
Essentially, how do WordPress and the like get around this?

Related

Not finding a way to embed website on magic mirror

How can I embed a website in my magic mirror display? I am really facing issues doing so or finding the right way to do it. The modules proposed on magicmirror.builders didn't work much for me. (iframe, etc.)
If you mean that your site cannot be embedded using the iframe modules of MagicMirror, it's because some sites cannot be embedded by iframe.
There are several reasons; one of them is that the HTTP response header X-Frame-Options: DENY sent by the site disables iframe embedding. This is needed for internet security.
For MagicMirror usage, using WebView instead of iframe may resolve the problem.
I created the module.
https://github.com/Iketaki/MMM-WebView
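
The header check described in the answer above, as an added example that is not part of the original post or of MMM-WebView. It goes beyond X-Frame-Options: DENY to also cover SAMEORIGIN and the CSP frame-ancestors directive, which takes precedence when both are sent; the function names and the sample hosts are assumptions made for illustration.

```javascript
// Added example: decide from a response's headers whether a browser would
// render it inside an <iframe> on a given embedding page.
// `headers` uses lower-cased names, as Node's http module exposes them.

function frameAncestors(csp) {
  // Source list of the frame-ancestors directive, or null when it is absent.
  for (const directive of (csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

function sourceMatches(source, embedder, target) {
  if (source === '*') return true;
  if (source.toLowerCase() === "'self'") return embedder.origin === target.origin;
  if (source.startsWith("'")) return false; // 'none' and other keywords match nothing
  // Host source such as https://example.com or https://*.example.com.
  // Simplification: ports, paths and scheme-only sources are not handled,
  // and a source without a scheme is accepted for any scheme.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && scheme.toLowerCase() + ':' !== embedder.protocol) return false;
  return wildcard
    ? embedder.hostname.endsWith('.' + host.toLowerCase())
    : embedder.hostname === host.toLowerCase();
}

function canBeFramed(headers, targetUrl, embedderUrl) {
  // Only the direct parent is checked; browsers check every ancestor frame.
  const target = new URL(targetUrl);
  const embedder = new URL(embedderUrl);
  const sources = frameAncestors(headers['content-security-policy']);
  if (sources !== null) {
    // frame-ancestors replaces X-Frame-Options when both are present.
    return sources.some((s) => sourceMatches(s, embedder, target));
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedder.origin === target.origin;
  return true; // header absent or value not recognised: no framing restriction
}
```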

Chrome Extension (Content Script) Caching CSS

I'm writing an extremely simple extension which applies some CSS to Facebook's root, i.e. http://www.facebook.com/ only. When the user navigates to another page the CSS should not be applied; however, it appears that the file is cached and applies to all other pages until a full refresh (F5, etc.) is pressed, rendering the extension useless.
Would there be a simple solution to prevent caching for a particular page - or - some JavaScript to run such as window.reload? This may be a Facebook particular issue.
The Google Chrome extension never caches CSS. Actually, Facebook uses Ajax calls to update its content. So most of the time you are on the same page with different content.
The best way to have a local change is to use a JavaScript script with "document_end" injection. You can use DOM events to detect changes.

Cross-domain navigation within Blogger without Javascript

The setup: I have a Blogger blog set up on a domain name as blog.mydomain.com. The main site at mydomain.com is running Umbraco CMS.
The problem: I need to have the navigation from the CMS transported to Blogger somehow, so that making a change on the main website doesn't require the extra step of modifying the navigation inside Blogger.
Generating the navigation data on the CMS side in whatever format it needs to be (XML, unordered list, JSON, etc.) is not a problem. The problem is getting the data from Umbraco to Blogger after it is generated.
I'm not yet willing to use Javascript, as this would seriously impair the website for users browsing without Javascript. (Too bad because AJAX would be a very workable solution.)
I've tossed around the idea of using an iFrame. How would this work for a navigation system including sub-menus? Creating and deleting multiple iframes is out of the picture, since I don't want to use Javascript. I could use one large iframe to allow for the sub-menus, but then it would cover content at the top of the content area, rendering it unclickable.
I'm thinking about how you could do this, but while I do - in this day-and-age javascript has become very common. Most users are going to have it, and those with it disabled really shouldn't be on the web. Is this the only reason you don't want to use javascript? Around 2% according to YDN have js disabled, and that's lower from other countries. As time goes on that 2% should get lower, I don't see that as an issue. However if you absolutely can't use javascript, I'll keep thinking. I might have an idea, I'll need to test it though.
It's not possible to use an IFrame, because of the same-origin policy. Both sites are on different domains; when the user clicks a menu item inside the IFrame, there is no way to call the parent window.
There are a few ways this can be done.
1) JavaScript solution. Use JSON-RPC, or other cross-domain calls. Load the menu from your CMS and render it. Yes, this requires JavaScript, but, seriously, show me the site which does not use JavaScript.
2) Direct server communication.
Is it possible to perform an HTTP call from Blogger? If so, just perform an HTTP call to your CMS from Blogger, get the data and render it.
3) Mixed Flash/JavaScript solution. Flash can perform an HTTP call regardless of the same-origin policy. Get the data with Flash, and use ExternalInterface to call a JavaScript function to render the data.
There is no other way to do it. I suggest you use the JavaScript solution.
You could build an HTML skeleton of empty ULs in Blogger (the max that you might need) to hold your navigation contents, and then link to an Umbraco-generated external stylesheet.
This stylesheet could fill those LIs with CSS generated content using the :before and :after pseudo-elements, and hiding unused LIs with CSS display: none.
An example of this is at: http://jsfiddle.net/5bXja/1/
This works in IE8+ so depending on your clients, this may-or-may-not be more widely supported than Javascript. Likely not. ;-)

Browser plugin for cross-domain iframe communication

I would like to create a browser plugin/extension that would allow the browser to read contents of a cross-domain iframe. I understand that this isn't possible with javascript, but perhaps someone could point me in the right direction of how to create a plugin that users could install. A cross-browser solution would be ideal.
Specifically, I am creating a helpful navigation utility, and I want to know the URL of the iframe so that I can prevent the iframe from navigating to any questionable sites accidentally. I would also like to detect the size of the contents.
Thanks in advance.
Option 1: file_get_contents:
What you can try is to get the contents from the page by the PHP function file_get_contents, load the CSS files and get the contents and the size of the page.
Option 2: Headers:
You can start here: http://www.senocular.com/pub/adobe/crossdomain/policyfiles.html
See the "allow-access-from" section where you can allow domains to be accessed cross domain when they have specific headers.
Userscripts have cross-domain XMLHttpRequest, and they will even run on all browsers. They (or at least Kango's Content Scripts) have the ability to write and read stored values for cross-window communication.

joomla tinymce editor problem

Hi, I am using Joomla 1.5 for my site.
In this I found a problem with the TinyMCE editor: when I click on any article, the image buttons are not shown. When I click on the edit HTML source button, it shows only “{$lang_theme_code_title}” on the title bar and the whole body is blank.
So please help me resolve this problem.
Thanks in advance.
You should consider trying the JCE editor instead of trying to debug Tinymce. I'm running JCE error free on over 40 sites. It has a superior image manager, link manager, and code view. It installs easily and is highly configurable. The only caveat is that you should disable the Joomla insert image, page break, and read more buttons as JCE has those built in.
http://extensions.joomla.org/extensions/edition/editors/88
See this thread:
http://forum.joomla.org/viewtopic.php?t=62545
Try adding www. to your domain. Most often this is the problem.
I searched the Joomla project for vars $lang_theme_code_title... and related... There are none. Looked at the TinyMCE editor; it has a JavaScript-driven language file...
Most likely the problem is caused by JavaScript. Try using a different browser (Firefox or Chrome).
I read info on some other forums; some claim that temporarily disabling the antivirus solved the problem. I don't think that this will work, but you can try.
If none of this helps, you will need to give more information. Load Firefox with Firebug and see the NET tab for JavaScript files and Ajax requests; most likely you'll find something interesting there (I think a 500 error).