Support

Admin Tools

#9805 Embed Code Injection Problem

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Saturday, 26 March 2011 06:54 CDT

Saturday, 26 March 2011 06:16 CDT

user10128
Hi,
I have switched my host and was trying to do many things at the same time and I am stuck with this issue. I am using a CCK's text area field to input books Embed Code from scribd, and it was working until now.
Recently after the host change and upgrade to Admin Tools 2.0.2, I am facing this issue that this embed code strips out while saving. I am not sure if this is related with Admin Tools or host change or what.

I did try to switch off the protection on WAF one by one but it didn't solve the issue. I am not sure if .htaccess file can be a culprit.

If there's any where Admin Tools settings can be a problem, please help else I can look for some other solution.

Thanks,
Shakir

Saturday, 26 March 2011 06:18 CDT

nicholas
That's normal Joomla! behaviour ever since Joomla! 1.5.10. You can't insert embed or script tags in Joomla!'s articles. They are automatically stripped away by the system's HTML filter.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Saturday, 26 March 2011 06:48 CDT

user10128
Actually, it's normal for html editor. I am talking here TEXTAREA field. And I was able to add the same code since last three years. Haven't change anything with the TEXTAREA field though.

Saturday, 26 March 2011 06:54 CDT

nicholas
No matter what the HTML element is, it all comes down to how the underlying module/plugin/component fetches the incoming variable. If it uses the default JRequest filters, script and embed tags will be stripped away. If it explicitly tells JRequest to fetch the raw variable, without filtering, its contents will not be filtered.

Admin Tools doesn't try to sanitize incoming variables; neither WAF nor the .htaccess maker do that. If Admin Tools intercepts an incoming variable as a potential security threat it will simply block the request.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!