
JS in CE Type HTML: < gets converted to entity &lt;

Open Aybee opened this issue 9 years ago • 15 comments

This input

<script>
if(1 < 2) {
  console.log('OK');
}
</script>

ends up in

<script>
if(1 &lt; 2) {
  console.log('OK');
}
</script>

This happens with and without ace.

Aybee avatar Mar 03 '16 01:03 Aybee

:point_right: forum-thread

asaage avatar Mar 03 '16 01:03 asaage

You really should not add JavaScript in the HTML element. Why don't you use a template instead?

leofeyer avatar Mar 17 '16 15:03 leofeyer

@leofeyer if you only need the JavaScript on one particular page, it would make sense to integrate it this way. Think of an external service that provides some HTML + <script>. The most direct and easy approach would be to simply integrate it via an HTML element. I don't see why that should not be possible?

fritzmg avatar Mar 19 '16 09:03 fritzmg

@leofeyer You really should not add JavaScript in the HTML element. Why don't you use a template instead?

I don't know if I use, used or will use JS in the HTML element. It's just a bug report.

Aybee avatar Mar 19 '16 09:03 Aybee

Whatever we think about adding JavaScript in the HTML element, the current implementation is at least inconsistent, because you just have to write "if (2 > 1)" in the example above and it will work. Why should one version work but not the other one? So it's not a question of "bug" or "no bug". It's just the question which one is the bug. Is it a bug that "if (2 > 1)" works or is it a bug that "if (1 < 2)" doesn't? In general I would agree with Leo that the real bug is to allow the use of JavaScript inside the HTML element altogether. But fixing this would probably lead to a lot of problems with existing installations, too much IMHO for a bugfix release. Maybe it would be a better idea to fix it that way in 4.2 and make both versions of the example given above work in 3.5 - if technically possible without too much effort.

tabcontao avatar Mar 19 '16 10:03 tabcontao

In general I would agree with Leo that the real bug is to allow the use of JavaScript inside the HTML element altogether.

I disagree with that. If you need JavaScript on a singular page (be it something that you code yourself or external resources like in the example I described) the most direct approach is to integrate it via a single content element (i.e. the HTML content element). Anything else is cumbersome.

fritzmg avatar Mar 19 '16 10:03 fritzmg

The behavior could easily be changed by replacing 'allowHtml' with 'preserveTags' here. Contao would then use Input::postRaw() instead of Input::postHtml().

But I really don't know if we should change this by default. @contao/developers What do you think?

leofeyer avatar Apr 20 '16 09:04 leofeyer

allowHtml seems to have no effect with this field. While setting this to false you can still use HTML.

We cannot use preserveTags as this will not respect the allowedTags. With this setting it seems that all tags will be allowed.

Aybee avatar Apr 20 '16 13:04 Aybee

I doubt that. The preserveTags flag will preserve the tags if enabled.

leofeyer avatar Apr 20 '16 14:04 leofeyer

allowHtml seems to have no effect with this field. While setting this to false you can still use HTML.

I can confirm that. I put

$GLOBALS['TL_DCA']['tl_content']['fields']['html']['eval']['allowHtml'] = false;

into my dcaconfig.php and then created an html content element with the following content:

<div id="test">
    Lorem ipsum dolor.
</div>

I saved and closed and then edited again and the content was still there. Also the frontend showed

<div id="test">
    Lorem ipsum dolor.
</div>

as well.

fritzmg avatar Apr 20 '16 14:04 fritzmg

I doubt that. The preserveTags flag will preserve the tags if enabled.

I have tested that in 3.5.9. <script> was not in allowed tags but I was able to save the script tag in CE type HTML with preserveTags = true. Tested it again now and still can confirm this.

Aybee avatar Apr 20 '16 15:04 Aybee

As discussed in Mumble on April 21st, you should add the preserveTags flag in your dcaconfig.php instead of adding the <script> tag in the back end settings, because without preserveTags, your JS code will potentially break.

We want to add a save callback to tl_settings.allowedTags, which outputs an error message if someone tries to add <script> and tells them about preserveTags instead.

leofeyer avatar Apr 21 '16 14:04 leofeyer
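The save callback proposed above, written out as an added example (not Contao core code and not part of the original thread). It assumes the Contao 3.5 DCA conventions: a `save_callback` entry receives `($varValue, $dc)`, and an exception thrown from it is shown as a field error in the back end; the `preserveTags` eval key on `tl_content.html` mirrors the `allowHtml` key used earlier in this thread.

```php
<?php
// Added example, not Contao core code: a save_callback on tl_settings.allowedTags
// that refuses <script> and points the administrator at the preserveTags flag.
// Assumed location: system/config/dcaconfig.php

$GLOBALS['TL_DCA']['tl_settings']['fields']['allowedTags']['save_callback'][] =
    array('tl_settings_allowed_tags', 'rejectScriptTag');

class tl_settings_allowed_tags
{
    /**
     * Refuse to store <script> in the list of allowed tags.
     *
     * Allowing <script> globally would let every back end user who may edit
     * content inject JavaScript into any page; the per-field preserveTags flag
     * limits that to the HTML content element instead.
     *
     * @param string $varValue raw field value, e.g. "<a><p><script>"
     * @param object $dc       the DataContainer (unused here)
     * @return string the unchanged value if it is acceptable
     * @throws Exception if <script> is present (shown as a field error)
     */
    public function rejectScriptTag($varValue, $dc = null)
    {
        // Match "<script", tolerating whitespace and attributes: "< script src=...>"
        if (preg_match('/<\s*script\b/i', (string) $varValue)) {
            throw new Exception(
                '<script> cannot be added to the allowed tags. Set '
                . "\$GLOBALS['TL_DCA']['tl_content']['fields']['html']['eval']['preserveTags'] = true; "
                . 'in your dcaconfig.php instead (assumed key, see the thread above).'
            );
        }

        return $varValue;
    }
}
```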

Ok, so at the very right moment with preserveTags all tags are allowed, not only the allowed tags. Is this right?

Aybee avatar Apr 21 '16 14:04 Aybee

If you allow scripts, everything is allowed anyway because you can do anything. Like document.write(…)

aschempp avatar Apr 21 '16 14:04 aschempp

Sorry, to wrap up I have to switch to German briefly once more.

Leo said we could perhaps use preserveTags for the HTML field. Whereupon I pointed out that the allowedTags would then no longer be respected.

Docu: If true no HTML tags will be removed at all.

What confused me then was

@leofeyer - I doubt that.

This here

Ok, so at the very right moment with preserveTags all tags are allowed, not only the allowed tags. Is this right?

was just a follow-up question to confirm whether what the docs say is correct. So I was apparently somehow confused by the "I doubt that."

Aybee avatar Apr 21 '16 14:04 Aybee