2
votes

I'm trying to create a custom component in Joomla 2.5 and struggling to get it to stop stripping all HTML tags out of the editor field - links, new lines, p tags - the full works. The form field is below:

<field
    name="post"
    type="editor"
    label="COM_HELLO_WORLD_EDITOR_LABEL"
    description="COM_HELLO_WORLD_EDITOR_DESC"
    class="inputbox"
    filter="JComponentHelper::filterText"
    required="true"
    default=""
/>

Clearly there are many many posts about this around both SO and Joomla forums. However they generally seem to have two clear themes.

  1. Tiny MCE Settings. I've checked after setting my default editor to "None" (i.e. just a text area) and the tags are all still stripped
  2. Joomla Text filter settings. I'm logged in as a Global Admin with the super users set to "no filtering"

I'm overriding the model's save function for this with:

function store()
{
    $row =& $this->getTable();
    $input = new JInput();
    $data = $input->getArray($_POST);

    //Sets Users id as current logged in user if not set
    if(!$data['jform']['post_user']) {
        $data['jform']['post_user']=JFactory::getUser()->id;
    }

    // Bind the form fields to the post table
    if (!$row->bind($data['jform'])) {
        $this->setError($this->_db->getErrorMsg());
        return false;
    }

    // Make sure the hello is valid
    if (!$row->check()) {
        $this->setError($this->_db->getErrorMsg());
        return false;
    }

    // Store the hello table to the database
    if (!$row->store()) {
        $this->setError($this->_db->getErrorMsg());
        return false;
    }
    return true;
}

My gut instinct is that it's to do with JInput stripping HTML tags. But even adding in the extra line into the save file $data['jform']['post']=$input->getHTML('post'); nothing happened. So I'm not really sure where to go from here. Any ideas?


UPDATE

Just to clarify an issue quickly - I want to use the preset Joomla 'Text Filter' Settings under 'Global Configuration' rather than manually setting each tag in the component!


UPDATE 2

I added filter="raw" to the editor form field. I now see the html <p> tags when I dump out the variable $_POST['jform']['post'], null, 'HTML'). However then when applying just a simple JInput Filter function - let alone applying the Joomla Config values - I'm getting null.

    $input = new JInput();
    $data = $input->getArray($_POST);
    $data['jform']['post']=$input->get($_POST['jform']['post'], null, 'HTML');

Is the sentence here "HTML - Returns a string with HTML entities and tags intact, subject to the white or black lists in the filter." describing the JInput HTML filter referring to the Global Config Text filter settings? Just to confirm?

3
You don't want any filtering at all or? - Marko D

Well I'd like to have the Joomla filtering system - as specified in the Text Filters area of Global Configuration. So for superadmins - no filtering. For some no html and for others selected HTML. But for me as a super admin no filtering yes. - George Wilson

3 Answers

1
votes

Try something like this

// Whitelist filter: first array = allowed tags, second array = allowed attributes
$input_options = JFilterInput::getInstance(
    array(
        'img','p','a','u','i','b','strong','span','div','ul','li','ol','h1','h2','h3','h4','h5',
        'table','tr','td','th','tbody','thead','tfoot','br'
    ),
    array(
        'src','width','height','alt','style','href','rel','target','align','valign','border','cellpadding',
        'cellspacing','title','id','class'
    )
);

// Read the POST data through a JInput that uses this filter
$postData = new JInput($_POST, array('filter' => $input_options));

The first array is the allowed tags, the second array is the allowed attributes.

0
votes

What is this about? filter="JComponentHelper::filterText"? Did you write a custom filter?

The default filtering, like most things in Joomla (also ACL for example), is very strict so that if you get XSS from not filtering it's a deliberate choice you've made, not a security risk in the core. But your core filtering should be being applied ... except that you seem to have perhaps overridden with the unknown filter. So I suspect given this unknown filter it's falling back to very strict.

0
votes

Quite some time later, but just for the record, for anyone encountering the same problem, here is my solution.

For me this problem was immediately solved by using JRequest instead of JInput. I believe it's deprecated, but it is still used by Joomla 2.5.14 (most up-to-date Joomla 2.5 at this moment) in the save() function of JControllerForm.
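
One way to get the behaviour the question asks for, shown as an added example rather than code from any of the posts above: read the submitted `jform` array unfiltered, then run only the editor field through `JComponentHelper::filterText`, which applies the Global Configuration text filters for the current user's groups. It assumes a Joomla 2.5 component; the class name `HelloWorldModelPost` and its table are hypothetical.

```php
<?php
// Added example for Joomla 2.5; class, table and field names are hypothetical.
defined('_JEXEC') or die;

jimport('joomla.application.component.model');

class HelloWorldModelPost extends JModel
{
    public function store()
    {
        $row   = $this->getTable();
        $input = new JInput();

        // JInput::getArray() expects a map of field name => filter type, so
        // fetch the submitted form as an unfiltered array and clean each
        // field explicitly instead of passing $_POST to getArray().
        $raw = $input->get('jform', array(), 'array');

        // A default JFilterInput instance has an empty whitelist: all tags go.
        $plain = JFilterInput::getInstance();
        $data  = array();
        foreach ($raw as $key => $value) {
            if (is_scalar($value)) {
                $data[$key] = $plain->clean($value, 'string');
            }
        }

        // Editor field only: apply the per-group Text Filters from
        // Global Configuration to the raw submitted markup.
        $post = isset($raw['post']) ? (string) $raw['post'] : '';
        $data['post'] = JComponentHelper::filterText($post);

        // Same default as the original code (logged-in user when unset),
        // with the value forced to an integer.
        $data['post_user'] = empty($raw['post_user'])
            ? (int) JFactory::getUser()->id
            : (int) $raw['post_user'];

        // Bind, validate and store; report the table's own error on failure.
        if (!$row->bind($data) || !$row->check() || !$row->store()) {
            $this->setError($row->getError());
            return false;
        }
        return true;
    }
}
```

For groups set to "No Filtering" the markup is stored exactly as submitted, so every other field stays on the tag-stripping filter.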