Monday, October 18, 2010

Joomla Tip - Why does some HTML get removed from articles in version 1.5.8?


In Joomla! 1.5.8, a default filter applies to anyone who has not selected an Article Filter option: "black list" filtering, put in place as a security precaution against possible XSS.
Because of this change, you might notice problems saving an article that contains a YouTube video or other embedded JavaScript or Flash objects.
If the default filtering option is not suitable for your needs, you can change it by using the Article Global Configuration options. For example, to change the default settings so that no filtering happens for members of the Super Administrator group:
  1. Navigate to Content → Article Manager.
  2. Press the Parameters icon in the toolbar to show the Articles - Global Configuration screen.
  3. Scroll down to Filtering Options, highlight all Filter groups except Super Administrator, and select Filter type of Blacklist (Default), as shown in the screenshot below.
With this setting, Joomla! will use the default Blacklist filter for all users except for the Super Administrator group. If you want to let other groups of Users submit content with no filtering, just modify the instructions above to exclude these groups. If you want no filtering on any groups, follow the instructions above but select only the Registered group.
Note: If you are using the TinyMCE Editor you may also want to adjust these settings in the plugin:
  • Code Cleanup on Startup -> Off
  • Code cleanup on save -> Always (TinyMCE since J! 1.5.12).
  • Do not clean HTML entities -> Yes [In 1.5.15 and later it is called Entity Encoding -> Raw]

Filtering Options (HTML)

Web sites can be attacked by users entering specially crafted HTML. Filtering is a way to protect your Joomla! web site. Joomla! 1.5 brings new filtering options to give you more control over the HTML that your content providers are allowed to submit. You can be as strict or as liberal as you desire, depending on your site's needs.
It is important to understand that filtering occurs at the time an article is saved, after it has been written or edited. Depending on your editor and filter settings, it is possible for a user to add HTML to an article during the edit session only to have that HTML removed from the article when it is saved. This can sometimes cause confusion or frustration. If you have filtering set up on your site, make sure your users understand what types of HTML are allowed.
The default setting, as of Joomla! version 1.5.9, is that all users except members of the Super Administrator group will have "black list" filtering on by default. This is designed to protect against markup commonly associated with web site attacks. So, if you do not set any filtering options, the Super Administrator will have no filtering done, and all other users will have "black list" filtering done using the default list of filtered items. If you create a filter here, this overrides the default, and the default filter is no longer in effect. Only one filter option is allowed per site.
There are two steps to setting up filtering:
  1. Decide on the user groups that will receive filtering. This will normally include the highest level group you want to filter and all of the groups below that level. For example, if you want to filter Publishers and below, this would include Publisher, Editor, Author, and Registered.
  2. Enter the type and extent of the desired filtering.
For example, if you want filtering only for Author, Registered user, and guests, select "Author", "Registered", and "Public Front End" for the Filter Groups and then select the desired type of filtering. This will apply to members of the Author, Registered and public groups but not to "higher" groups, such as Editors, Publishers, and so on.
The default filtering is overridden by entering in the following fields:
  • Filter Groups. This sets the user groups that you want filters applied to. Use Ctrl+Click to select multiple groups. Groups that are not selected will have no filtering done.
    Important Note: There is a bug, as of version 1.5.8, such that you must specify at least two groups for the filtering to take place. If you only specify one group, no filtering will happen. This is easy to work around. Just be sure to always specify at least two groups here.
  • Filter Type. Black List (Default), White List, No HTML.
    • Black list means allow all HTML tags and attributes except those listed.
    • White list means allow only the listed tags and attributes.
    • No HTML means allow no HTML markup at all. All HTML is removed from an Article when it is saved.
  • Filter Tags. The extra tags to exclude in a Black List, or the only tags to allow in a White List.
  • Filter Attributes. The extra tag attributes to exclude in a Black List, or the only tag attributes to allow in a White List.

Default Filters

The default filter method in Joomla! is 'Black List'. The default 'Black List' contains the following tags to exclude:
'applet', 'body', 'bgsound', 'base', 'basefont', 'embed', 'frame', 'frameset', 'head', 'html', 'id', 'iframe', 'ilayer', 'layer', 'link', 'meta', 'name', 'object', 'script', 'style', 'title', 'xml'
The default 'Black List' contains the following attributes to exclude:
'action', 'background', 'codebase', 'dynsrc', 'lowsrc'
You can 'Black List' (disallow) additional tags and attributes by adding to the Filter tags and Filter attributes fields, separating each tag or attribute name with a space or comma. If you select a Filter Type of "Black List", this list will always be used, plus any additional tags and attributes you add.
Please note that these settings work regardless of the editor that you are using. Even if you are using a WYSIWYG editor, the filtering settings may strip additional tags and attributes prior to saving information in the database.
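To make the three Filter Types concrete, here is a small added example (not Joomla!'s own JFilterInput code) that applies Black List, White List and No HTML filtering to a constructed article body containing an old-style YouTube object/embed and an image with the blacklisted lowsrc attribute. The default tag and attribute lists are the ones quoted above; the sample article and the example.invalid URL are constructed for this demonstration.

```python
from html import escape
from html.parser import HTMLParser

# Joomla! 1.5 default black list, copied from the lists above.
DEFAULT_TAG_BLACKLIST = {
    "applet", "body", "bgsound", "base", "basefont", "embed", "frame", "frameset",
    "head", "html", "id", "iframe", "ilayer", "layer", "link", "meta", "name",
    "object", "script", "style", "title", "xml"}
DEFAULT_ATTR_BLACKLIST = {"action", "background", "codebase", "dynsrc", "lowsrc"}


class ArticleFilter(HTMLParser):
    """mode is 'blacklist' (defaults plus the given tags/attrs are removed), 'whitelist'
    (only the given ones are kept) or 'nohtml'. Only tag markup is removed; text stays."""
    def __init__(self, mode, tags=(), attrs=()):
        super().__init__()
        self.mode = mode
        blk = mode == "blacklist"
        self.tags = {t.lower() for t in tags} | (DEFAULT_TAG_BLACKLIST if blk else set())
        self.attrs = {a.lower() for a in attrs} | (DEFAULT_ATTR_BLACKLIST if blk else set())
        self.out = []

    def _allowed(self, name, listed):
        if self.mode == "nohtml":
            return False
        return name not in listed if self.mode == "blacklist" else name in listed

    def handle_starttag(self, tag, attrs):
        if not self._allowed(tag, self.tags):
            return  # drop the tag itself; its inner text is still emitted by handle_data
        kept = "".join(f' {k}="{escape(v, quote=True)}"' for k, v in attrs
                       if v is not None and self._allowed(k.lower(), self.attrs))
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if self._allowed(tag, self.tags):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # parser decoded entities; re-escape


def filter_article(body, mode, tags=(), attrs=()):
    """Return the article body as it would be stored after filtering in the given mode."""
    f = ArticleFilter(mode, tags, attrs)
    f.feed(body)
    f.close()
    return "".join(f.out)

# Constructed sample article: YouTube-style object/embed plus an <img> carrying lowsrc.
SAMPLE = ('<p>Watch this &amp; enjoy:</p><object width="425"><embed src="http://example.invalid/v">'
          '</embed></object><img src="poster.png" lowsrc="tiny.png" alt="poster">')
```

With the default Black List the object and embed tags and the lowsrc attribute disappear while the paragraph and image survive; a White List of just "p" keeps only the paragraph, and No HTML leaves the bare text.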
