12 posts Page 2 of 2
Hi Solaris,

I am sorry that you are finding the going so difficult. But don't worry - just a couple of simple concepts need to be cleared and things should become way easier.

Let us start from a blank slate -
Suppose this is your 'contact.php' template (I have simplified the HTML) -
Code:
<?php require_once( 'couch/cms.php' ); ?>
<html>
<head></head>
<body>
   <cms:editable name='contact_maincontent' type='richtext'>
      Lorem ipsum
   </cms:editable>
</body>
</html>
<?php COUCH::invoke(); ?>

In the code above, the cms:editable tag used does two things -
1. On the back-end: it creates an editable region (named 'contact_maincontent') allowing the content to be edited.
2. On the front-end: it outputs whatever content the editable region mentioned above currently holds.

To make the cms:editable tag only perform the first of the two tasks mentioned above (i.e. only create the editor but not display its value), we either -
1. Add hidden='1' attribute to the tag or
2. Enclose the tag within cms:template tag (preferably at the very start of the file).

We'll take the second approach (as by using this we place the definitions of all editable regions of the template at one location and this makes administrating them easier).
Our modified template now becomes
Code:
<?php require_once( 'couch/cms.php' ); ?>
<cms:template title='Contact'>
   <cms:editable name='contact_maincontent' type='richtext'>
      Lorem ipsum
   </cms:editable>
</cms:template>
<html>
<head></head>
<body>
   
</body>
</html>
<?php COUCH::invoke(); ?>

But now what do we do to output the contents of this region?
That we do by using the cms:show tag -
Code:
<?php require_once( 'couch/cms.php' ); ?>
<cms:template title='Contact'>
   <cms:editable name='contact_maincontent' type='richtext'>
      Lorem ipsum
   </cms:editable>
</cms:template>
<html>
<head></head>
<body>
   <cms:show contact_maincontent />
</body>
</html>
<?php COUCH::invoke(); ?>

Notice how we supply the 'name' of our editable region to cms:show tag.
So that should make clear the relationship between cms:editable and cms:show tags.
(Please see http://www.couchcms.com/docs/concepts/variables.html if you require more info).

Moving on, let us add a second editable region to our template -
Code:
<?php require_once( 'couch/cms.php' ); ?>
<cms:template title='Contact'>
   <cms:editable name='contact_maincontent' type='richtext'>
      Lorem ipsum
   </cms:editable>
   <cms:editable name='my_mail_address' type='text' />
</cms:template>
<html>
<head></head>
<body>
   <cms:show contact_maincontent />
   E-Mail: <cms:show my_mail_address />
</body>
</html>
<?php COUCH::invoke(); ?>

Notice how again we are using cms:show to display the contents of the second editable region. Any content (Email address) placed within the back-end textbox will be faithfully outputted on the front-end.

So far everything has been the staple fare. If we simply replace the cms:show with cms:cloak_email like the following
Code:
<?php require_once( 'couch/cms.php' ); ?>
<cms:template title='Contact'>
   <cms:editable name='contact_maincontent' type='richtext'>
      Lorem ipsum
   </cms:editable>
   <cms:editable name='my_mail_address' type='text' />
</cms:template>
<html>
<head></head>
<body>
   <cms:show contact_maincontent />
   E-Mail: <cms:cloak_email my_mail_address />
</body>
</html>
<?php COUCH::invoke(); ?>

- any inputted email address will still be outputted but it will be obfuscated using JavaScript.
This is the method I suggested in my first reply.

In the method suggested above, the (obfuscated) email always gets outputted at a defined location in the template - the place where we have placed the <cms:cloak_email my_mail_address /> statement. If this is what you want, go for it.

If, however, you wish to output the obfuscated email at any arbitrary location contained within the text of 'contact_maincontent' region, we'll have to think of a different way.
We cannot simply input <cms:cloak_email 'myemail@gmail.com' /> within the richtext editor of 'contact_maincontent' - the XSS protection you encountered will 'nullify' the tags. The same thing will also happen if we try putting in any JavaScript code in the editor.

To make this possible, we'll fall upon 'shortcodes'.
Please see http://www.couchcms.com/docs/miscellane ... codes.html for a detailed explanation of this feature.
In short, this is what we do -
Instead of inputting the, doomed to be sanitized, <cms:cloak_email 'myemail@gmail.com' /> within the richtext editor, we input instead [mailto]myemail@gmail.com[/mailto].
Couch will allow this code to be inputted because it is not considered malicious.
At the time of outputting the code, we'll use shortcode to expand or convert the [mailto]myemail@gmail.com[/mailto] to the real JavaScript code.

To do this, we'll
1. Place the PHP code that does the conversion (shortcode handler) within kfunctions.php (the sample file in the documentation already has this).
2. Filter our output (containing the [mailto]myemail@gmail.com[/mailto]) through the shortcode.
In our case we input the [mailto]myemail@gmail.com[/mailto] within the richtext editor of contact_maincontent. The place where we output its content is
<cms:show contact_maincontent />
We simply modify the statement above to:
<cms:do_shortcodes><cms:show contact_maincontent /></cms:do_shortcodes>
This will cause the raw content of the editable region to be filtered through our shortcode PHP which will find the [mailto]myemail@gmail.com[/mailto] and convert it to the JavaScript code.

Instead of the [mailto] shortcode, you can use the one suggested by @cheesypoof to output the JavaScript of your original code.

So that wraps up all the methods we suggested.

Finally, I'd like to add that you please take a (cursory) look at our documentation of Core Concepts (http://www.couchcms.com/docs/concepts/). The first few chapters should explain almost everything that needs to be known about Couch.
To know more about shortcodes, please see http://www.couchcms.com/docs/miscellane ... codes.html.

Hope this helps. Please let me know.
Thanks
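
Added example (not part of the post above and not Couch's own kfunctions.php code): a stand-alone PHP model of the shortcode idea, where the editor stores an inert [mailto]...[/mailto] token and the server expands it at output time. It assumes HTML-entity encoding as a stand-in for the JavaScript obfuscation of cms:cloak_email, and the function names entity_encode and expand_mailto are hypothetical. The handler validates the token's content first, because whatever it returns is emitted after the richtext sanitizer has already run.

```php
<?php
// Added illustration: a stand-alone model of a [mailto] shortcode expander.
// Not Couch's kfunctions.php code; all function names here are hypothetical.

// Encode every byte as a decimal HTML entity. Addresses that pass
// FILTER_VALIDATE_EMAIL are ASCII, so byte-wise encoding is sufficient, and
// characters such as ' or & can no longer break out of an attribute.
function entity_encode(string $s): string {
    $out = '';
    foreach (str_split($s) as $ch) {
        $out .= '&#' . ord($ch) . ';';
    }
    return $out;
}

// Expand [mailto]addr[/mailto] only when addr is a syntactically valid address.
function expand_mailto(string $html): string {
    return preg_replace_callback(
        '~\[mailto\](.*?)\[/mailto\]~s',
        function (array $m): string {
            $addr = trim($m[1]);
            if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
                // Not an address: emit the token as escaped text, never as markup.
                return htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8');
            }
            $enc = entity_encode($addr);
            return '<a href="' . entity_encode('mailto:') . $enc . '">' . $enc . '</a>';
        },
        $html
    ) ?? $html; // preg error: fall back to the unexpanded content
}

// Constructed sample: what an editor might have saved in the richtext region.
$stored = '<p>Write to [mailto]myemail@gmail.com[/mailto] or '
        . '[mailto]<b>not an address</b>[/mailto]</p>';
echo expand_mailto($stored), "\n";
```

The first token becomes an entity-encoded mailto link; the second fails validation and is printed as escaped literal text, so a shortcode cannot be used to reintroduce markup the editor's XSS filter would have removed.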
KK wrote: I am sorry that you are finding the going so difficult. But don't worry - just a couple of simple concepts need to be cleared and things should become way easier.

Hi KK,
Thank you so much for taking the time - I can happily confirm that things have become waaayyy easier in the meantime and that I am a happy customer again. :D

My frustrating experience was mainly due to one single mistake I made:
I had put the cloak:tag within the text of the contact_maincontent editable region - without using shortcodes...

Thanks again - also to cheesypoof!
Solaris