6 posts Page 1 of 1
In my shop, I'm "the guy who runs the website," but I am NOT a webmaster. So this has thrown me a bit.

I'm trying to edit a page so as to insert some javascript into the source code. The code I'm trying to paste is:

--- begin code ---

<div id="bbox-root"></div> <script type="text/javascript"> window.bboxInit = function () { bbox.showForm('8a89a64a-9af1-4d9c-aff0-524e3616885a'); }; (function () { var e = document.createElement('script'); e.async = true; e.src = 'https://bbox.blackbaudhosting.com/webforms/bbox-min.js'; document.getElementsByTagName('head')[0].appendChild(e); } ()); </script>

--- end code ---

When I paste it in and then save the page, I find the following:

--- begin code ---

<div id="bbox-root">&nbsp;</div>
<script type="text/jaxxxvascxxxript"> window.bboxInit = function () { bbox.showForm(&#039;8a89a64a-9af1-4d9c-aff0-524e3616885a&#039;); }; (function () { var e = document.createElement(&#039;script&#039;); e.async = true; e.src = &#039;https://bbox.blackbaudhosting.com/webforms/bbox-min.js&#039;; document.getElementsByTagName(&#039;head&#039;)[0].appendChild(e); } ()); </script>

--- end code ---

As you can see, "xxx" has appeared within the word "javascript." This happens every time I have attempted to insert some javascript into a page's source code via the CMS. Sometimes, as with embedding video, I can use an <iframe></iframe> tag or some other workaround, but for this particular task, there is no substitute.

This also happens anytime I attempt to add certain words to the text of the page -- "transcript" is a frequent offender, usually rendering as "transcxxxript" -- and because I work for a college, that's a fairly major land mine.

How can I prevent the extraneous "xxx"s from happening or work around them? I have back-end access, but I would need very specific instructions to go in and fix anything. Thanks!

L.
Hi :)

As a security measure, Couch 'sanitizes' all inputs - as part of this exercise it neutralizes all dangerous JS attributes by inserting 'xxx' into them. Only a small sub-set of HTML tags are allowed too. The rest get their '<' and '>' characters converted into printable characters.

Point is, you cannot paste 'code' (e.g. video embed code etc.) directly into normal editable regions.

To do that you have two options -
1. Use a dedicated editable region of type 'textarea' (*has* to be 'textarea') and add to it no_xss_check='1' attribute e.g. as follows
<cms:editable name='my_adsense' label="Adsense Code" desc="Enter your Adsense code here"
    no_xss_check='1'
    type="textarea"
/>
Doing this will let through all inputted content untouched.

2. If you must inject code within other editable regions (e.g. 'richtext'), use shortcodes (http://www.couchcms.com/docs/miscellane ... codes.html has several examples). You might also find this general-purpose shortcode useful - viewtopic.php?f=8&t=7950

You may try searching for 'no_xss_check' on this forum for several threads discussing this topic.

Hope it helps.
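To make the filtering behaviour described in this answer concrete, here is an added example (my own model, not Couch's sanitizer code) that reproduces the 'jaxxxvascxxxript' and 'transcxxxript' results quoted above, contrasts a normal editable region with a textarea region carrying no_xss_check='1', and lists the ordinary words a substring blocklist would mangle. The token table and split positions are assumptions chosen only to match the quoted output.

```python
import re

# Constructed model of the behaviour reported in this thread, not Couch's own
# code: a blocklist filter that splices "xxx" into substrings it treats as
# dangerous and HTML-encodes single quotes. The tokens and the index at which
# "xxx" is inserted are assumptions that reproduce the outputs quoted above.
BLOCKED_TOKENS = {"java": 2, "script": 2}  # "ja|va" -> jaxxxva, "sc|ript" -> scxxxript

_TOKEN_RE = re.compile("|".join(map(re.escape, BLOCKED_TOKENS)), re.IGNORECASE)


def _neutralise(match: re.Match) -> str:
    """Insert 'xxx' inside the matched token, preserving its original case."""
    word = match.group(0)
    split_at = BLOCKED_TOKENS[word.lower()]
    return word[:split_at] + "xxx" + word[split_at:]


def sanitize_richtext(text: str) -> str:
    """Model of a normal editable region: quotes encoded, tokens neutralised."""
    encoded = text.replace("'", "&#039;")
    return _TOKEN_RE.sub(_neutralise, encoded)


def store_no_xss_check_textarea(text: str) -> str:
    """Model of a type='textarea' region with no_xss_check='1': untouched."""
    return text


def collateral_words(text: str) -> list[str]:
    """Ordinary prose words the substring blocklist would mangle."""
    return [w for w in re.findall(r"[A-Za-z]+", text) if _TOKEN_RE.search(w)]


if __name__ == "__main__":
    # Constructed sample with a placeholder form id, not a real one.
    snippet = "<script type=\"text/javascript\">bbox.showForm('FORM-ID-PLACEHOLDER');</script>"
    print(sanitize_richtext(snippet))
    print(store_no_xss_check_textarea(snippet) == snippet)
    print(collateral_words("The lecture transcript is posted on the Java course page."))
```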
Hi :)
Do you absolutely need your code in editable?
If not, just throw in <cms:embed 'script.html' />
script.html would be a file in the snippet directory, containing just your script.
Join COUCH:TALK channel here https://t.me/couchcms_chat
Ryazania — a framework to boost productivity with Add-ons viewtopic.php?f=2&t=13475
Support my efforts to help the community https://boosty.to/trendo/donate
Thank you both for your responses. I'll give both approaches a try!

Best,

Lex
Trendoman: The "snippet" directory? I am not finding any directory or folder named snippet. Help?
Update: Stand down, trendoman; found 'snippets' in the 'couch' directory. My bad.

Both y'all's methods worked, once I inserted a space between the '1' and the /> in the cms tag.

Thank you both for your help.

Cheers,

L.