Enabling HTML embed codes
Description
You can set up Plone so it will not allow you to paste the code necessary to embed videos, slideshows or music players from popular websites such as Flickr, YouTube, Google Maps and MySpace. Learn how to adjust the HTML filtering to achieve the desired level of safety versus convenience.
*** Settings ***

Resource    plone/app/robotframework/server.robot
Resource    plone/app/robotframework/keywords.robot
Resource    Selenium2Screenshots/keywords.robot

Library    OperatingSystem

Suite Setup    Run keywords    Suite Setup    Test Setup
Suite Teardown    Run keywords    Test teardown    Suite Teardown

*** Variables ***

${FIXTURE}    plone.app.robotframework.PLONE_ROBOT_TESTING
@{DIMENSIONS}    1024    768
@{APPLY_PROFILES}    plone.app.contenttypes:plone-content

*** Keywords ***

Suite Setup
    Run keyword if    not sys.argv[0].startswith('bin/robot')
    ...    Setup Plone site    ${FIXTURE}
    Run keyword if    sys.argv[0].startswith('bin/robot')
    ...    Open test browser
    Run keyword and ignore error    Set window size    @{DIMENSIONS}

Test Setup
    Import library    Remote    ${PLONE_URL}/RobotRemote
    Run keyword if    sys.argv[0].startswith('bin/robot')
    ...    Remote ZODB SetUp    ${FIXTURE}
    ${language} =    Get environment variable    LANGUAGE    'en'
    Set default language    ${language}
    Enable autologin as    Manager
    ${user_id} =    Translate    user_id
    ...    default=jane-doe
    ${user_fullname} =    Translate    user_fullname
    ...    default=Jane Doe
    Create user    ${user_id}    Member    fullname=${user_fullname}
    Set autologin username    ${user_id}

Test Teardown
    Run keyword if    sys.argv[0].startswith('bin/robot')
    ...    Remote ZODB TearDown    ${FIXTURE}

Suite Teardown
    Run keyword if    not sys.argv[0].startswith('bin/robot')
    ...    Teardown Plone Site
    Run keyword if    sys.argv[0].startswith('bin/robot')
    ...    Close all browsers
Important security note
Making these configuration changes has serious security implications for your site.
Plone filters out many tags for a good reason: they can be abused by your site users to create privilege escalation attacks.
If you have allowed untrusted people to create content on your Plone site, then a malicious person could put some “nasty” JavaScript in a content item and then trick a person with Admin rights into viewing that content. That “nasty” JavaScript can now make HTTP requests to the Plone site with the full Admin rights granted to the trusted user.
Bottom line: do not use this technique to enable embeddable content in your Plone site unless you are certain that you trust all users who are allowed to create content in your site.
Plone 5
In Plone 5, there are two steps you need to take in order to embed content that is not using an iframe tag:
Note
By default, Plone 5 allows <iframe> as a valid tag. That enables embedding media from the most popular sites such as Vimeo and YouTube.
This behavior is a change from earlier versions. If you are in a high-security environment, simply add “iframe” to the list of nasty tags and embedding will stop working.
First, go to Site Setup > TinyMCE Visual Editor, then click on the Toolbar tab.
- Enable the checkbox next to “Insert/edit Media”
- Scroll down to the bottom of the screen and click “Save”
Then, go to Site Setup > HTML Filtering
- Remove “Object” and “Embed” from the “Nasty Tags” list
- Remove “Object” and “Param” from the “Stripped Tags” list
- Add “Embed” to the “Custom Tags” list
- Scroll down to the bottom of the screen and click “Save”
With these changes made, you should be able to click the newly added “Embed Media” button in the TinyMCE toolbar. You can paste in the URL of a YouTube video, and TinyMCE will do the rest for you!
For a Flickr slideshow, and most other embeds, switch into HTML editing mode and paste in the raw embed code.
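As an added illustration, and not code from the Plone documentation or from Plone's own filter, the following Python models how the three HTML Filtering lists (Nasty Tags, Stripped Tags and Custom Tags) interact: under constructed default lists the object/embed code is dropped entirely, after the changes described above it passes through, and a script tag stays blocked in both configurations. The tag lists and sample markup are constructed for the example, and the real Plone filter also inspects attributes, which this model leaves out.

```python
from html.parser import HTMLParser

VOID = {"embed", "param", "img", "br"}  # void elements: no closing tag ever arrives
# Constructed lists: a small subset of Plone's real Valid Tags, plus the Nasty /
# Stripped entries this page tells you to change (attribute filtering not modelled).
VALID = {"p", "a", "b", "iframe", "object", "param"}
DEFAULT = dict(nasty={"script", "object", "embed"}, stripped={"object", "param"})
RELAXED = dict(nasty={"script"}, stripped=set(), custom={"embed"})  # after the steps above
# Constructed inputs: a Flash-style embed code and a script injection attempt.
EMBED = '<p>Clip:</p><object data="x.swf"><param name="q" value="1"><embed src="x.swf"></object>'
SCRIPT = '<p>hi</p><script>/* constructed */</script>&lt;script&gt;'

class TagListFilter(HTMLParser):
    # Nasty: element and its content removed.  Stripped or unknown: tag removed,
    # content kept.  Valid + Custom: passed through unchanged.
    def __init__(self, valid, nasty, stripped, custom=()):
        super().__init__(convert_charrefs=False)  # keep &lt; escaped in the output
        self.allowed = (set(valid) | set(custom)) - set(stripped)
        self.nasty, self.out, self.skip = set(nasty), [], 0  # skip > 0 inside a nasty element

    def handle_starttag(self, tag, attrs):
        if self.skip or tag in self.nasty:
            if tag not in VOID:      # a void nasty tag has no end tag to balance
                self.skip += 1
        elif tag in self.allowed:
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):  # <embed ... />
        if not self.skip and tag not in self.nasty and tag in self.allowed:
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if self.skip:
            if tag not in VOID:
                self.skip -= 1
        elif tag in self.allowed and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip: self.out.append(data)
    def handle_entityref(self, name):  # re-emit &lt; rather than decoding it to <
        if not self.skip: self.out.append(f"&{name};")
    def handle_charref(self, name):
        if not self.skip: self.out.append(f"&#{name};")

def filter_html(html, nasty, stripped, custom=()):
    """Run one HTML string through the filter with the given control-panel lists."""
    p = TagListFilter(VALID, nasty, stripped, custom); p.feed(html); p.close()
    return "".join(p.out)
```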
Note
To allow completely arbitrary HTML code, see WYSIWYG text editing and TinyMCE and David Glick’s blog post.