HTML Embed - Admin Only?

So I had a user report a problem with adding an embed code for a video (not YouTube) using the HTML icon in TinyMCE. So when I tried to reproduce it, it worked just fine for me.

Long story short, I was able to login as the user (and tried with others) and found that I could NOT do the same embed as the user, but had no problems as the Admin. The embed code started with <iframe>.

Does anyone know of some type of restrictions where only the Admin can use an embed code with the HTML button from TinyMCE?

When admin posts some content it doesn't go through HtmlPurifier, while all user's content is filtered - so no any js code allowed for the security reasons.

Please check the Dolphin version, in the past only <object... youtube embed code was checked.

If you don't plan to upgrade, then you can upload /plugins/htmlpurifier/ folder from the latest version and update code in clear_xss function in /inc/utils.inc.php file to match the latest version as well.

 Rank has its privileges.   Back in the old days, admin posts were also filtered through htmlpurifier, but we finally convinced boonex that admins  should be allowed to screw up their own site by posting any bizarre or malicious code they damn well pleased.  That privilege can never be extended to regular lowlife members though by allowing the posting of iframe code without some sort of safeguards.

Here is a relevant ticket I entered a little while ago: http://www.boonex.com/trac/dolphin/ticket/3479

I see it's still on the to-do list, so I guess we'll see some sort of implementation in DP 7.2, which will allow admins to add a whitelist of urls from which to alllow iframe embed code... which of course will be filtered through htmlpurifier to remove any undesirable code.

I am running 7.1.6 right now. I guess it's really not a big deal but did have me wondering why its possible for me but not others. Thank you for the explanation.

Here's a few changes I made to my /inc/utils.inc.php to allow iframe embed code from youtube, vimeo and twitch.tv

If you have a lot of sites to whitelist, this method gets a bit tedious.... that's why I entered the ticket.  For just a few sites it's no problem.

    // HTML Purifier plugin
    global $oHtmlPurifier;
    require_once( BX_DIRECTORY_PATH_PLUGINS . 'htmlpurifier/HTMLPurifier.standalone.php' );
    if (!isset($oHtmlPurifier)) {

        HTMLPurifier_Bootstrap::registerAutoload();

        $oConfig = HTMLPurifier_Config::createDefault();

 $oConfig->set('HTML.SafeIframe', 'true');
        $oConfig->set('HTML.SafeObject', 'true');
        $oConfig->set('Output.FlashCompat', 'true');
        $oConfig->set('HTML.FlashAllowFullScreen', 'true');
        if (getParam('sys_antispam_add_nofollow')) {
            $sHost = parse_url(BX_DOL_URL_ROOT, PHP_URL_HOST);
            $oConfig->set('URI.Host', $sHost);
            $oConfig->set('HTML.Nofollow', 'true');
        }

 $oConfig->set('URI.SafeIframeRegexp', '%^(https?:)?//(www\.youtube(?:-nocookie)?\.com/embed/|player\.vimeo\.com/video/|www\.twitch\.tv)%'); //allow YouTube and Vimeo and twitch.tv //        $oConfig->set('URI.SafeIframeRegexp', '%^(https?:)?//(www\.youtube(?:-nocookie)?\.com/embed/|player\.vimeo\.com/video/)%'); //allow YouTube and Vimeo
//        $oConfig->set('Filter.Custom', array (new HTMLPurifier_Filter_LocalMovie(), new HTMLPurifier_Filter_YouTube(), new HTMLPurifier_Filter_YoutubeIframe()));

It was discovered that htmlpurifier filter couldn't detect embed codes when "Enable privacy-enhanced mode" option on YouTube was enabled.

The filter was updated - http://www.boonex.com/trac/dolphin/ticket/3534

You can also download attached file and upload it to the /plugins/htmlpurifier/standalone/HTMLPurifier/Filter/ folder.

SafeIframe option will be available in Dolphin 7.2.1:

https://github.com/boonex/dolphin.pro/issues/55