I have used HTMLpurifier before on a different app. In that app one configured HTMLpurifier by the method outlined in the HTMLpurifier documentation. However, from reading the forum I get the impression that one configures HTMLpurifier in some other manner on Dolphin.
I thought HTMLpurifier on Dolphin was set up to block iframes out of the box. However, I had a test user to embed an iframe. I decided to test it and yes, one was able to write a blog post and include an iframe and it saved out with the iframe intact. This is a big security hole for a public website with multiple users so I need to make sure iframes are not allowed.
Geeks, making the world a better place
didn't you change a lot of your core files? something about Tiny..
ManOfTeal.COM a Proud UNA site, six years running strong!
I just tried to insert an iframe into a blog on here http://mynewbeetle.net/7.1/blogs/posts/Michael_Google
you try to do it under the demo account please..
user: demo
pass: demo1
I cannot get it to stay, the purifier is removing it..
ManOfTeal.COM a Proud UNA site, six years running strong!
didn't you change a lot of your core files? something about Tiny..
No, nothing that would affect HTMLpurifier. TinyMCE was upgraded but HTMLpurifier is supposed to clean up the HTML that TinyMCE doesn't. TinyMCE is the first layer, HTMLpurifier is the second layer. I will have to go to HTMLpurifier and read their docs again and then check against Dolphin, considering they did not make any changes, such as setting configuration in some other file. Let me check the Dolphin docs again too.
Geeks, making the world a better place
I just tried to insert an iframe into a blog on here http://mynewbeetle.net/7.1/blogs/posts/Michael_Google
you try to do it under the demo account please..
user: demo
pass: demo1
I cannot get it to stay, the purifier is removing it..
I tested it on the site. TinyMCE did not strip out the iframe; however, HTMLpurifier did. So something is broken with mine. Thanks.
Geeks, making the world a better place
I tested on a test site of Dolphin 7.0.9 where I know HTMLpurifier has not been touched.
Geeks, making the world a better place
I tested on a test site of Dolphin 7.0.9 where I know HTMLpurifier has not been touched.
Well what happened? lol
When I try on 7.0.9, I get an error icon and it will not submit.
[edit] I created a demo account on another site, www.webcamhowto.com/blogs/
login: demo password: demo1
please try and post the iframe there..
ManOfTeal.COM a Proud UNA site, six years running strong!
Maybe my copy wasn't clean; let me check that first.
Geeks, making the world a better place
I downloaded a fresh copy of Dolphin 7.0.9 and deleted the HTMLpurifier folder on the server and uploaded a clean copy. Posted a blog with an iframe without breaking a sweat.
So, the HTMLpurifier configuration must be stored somewhere other than in the HTMLpurifier. Where, tell me where please?
Geeks, making the world a better place
OK, I just went to the Dolphin 7.1 site, which has had NO MODIFICATIONS AT ALL, and I was able to embed a website in a blog using an iframe.
What does this mean? Is it my host provider?
Geeks, making the world a better place
Admin account posts are not filtered by htmlpurifier.
My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
FYI. HTMLPurifier configuration is in /inc/utils.inc.php
If you keep an unzipped copy of D7 on your computer, you can use a file search program like Agent Ransack to find out these sorts of things a whole lot faster
My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
Admin account posts are not filtered by htmlpurifier.
[smacks head hard against a brick wall]
Thank you. I do have a test user for the purpose of testing out the site that does not have admin rights. I need to be testing such things with that test user. However, what started this was that a standard user had posted a YouTube video using the YouTube iframe code. I thought that HTMLpurifier was set to strip out iframes including YouTube and I had not done any modifications to the config.
Thank you for the location of the config file.
Geeks, making the world a better place
FYI. HTMLPurifier configuration is in /inc/utils.inc.php
If you keep an unzipped copy of D7 on your computer, you can use a file search program like Agent Ransack to find out these sorts of things a whole lot faster
I use PSpad as my editor and it does allow you to search through files in a folder for words and phrases. I have used it as such a tool for trying to locate things. I will take a look at the app you mentioned.
Thanks for your help.
Geeks, making the world a better place
My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
Also FYI, a while back, I posted a new filter addon for HTMLpurifier in the tips forum, that will allow posting of the new YouTube and Vimeo iframe embed code.
My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
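The two behaviours discussed in this thread, HTMLPurifier dropping every iframe with its default configuration and an allow-list that lets only YouTube and Vimeo embeds through, can be checked outside Dolphin with the stand-alone library. This is an added example, not Dolphin's code and not the filter addon mentioned above; it uses HTMLPurifier's own HTML.SafeIframe / URI.SafeIframeRegexp directives (HTMLPurifier 4.4 or later) and assumes the library path and the constructed sample posts shown.

```php
<?php
// Added example: assumes the stand-alone HTMLPurifier library at this path.
require_once __DIR__ . '/htmlpurifier/library/HTMLPurifier.auto.php';

// Constructed sample posts: plain markup, a YouTube embed (placeholder ID),
// and an iframe pointing at an arbitrary third-party page.
const SAMPLE_POSTS = [
    'plain'   => '<p>Hello <b>world</b></p>',
    'youtube' => '<iframe src="https://www.youtube.com/embed/VIDEO_ID" width="560" height="315"></iframe>',
    'other'   => '<iframe src="https://example.com/"></iframe>',
];

// Default configuration: iframe is not an allowed element, so any iframe
// (YouTube or otherwise) is removed. This is the "out of the box" behaviour.
function strictPurifier(): HTMLPurifier
{
    return new HTMLPurifier(HTMLPurifier_Config::createDefault());
}

// Allow-list configuration: iframes survive only when their src matches the
// regexp, so YouTube/Vimeo embeds pass while other hosts are still stripped.
function embedPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.SafeIframe', true);
    $config->set('URI.SafeIframeRegexp',
        '%^(https?:)?//(www\.youtube(?:-nocookie)?\.com/embed/|player\.vimeo\.com/video/)%');
    return new HTMLPurifier($config);
}

// Returns true when the purified output still contains an iframe element.
function keepsIframe(HTMLPurifier $purifier, string $html): bool
{
    return stripos($purifier->purify($html), '<iframe') !== false;
}

// Run both configurations over every sample. Note that the purifier is the
// only thing deciding here; the thread's point about admin posts bypassing
// the filter is a Dolphin behaviour, not an HTMLPurifier one, so a check like
// this must be applied to every author's input to be meaningful.
foreach (['strict' => strictPurifier(), 'embed' => embedPurifier()] as $mode => $purifier) {
    foreach (SAMPLE_POSTS as $name => $html) {
        printf("%-6s %-8s %s\n", $mode, $name,
            keepsIframe($purifier, $html) ? 'iframe kept' : 'iframe removed');
    }
}
```

Expected outcome: the strict purifier removes the iframe from both embed samples, while the allow-list purifier keeps only the YouTube one.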