oorzaak
1 Dec 2022

Steps to reproduce the issue

  • In a fresh J.4 installation:
  • In System > Global Configuration > TextFilters, set FilterType for ALL user groups to: No Filtering.
  • In System > Global Configuration > Site, set Default Editor to: Editor - None (ruling out any editor specific behaviour, so you will be editing in code).
  • Create a frontend user and make sure he is allowed to frontend edit articles.
  • Create a test article and make sure that the user is able to frontend edit this article, initially only using some "lorem ipsum" words.
  • You should be able to edit and save the article, please check this first.
  • Now, edit the article again on the frontend and add an iframe to your content, e.g. copy an example from this W3C page: https://www.w3schools.com/tags/tag_iframe.ASP and click Save or Save and exit.
  • You can repeat this with adding embed and script tags.

Expected result

  • I expect the article to be saved, including the iframe, as no filter is set.

Actual result

  • I get this error message: "Forbidden. You don't have permission to access this resource."
  • Also, the url looks like this: https://my-site.com/my-page?a_id=1
  • When enabling the Debug System I do not get any additional info; neither does the server Error Reporting add any info.
  • I also get this error if I Cancel editing instead of saving.

System information (as much as possible)

  • Joomla 4.2.5
  • PHP 8.0

Additional comments

Note 1: I did not try all tags from the Default Forbidden list. However, I found this error with the iframe, embed and script tags. Tags that did NOT result in this error are html, xml and meta. So it seems to be limited to specific tags.

Note 2: When trying the same procedure with the iframe in the backend, the article is saved as expected, including the iframe. When I re-enable the default TextFilters and I try to save the article containing the iframe in the backend, the iframe is filtered out of the content as expected, but no error message is shown (which is also as expected). So the issue seems to be frontend related only.

oorzaak - open - 1 Dec 2022
oorzaak - change - 1 Dec 2022
Labels Removed: ?
joomla-cms-bot - change - 1 Dec 2022
Labels Added: No Code Attached Yet
joomla-cms-bot - labeled - 1 Dec 2022

brianteeman - comment - 1 Dec 2022

Unable to replicate

oorzaak - comment - 1 Dec 2022

Hi Brian, thx for testing this issue. Quite remarkable to hear that you cannot replicate it; wish I knew what's the difference with your situation so it could be solved at our end as well...


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/39339.

oorzaak - comment - 2 Dec 2022

Update: turns out to be hosting dependent. I transferred the site to other hosting and then it works correctly.

Does anyone have a suggestion as to which hosting or PHP setting might be responsible for this behavior? The hosting I'm on is quite decent in general.


brianteeman - comment - 2 Dec 2022

OK, in that case the problem will almost certainly be the host's mod_security settings. They can verify this from their mod_security logs.
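
One way to carry out the log check suggested above, as an added example that is not part of the original thread or of Joomla: it extracts the "Access denied" entries from an Apache error log written by ModSecurity 2.x and lists which rule ids blocked a given host and URI. The sample log lines, rule ids and messages (modelled on OWASP CRS rules), file paths and the `jform[articletext]` field name are constructed assumptions; only the host `my-site.com` and path `/my-page` come from the report.

```python
import re
from collections import defaultdict

# Constructed sample in the Apache error-log layout written by ModSecurity 2.x.
# Rule ids and messages are modelled on OWASP CRS rules (an assumption about
# the host's rule set); the field name jform[articletext] is also assumed.
SAMPLE_LOG = r'''
[Fri Dec 02 10:15:01.120000 2022] [:error] [pid 4021] [client 203.0.113.5:51844] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)<iframe" at ARGS:jform[articletext]. [file "/etc/modsecurity/rules/xss.conf"] [line "82"] [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [severity "CRITICAL"] [hostname "my-site.com"] [uri "/my-page"] [unique_id "constructed-1"]
[Fri Dec 02 10:16:12.480000 2022] [:error] [pid 4021] [client 203.0.113.5:51846] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)<script" at ARGS:jform[articletext]. [file "/etc/modsecurity/rules/xss.conf"] [line "40"] [id "941110"] [msg "XSS Filter - Category 1: Script Tag Vector"] [severity "CRITICAL"] [hostname "my-site.com"] [uri "/my-page"] [unique_id "constructed-2"]
[Fri Dec 02 10:16:40.000000 2022] [php:notice] [pid 4021] [client 203.0.113.5:51850] PHP Notice: constructed unrelated line
[Fri Dec 02 10:17:03.910000 2022] [:error] [pid 4022] [client 198.51.100.7:40112] [client 198.51.100.7] ModSecurity: Warning. Pattern match "^[\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/modsecurity/rules/protocol.conf"] [line "12"] [id "920350"] [msg "Host header is a numeric IP address"] [severity "WARNING"] [hostname "192.0.2.10"] [uri "/"] [unique_id "constructed-3"]
[Fri Dec 02 10:18:55.300000 2022] [:error] [pid 4023] [client 198.51.100.7:40120] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)<script" at ARGS:q. [file "/etc/modsecurity/rules/xss.conf"] [line "40"] [id "941110"] [msg "XSS Filter - Category 1: Script Tag Vector"] [severity "CRITICAL"] [hostname "my-site.com"] [uri "/search"] [unique_id "constructed-4"]
'''

DENY_RE = re.compile(r'ModSecurity: Access denied with code (\d{3}) \(phase (\d)\)')
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')    # [id "941110"], [uri "/x"], ...
VAR_RE = re.compile(r'\bat ([A-Z_]+(?::\S+)?)\. \[')     # request variable that matched
CLIENT_RE = re.compile(r'\[client ([\d.]+)')             # IPv4 only, port dropped

def parse_denials(log_text):
    """Return one dict per 'Access denied' entry; all other lines are skipped."""
    denials = []
    for line in log_text.splitlines():
        deny = DENY_RE.search(line)
        if not deny:
            continue  # PHP notices, ModSecurity warnings, blank lines
        tags = dict(TAG_RE.findall(line))
        var = VAR_RE.search(line)
        client = CLIENT_RE.search(line)
        denials.append({
            "status": int(deny.group(1)),
            "phase": int(deny.group(2)),
            "rule_id": tags.get("id"),
            "msg": tags.get("msg"),
            "host": tags.get("hostname"),
            "uri": tags.get("uri"),
            "variable": var.group(1) if var else None,
            "client": client.group(1) if client else None,
        })
    return denials

def rules_blocking(denials, host, uri):
    """Map rule id -> set of request variables it matched for one host and URI."""
    hits = defaultdict(set)
    for d in denials:
        if d["host"] == host and d["uri"] == uri and d["status"] == 403:
            hits[d["rule_id"]].add(d["variable"])
    return dict(hits)
```

The rule ids returned for the affected URI are what a host needs in order to write a targeted exclusion for that form field rather than switching mod_security off for the whole site.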

oorzaak - comment - 2 Dec 2022

Thanks, I will check this with them.

richard67 - comment - 3 Dec 2022

So we can close this issue as not an issue with the CMS?

oorzaak - comment - 5 Dec 2022

Hi,

I waited for my provider before answering this topic. It was in the mod_security indeed, as Brian suggested. So it was not the cms and for me the issue can be closed.

I cannot judge if this setting would be a "bad practice" of my provider, and if this would happen often on other hostings.
In that case, maybe we could warn other Joomlers in the documentation or something?

Anyway, thanks for your help!

richard67 - close - 5 Dec 2022

richard67 - comment - 5 Dec 2022

Closing as not a core issue. Thanks for reporting back.

richard67 - change - 5 Dec 2022
Status: New -> Closed
Closed_Date: 0000-00-00 00:00:00 -> 2022-12-05 18:37:56
Closed_By: richard67
