Why is BuddyPress stripping my object or embed tags?
-
BuddyPress looks great. Congrats!
I’m trying to transfer a social networking site built around the lastest WordPress to BuddyPress, but BuddyPress strips all the <object …></object> code from my blog posts.
I have Blip.tv video in most of my posts. They all disappear when I import them into BuddyPress.
I managed to get them into BuddyPress by copy/pasting the entire MySQL table, but then when I edit a post, the video disappears again.
What is going on? Is there an overzealous setting against object tags somewhere that I can turn off?
Regular WP used to mess with objects, but recent versions leave them alone. With BuddyPress they disappear entirely. What’s different?
edit:
It’s the same problem with an embed tag like this:
<embed src=”http://blip.tv/play/videocode” type=”application/x-shockwave-flash” width=”400″ height=”225″ allowscriptaccess=”always” allowfullscreen=”true”></embed>
-
Apparently it’s an underdocumented peculiarity of WordPress MU.
It’s a security hole and it’s closed by default. If you choose to open it you can modify the filters that bp uses. Example is the forums filter system:
bp_forums_add_allowed_tags() in ../bp-forums/bp-forums-filters.php is the filter you can extend.
function my_allowed_tags($allowedtags){
$allowedtags = array();
return $allowedtags;
}
add_filter( ‘edit_allowedtags’, ‘my_allowed_tags’ );
Create a file called bp-custom.php and put it in the /mu-plugins directory with the rest of the main bp files. Put that function in there. It’ll get loaded by bp.
Other components have a /bp-<component>/bp-<component>-filters.php file also.
Sorry, Burtadsit, but can you break this down a bit more for the truly moronic like me? I’m having the same problem and I have installed vipers-video-quicktags which is nicely displaying all the various video icons in my visual editor. It is working correctly, but when the post is saved the code disappears as above. Now you say it’s a security hole. I don’t want to open up something bad, but I do want to easily add video to my posts. I don’t want to do anything with the forums.
Is this the entire code I put in a bp-custom.php file?:
function my_allowed_tags($allowedtags){
$allowedtags[’embed’] = array();
return $allowedtags;
}
add_filter( ‘edit_allowedtags’, ‘my_allowed_tags’ );
I’m confused as why you mentioned bp-forums.
And again, I really don’t want to open up something bad. What are the implications of adding this?
Thanks in advance. I know I ask pretty dumb questions.
For me the Unfiltered MU plugin solved the problem.
Ah. Cool. Probably does the same thing as the little filter above.
Unfiltered MU did not work for me. I will try what you originally suggested, Burt
Well, I should say I was trying to apply this technique to the Wire to allow img tags. No dice though. Any help would be great
The Google Maps Quicktags plugin
http://www.remotesensingtools.com/2007/08/22/wordpress-plugin-google-maps-quicktag/
takes care of this problem (which would also affect embedded Google Maps).
Running into this annoying problem again and the Unfiltered MU plugin no longer seems to work.
I was able to find a work around for this by using custom fields since it does not strip the codes. I have it working on my web tv-social networking site that mostly uses embedded videos, http://piyesta.com/sadyatv.
How do you mean using custom fields?
I’m trying to import 180+ existing posts, most of them with embedded video.
I still have to try Burt Adsit’s manual solution as a last resort, but if Unfiltered MU doesn’t work it’s unlikely code in bp-custom would work.
Solved it by adding the following under ‘allowedposttags = array’ in kses.php:
'object' => array (
'id' => array (),
'classid' => array (),
'data' => array (),
'type' => array (),
'width' => array (),
'height' => array (),
'allowfullscreen' => array ()),
'param' => array (
'name' => array (),
'value' => array ()),
'embed' => array (
'id' => array (),
'style' => array (),
'src' => array (),
'type' => array (),
'height' => array (),
'width' => array (),
'quality' => array (),
'name' => array (),
'flashvars' => array (),
'allowscriptaccess' => array (),
'allowfullscreen' => array ()),
'script' => array (
'type' => array ()),There’s a reason why the embed and object tags are disabled by default, Peter.
If you’re going to open up your BP network to any user, they can potentially exploit those tags and do all kinds of nasty stuff.
The Unfiltered MU plugin works for admins and editors in WordPress, but it depends what BP component you’re trying to use the embed/object tags in BP.
Burt’s solution is the preferred method.
Yes. Changing that bit in kses.php will let anyone use those tags almost everywhere on the site, so you’ve been warned.
The Unfiltered MU plugin works for admins and editors in WordPress, but it depends what BP component you’re trying to use the embed/object tags in BP.
The Unfiltered MU plugin did not work for importing blog posts anymore. I needed a way to import 180+ post, most of them with embedded video on Blip.tv.
Yes, security is important, but if it wipes out 80% of my blog something’s gotta give.
I’ll remove the code from kses.php and let the Unfiltered MU plugin take over for just the main blog. Or wouldn’t that work? Would I have to start all over again, manually remove 180+ messed up posts?
How can I turn the object/embed tag stripping off in Buddypress’ main blog? I’m not trying to use the tags in a Buddypress component, only in the main blog. Or is that a component as well? Confused…
Like Zenseeker, I couldn’t make sense of Burt Adsit’s solution.
Hey Peter,
Have you tried enabling the Unfiltered MU plugin in the blog in question before you imported your posts?
Burt’s solution applies only to BP components, so if you’re not using object or embed tags in any BP component don’t worry about it.
Have you tried enabling the Unfiltered MU plugin in the blog in question before you imported your posts?
Yes, of course. That used to work, but no longer.
I’m not using object/embed in any BP component. My original question was about the blog as well. I’d posted the question here because I hadn’t seen the same problem in WP.
Hmm… interesting. I’ll have to make note of this for my own needs as well!
Anyway, you don’t have to hack the kses.php file, you could use an mu-plugin like Embed Allower:
Or Allow Embedded Videos:
If you’re just looking to post video code, there’s plenty of video embed plugins for regular WordPress that work just fine in MU.
this is one I use often:
https://wordpress.org/extend/plugins/wordpress-video-plugin/
No, the problem is importing 180+ posts, most of them with object and embed tags.
Initially I was hosting my own videos and I still want to keep that option. There doesn’t seem to be a plugin for that.
And I’m a bit reluctant to fall back to yet another plugin for something that should be standard html. If it causes security issues, WP should come up with smarter ways to deal with them instead of just erasing 80% of my posts.
If these plugins are so effective, has anyone integrated them with export/import, so that object/embed tags are automatically converted to safe tags?
I’m happy to keep my own blog “unsafe” and block object/embed for other blogs on the system. If someone could fix Unfiltered MU so I can do that again, that would solve my headache.
I know in the past, Unfiltered MU has been working just dandy. Only recently have people found any bugs, but no one’s been able to narrow it down and let the dev of the plugin know about it so he can fix it.
Quoted by Jomark “
I was able to find a work around for this by using custom fields since it does not strip the codes. I have it working on my web tv-social networking site that mostly uses embedded videos, http://piyesta.com/sadyatv.”
Would you mind sharing your tips and tricks on how you did this. I have tried uploading the above plugins and have tried adding the allowed tags, nothing seems to work properly. The embed videos are not embedding. I like what you have on your site.. How did you create a new custom field and implemented in to the default theme? Thanks!
You just use this very light plugin, http://www.matteoionescu.com/wordpress/embed-html/ or https://wordpress.org/extend/plugins/custom-fields-shortcode/ . I have used the latter.
It makes use of the custom field in embedding videos.
Thanks!
I was not able to get any of these to work? I am fairly fimilular with the coding but no luck…has any succeeded with this?
- The topic ‘Why is BuddyPress stripping my object or embed tags?’ is closed to new replies.