Skip to:
Content
Pages
Categories
Search
Top
Bottom

Why is BuddyPress stripping my object or embed tags?


  • peterverkooijen
    Participant

    @peterverkooijen

    BuddyPress looks great. Congrats!

    I’m trying to transfer a social networking site built around the lastest WordPress to BuddyPress, but BuddyPress strips all the <object …></object> code from my blog posts.

    I have Blip.tv video in most of my posts. They all disappear when I import them into BuddyPress.

    I managed to get them into BuddyPress by copy/pasting the entire MySQL table, but then when I edit a post, the video disappears again.

    What is going on? Is there an overzealous setting against object tags somewhere that I can turn off?

    Regular WP used to mess with objects, but recent versions leave them alone. With BuddyPress they disappear entirely. What’s different?

    edit:

    It’s the same problem with an embed tag like this:

    <embed src=”http://blip.tv/play/videocode&#8221; type=”application/x-shockwave-flash” width=”400″ height=”225″ allowscriptaccess=”always” allowfullscreen=”true”></embed>

Viewing 25 replies - 1 through 25 (of 27 total)

  • peterverkooijen
    Participant

    @peterverkooijen

    Apparently it’s an underdocumented peculiarity of WordPress MU.


    Burt Adsit
    Participant

    @burtadsit

    It’s a security hole and it’s closed by default. If you choose to open it you can modify the filters that bp uses. Example is the forums filter system:

    bp_forums_add_allowed_tags() in ../bp-forums/bp-forums-filters.php is the filter you can extend.

    function my_allowed_tags($allowedtags){

    $allowedtags = array();

    return $allowedtags;

    }

    add_filter( ‘edit_allowedtags’, ‘my_allowed_tags’ );

    Create a file called bp-custom.php and put it in the /mu-plugins directory with the rest of the main bp files. Put that function in there. It’ll get loaded by bp.

    Other components have a /bp-<component>/bp-<component>-filters.php file also.


    zenseeker
    Participant

    @zenseeker

    Sorry, Burtadsit, but can you break this down a bit more for the truly moronic like me? I’m having the same problem and I have installed vipers-video-quicktags which is nicely displaying all the various video icons in my visual editor. It is working correctly, but when the post is saved the code disappears as above. Now you say it’s a security hole. I don’t want to open up something bad, but I do want to easily add video to my posts. I don’t want to do anything with the forums.

    Is this the entire code I put in a bp-custom.php file?:

    function my_allowed_tags($allowedtags){

    $allowedtags[’embed’] = array();

    return $allowedtags;

    }

    add_filter( ‘edit_allowedtags’, ‘my_allowed_tags’ );

    I’m confused as why you mentioned bp-forums.

    And again, I really don’t want to open up something bad. What are the implications of adding this?

    Thanks in advance. I know I ask pretty dumb questions.


    peterverkooijen
    Participant

    @peterverkooijen

    For me the Unfiltered MU plugin solved the problem.


    Burt Adsit
    Participant

    @burtadsit

    Ah. Cool. Probably does the same thing as the little filter above.


    Roy McKenzie
    Participant

    @roymckenzie

    Unfiltered MU did not work for me. I will try what you originally suggested, Burt


    Roy McKenzie
    Participant

    @roymckenzie

    Well, I should say I was trying to apply this technique to the Wire to allow img tags. No dice though. Any help would be great


    jugoretz
    Participant

    @jugoretz

    The Google Maps Quicktags plugin

    http://www.remotesensingtools.com/2007/08/22/wordpress-plugin-google-maps-quicktag/

    takes care of this problem (which would also affect embedded Google Maps).


    peterverkooijen
    Participant

    @peterverkooijen

    Running into this annoying problem again and the Unfiltered MU plugin no longer seems to work.


    Jomark
    Participant

    @jomark

    I was able to find a work around for this by using custom fields since it does not strip the codes. I have it working on my web tv-social networking site that mostly uses embedded videos, http://piyesta.com/sadyatv.


    peterverkooijen
    Participant

    @peterverkooijen

    How do you mean using custom fields?

    I’m trying to import 180+ existing posts, most of them with embedded video.

    I still have to try Burt Adsit’s manual solution as a last resort, but if Unfiltered MU doesn’t work it’s unlikely code in bp-custom would work.


    peterverkooijen
    Participant

    @peterverkooijen

    Solved it by adding the following under ‘allowedposttags = array’ in kses.php:

    'object' => array (
    'id' => array (),
    'classid' => array (),
    'data' => array (),
    'type' => array (),
    'width' => array (),
    'height' => array (),
    'allowfullscreen' => array ()),
    'param' => array (
    'name' => array (),
    'value' => array ()),
    'embed' => array (
    'id' => array (),
    'style' => array (),
    'src' => array (),
    'type' => array (),
    'height' => array (),
    'width' => array (),
    'quality' => array (),
    'name' => array (),
    'flashvars' => array (),
    'allowscriptaccess' => array (),
    'allowfullscreen' => array ()),
    'script' => array (
    'type' => array ()),


    r-a-y
    Keymaster

    @r-a-y

    There’s a reason why the embed and object tags are disabled by default, Peter.

    If you’re going to open up your BP network to any user, they can potentially exploit those tags and do all kinds of nasty stuff.

    The Unfiltered MU plugin works for admins and editors in WordPress, but it depends what BP component you’re trying to use the embed/object tags in BP.

    Burt’s solution is the preferred method.

    Yes. Changing that bit in kses.php will let anyone use those tags almost everywhere on the site, so you’ve been warned.


    peterverkooijen
    Participant

    @peterverkooijen

    The Unfiltered MU plugin works for admins and editors in WordPress, but it depends what BP component you’re trying to use the embed/object tags in BP.

    The Unfiltered MU plugin did not work for importing blog posts anymore. I needed a way to import 180+ post, most of them with embedded video on Blip.tv.

    Yes, security is important, but if it wipes out 80% of my blog something’s gotta give.

    I’ll remove the code from kses.php and let the Unfiltered MU plugin take over for just the main blog. Or wouldn’t that work? Would I have to start all over again, manually remove 180+ messed up posts?

    How can I turn the object/embed tag stripping off in Buddypress’ main blog? I’m not trying to use the tags in a Buddypress component, only in the main blog. Or is that a component as well? Confused…

    Like Zenseeker, I couldn’t make sense of Burt Adsit’s solution.


    r-a-y
    Keymaster

    @r-a-y

    Hey Peter,

    Have you tried enabling the Unfiltered MU plugin in the blog in question before you imported your posts?

    Burt’s solution applies only to BP components, so if you’re not using object or embed tags in any BP component don’t worry about it.


    peterverkooijen
    Participant

    @peterverkooijen

    Have you tried enabling the Unfiltered MU plugin in the blog in question before you imported your posts?

    Yes, of course. That used to work, but no longer.

    I’m not using object/embed in any BP component. My original question was about the blog as well. I’d posted the question here because I hadn’t seen the same problem in WP.


    r-a-y
    Keymaster

    @r-a-y

    Hmm… interesting. I’ll have to make note of this for my own needs as well!

    Anyway, you don’t have to hack the kses.php file, you could use an mu-plugin like Embed Allower:

    http://github.com/ceefour/embed_allower/blob/160f179357835bfb6eda26952ed972f674c19365/embed_allower.php

    Or Allow Embedded Videos:

    http://wpmudev.org/project/Allow-Embedded-Videos


    Andrea Rennick
    Participant

    @andrea_r

    If you’re just looking to post video code, there’s plenty of video embed plugins for regular WordPress that work just fine in MU.

    this is one I use often:

    https://wordpress.org/extend/plugins/wordpress-video-plugin/


    peterverkooijen
    Participant

    @peterverkooijen

    No, the problem is importing 180+ posts, most of them with object and embed tags.

    Initially I was hosting my own videos and I still want to keep that option. There doesn’t seem to be a plugin for that.

    And I’m a bit reluctant to fall back to yet another plugin for something that should be standard html. If it causes security issues, WP should come up with smarter ways to deal with them instead of just erasing 80% of my posts.

    If these plugins are so effective, has anyone integrated them with export/import, so that object/embed tags are automatically converted to safe tags?

    I’m happy to keep my own blog “unsafe” and block object/embed for other blogs on the system. If someone could fix Unfiltered MU so I can do that again, that would solve my headache.


    Andrea Rennick
    Participant

    @andrea_r

    I know in the past, Unfiltered MU has been working just dandy. Only recently have people found any bugs, but no one’s been able to narrow it down and let the dev of the plugin know about it so he can fix it.


    mqluvly
    Participant

    @mqluvly

    Quoted by Jomark “

    I was able to find a work around for this by using custom fields since it does not strip the codes. I have it working on my web tv-social networking site that mostly uses embedded videos, http://piyesta.com/sadyatv.&#8221;

    Would you mind sharing your tips and tricks on how you did this. I have tried uploading the above plugins and have tried adding the allowed tags, nothing seems to work properly. The embed videos are not embedding. I like what you have on your site.. How did you create a new custom field and implemented in to the default theme? Thanks!


    Jomark
    Participant

    @jomark

    You just use this very light plugin, http://www.matteoionescu.com/wordpress/embed-html/ or https://wordpress.org/extend/plugins/custom-fields-shortcode/ . I have used the latter.

    It makes use of the custom field in embedding videos.


    mqluvly
    Participant

    @mqluvly

    Thanks! :)


    jschires
    Participant

    @jschires

    I was not able to get any of these to work? I am fairly fimilular with the coding but no luck…has any succeeded with this?

Viewing 25 replies - 1 through 25 (of 27 total)
  • The topic ‘Why is BuddyPress stripping my object or embed tags?’ is closed to new replies.
Skip to toolbar