Hi,
I want to put a video on the first page of my journal.
This video is uploaded on another site and I have a script like this:
```
<div id="14918108329458270"><script type="text/JavaScript" src="https://www.aparat.com/embed/yp516?data[rnddiv]=14918108329458270&data[responsive]=yes"></script></div>
```
Do you have a suggestion for this?
You should be able to put this in the Journal’s “Website → Additional Content” settings, if you relax the `allowed_html` restrictions in `config.inc.php` to allow the `script` tag with `type` and `source` attributes, and the `id` attribute on the `div`.
```
; Allowed HTML tags for fields that permit restricted HTML.
; Use e.g. "img[src,alt],p" to allow "src" and "alt" attributes to the "img"
; tag, and also to permit the "p" paragraph tag. Unspecified attributes will be
; stripped.
allowed_html = "a[href|target|title],em,strong,cite,code,ul,ol,li[class],dl,dt,dd,b,i,u,img[src|alt],sup,sub,br,p"
```
Hi @ctgraham,
I did this, but when I add a script or div tag in Settings → Website → Announcements as code, nothing is added to that Announcements item.
Hmmm… yes, HTMLPurifier’s defaults will still prevent ids and script tags even if the allowed_html is modified.
This will require a code modification to the PKPString::stripUnsafeHtml() function in lib/pkp/classes/core/PKPString.inc.php:
```php
/**
 * Strip unsafe HTML from the input text. Covers XSS attacks like scripts,
 * onclick(...) attributes, javascript: urls, and special characters.
 * @param $input string input string
 * @return string
 */
static function stripUnsafeHtml($input) {
	require_once('lib/pkp/lib/vendor/ezyang/htmlpurifier/library/HTMLPurifier.path.php');
	require_once('HTMLPurifier.includes.php');
	static $purifier;
	if (!isset($purifier)) {
		$config = HTMLPurifier_Config::createDefault();
		$config->set('Core.Encoding', Config::getVar('i18n', 'client_charset'));
		$config->set('HTML.Doctype', 'HTML 4.01 Transitional');
		$config->set('HTML.Allowed', Config::getVar('security', 'allowed_html'));
		$config->set('Cache.SerializerPath', 'cache');
		$purifier = new HTMLPurifier($config);
	}
	return $purifier->purify($input);
}
```
The configuration options are documented here:
http://htmlpurifier.org/live/configdoc/plain.html
You’re probably interested in “EnableID” and “SafeScripting”.
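One way to apply the “EnableID” and “SafeScripting” options mentioned above, written as a stand-alone check (an added example, not part of the original thread and not OJS's own code). `buildEmbedPurifier`, `EMBED_SRC`, the sample `allowed_html` value and the test inputs are constructed for illustration, and `Attr.ID.HTML5` assumes the bundled HTMLPurifier release provides that directive.

```php
<?php
// Added example, not OJS code. Run from the OJS base directory so that the
// bundled HTMLPurifier (paths as quoted in the thread) can be loaded.
require_once('lib/pkp/lib/vendor/ezyang/htmlpurifier/library/HTMLPurifier.path.php');
require_once('HTMLPurifier.includes.php');

// The one external script allowed through. HTML.SafeScripting matches src
// values exactly, so the query string is part of the allowlist entry.
const EMBED_SRC = 'https://www.aparat.com/embed/yp516?data[rnddiv]=14918108329458270&data[responsive]=yes';

// Hypothetical helper: the purifier setup from stripUnsafeHtml() plus the
// two options named in the thread.
function buildEmbedPurifier(string $allowedHtml): HTMLPurifier {
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Doctype', 'HTML 4.01 Transitional');
    $config->set('HTML.Allowed', $allowedHtml);
    // Registers <script>, but only with a src from this list.
    $config->set('HTML.SafeScripting', array(EMBED_SRC));
    // Keep id attributes, which are stripped by default.
    $config->set('Attr.EnableID', true);
    // Assumption: the bundled HTMLPurifier has this directive. Without it,
    // ids must start with a letter and the numeric id above is dropped.
    $config->set('Attr.ID.HTML5', true);
    // Skip the definition cache so this check needs no writable directory.
    $config->set('Cache.DefinitionImpl', null);
    return new HTMLPurifier($config);
}

// Constructed allowed_html value and constructed test inputs.
$purifier = buildEmbedPurifier('div[id],script[type|src],p,a[href|target|title]');
$samples = array(
    'embed from the thread' => '<div id="14918108329458270"><script type="text/JavaScript" src="'
        . htmlspecialchars(EMBED_SRC) . '"></script></div>',
    'script from other URL' => '<script type="text/javascript" src="https://example.org/widget.js"></script>',
    'inline script'         => '<p>a</p><script type="text/javascript">document.title = "x";</script>',
    'event handler'         => '<div id="box" onclick="document.title = \'x\'">text</div>',
);

// Print what survives purification for each sample.
foreach ($samples as $label => $html) {
    printf("%-22s => %s\n", $label, $purifier->purify($html));
}
```

Because `stripUnsafeHtml()` is shared, the relaxed rules apply to every field that uses it, which is why the allowlist holds a single exact URL rather than a host or pattern.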
Hi, may I know how to relax the allowed_html restrictions? I am new to OJS, and I would appreciate it if you could help me.
See the instructions in config.inc.php here:
```
; Allowed HTML tags for fields that permit restricted HTML.
; Use e.g. "img[src,alt],p" to allow "src" and "alt" attributes to the "img"
; tag, and also to permit the "p" paragraph tag. Unspecified attributes will be
; stripped.
allowed_html = "a[href|target|title],em,strong,cite,code,ul,ol,li[class],dl,dt,dd,b,i,u,img[src|alt],sup,sub,br,p"
```
Note that HTMLPurifier will continue to remove some tags and attributes (such as `script` and `id`) without a local change to the code as described in this thread.