Stripping tags from ephox fields on save

I’ve read in the Ephox developer’s guide that it’s possible to write a plug-in to manipulate the content of an Ephox EditLive! field, but I was wondering if Percussion has already built an exit that would allow me to specify a tag group to be stripped.

Specifically, I’m looking for a way to deny users from adding < script > tags inline.

If an Ephox plug-in is the only solution, I suppose the next question is what to do about text only fields.

I realize we could strip it with a regex via the template, but I’d rather the end-user entering content actually see that the < script > tag has been removed.

Don’t worry! Ephox will automatically strip out all <SCRIPT> tags whether you want it to or not… no work required :slight_smile:

Don’t worry!
Ephox will automatically strip out all <SCRIPT> tags automatically, along with all sorts of other useful tags.

While this is good for you, many others are screaming at this functionality and sometimes resorting to using text-area fields to add scrips etc. to content items.


Something is going very wrong with my posts here!

Third time lucky…

Don’t worry!
Ephox will automatically strip out all SCRIPT tags along with other useful user-added ones. This is default behaviour and so there is no work for you to do. Users might add a script inot Ephox but on save the tags will be removed.

While this causes unknown headaches to other developers, a workaround is to have a text-area field that will output the fully coded script to the HEAD section of your page.


Well, then at some point, we must have allowed < script > tags because they’re not being stripped, but unfortunately, I don’t see any documentation on our end where that mod was made. So… if we allowed < script > tags, anybody know where that would have been done so I can remove it.

Thought I’d found it in rx_ephox.js in an array called “allowed”, but that’s not the case… That only applies to selected text for creating a hyperlink…

Right now the best way to do the post processing of this field would be with an input translation exit. Please contact Percussion Support to get further details on how to create a custom input translation exit.

Well, then at some point, we must have allowed < script > tags…

We found this issue after upgrading from 5.7 (and eWebEditPro) to 6.5.2 (and Ephox). Maybe something similar happened with you?

It was a lot easier to add additional code to the rich text editor in 5.7 with eWebEditPro, so when we migrated our content to the new system, the stripping out of < script > tags became very obvious very quickly. Never did find a proper fix, and instead set up the additional text-area field as a workaround.

And it’s not just < script > tags, we haven’t found a way to generate anchor links in Ephox (the icon in the toolbar does not work as expected) and have had real problems with setting up bulleted lists where each bullet has a link inline variant item (cannot have a < div > inside an < li >) so the change from eWebEditPro to Ephox has been a real eye-opener for us because of the additional and unexpected work involved.


We started out on 6.5, now on 6.5.2, so we don’t have any experience with the former wysiwyg editor. I guess what I’m curious about is that you say in your Rhythmyx (ahem, Percussion CM) implementation, script tags are stripped. In our implementation, they are not stripped. Strange things are afoot. I can only assume there’s a configuration option that we’ve tripped sometime in the past… I’ve contacted TS. Hopefully, they can shed some light.