Creative Juices Bo. Co.

Satisfy Your Thirst For Something Refreshing!

How InvalidTag Destroyed My Morning

Incorrectly Blaming TinyMCE for My InvalidTag Problems

My entire morning was wasted on a perplexing little problem I was having trying to get TinyMCE to embed YouTube videos for one of my clients. I must have tried a gazillion different little hacks, mods and anything I could think of, but each time I hit the submit button, it seems as if the <object> and <embed> tags were being converted to <InvalidTag>. No matter what settings I used in the TinyMCE init script, it still was converting these tags. Guess what? It wasn't TinyMCE at all. It was ColdFusion all along! Go figure.

My client is on a shared hosting plan and I guess one of the options in the ColdFusion admin is to turn on a little security feature called "Enable Global Script Protection". Well, as it turns out, this converts these tags to <InvalidTag>. So, if your running into this issue (and maybe this is something that goes on with other server technologies besides ColdFusion), double-check to make sure that the tags aren't being converted server-side.

Since my client was on a shared hosting plan, there wasn't much I could do to get them to turn of the script protection setting. What I wound up doing is adding an onSubmit event to tinyMCE.init(). This in turn calls a function that does a little tag substitution prior to submitting it to the server. This is what I'm using:

tinyMCE.init({
   ... all my other settings ...
   setup : function(ed) {
      ed.onSubmit.add(function(ed, e) {
         doCleanTinyMCECleanUp(e.target);
      });
   }
});

Then I had to create the doCleanTinyMCECleanUp function. All I did here, was swap out the <object> and <embed> tags with something I could search and replace easily on the server side... You can change this to whatever you want, but I just added a simple little prefix before the tag name, like so:

function doCleanTinyMCECleanUp(frm) {
   frm.MY_FIELD_NAME.value = frm.MY_FIELD_NAME.value.replace("<object","<XXX_OBJECT");
   frm.MY_FIELD_NAME.value = frm.MY_FIELD_NAME.value.replace("<embed","<XXX_EMBED");
}

Once the form was submitted to my ColdFusion script, all I had to do is change the fake tags back to their correct names, like so:

<cfset form.MY_FIELD_NAME = ReplaceNoCase(form.MY_FIELD_NAME,"<XXX_OBJECT","<object","ALL") />
<cfset form.MY_FIELD_NAME = ReplaceNoCase(form.MY_FIELD_NAME,"<XXX_EMBED","<embed","ALL") />

As of this writing, I'm not sure exactly all of the tags that this ColdFusion setting changes, but at least using this simple little method, I can be prepared to add them easily as more are discovered.

Hope this helps anyone else having this issue, this one was another doozy!

UPDATE: It looks like ColdFusion's cross script protection changes these tags: object, embed, script, applet and meta.