Where are my iframe/script/embed tags?
Why does my content item not render any iframe, object, embed, or script tags?
On a public site, these tags are a cross-site scripting (XSS) risk, so Plone has filtered them since version 2.1. If your site has untrusted contributors, make sure you understand the security implications before you enable embed/script/object tags.
- In Plone 3.0, you can adjust this behaviour in the "HTML Filtering" control panel. This controls both the front-end and back-end filtering.
- In Plone 2.5, you can go to portal_transforms in the ZMI and edit the properties for the transform known as safe_html. Tag filtering can even be completely disabled in safe_html.
- In Plone 2.1.x, you can edit the VALID_TAGS and NASTY_TAGS lists in Products.CMFDefault.utils.py and restart Zope to change this. You should not do this for public sites.
If you are using a WYSIWYG content editor such as Kupu, there are further restrictions. You can learn more about how Plone filters tags by reading the How-to about HTML filtering options.
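The following is an added example, not Plone's own code: a small allowlist filter showing what this kind of tag filtering does to content. Only the names VALID_TAGS and NASTY_TAGS come from the text above; the list contents and every other name (VOID_TAGS, VALID_ATTRS, SAFE_SCHEMES, attr_ok, TagFilter, filter_html) are assumptions made for the illustration. Nasty elements are dropped together with their content, while unknown tags are stripped and their text is kept.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed lists (assumptions); only the two names come from Plone 2.1.x.
VALID_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li", "br"}
NASTY_TAGS = {"script", "object", "embed", "applet", "iframe"}
VOID_TAGS = {"br", "embed"}            # elements that never get a closing tag
VALID_ATTRS = {"href", "title"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}

def attr_ok(name, value):
    if name != "href":
        return name in VALID_ATTRS
    compact = "".join(c for c in value if ord(c) > 32)  # drop spaces/controls
    try:
        return urlsplit(compact).scheme in SAFE_SCHEMES
    except ValueError:                 # malformed URL: fail closed
        return False

class TagFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.nasty_depth = 0           # > 0 while inside a nasty element

    def handle_starttag(self, tag, attrs):
        if tag in NASTY_TAGS - VOID_TAGS:
            self.nasty_depth += 1      # drop the element and everything in it
        elif tag in VALID_TAGS and not self.nasty_depth:
            kept = "".join(f' {k}="{escape(v or "", quote=True)}"'
                           for k, v in attrs if attr_ok(k, v or ""))
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in NASTY_TAGS - VOID_TAGS:
            self.nasty_depth = max(0, self.nasty_depth - 1)
        elif tag in VALID_TAGS - VOID_TAGS and not self.nasty_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.nasty_depth:       # text of unknown tags is kept, escaped
            self.out.append(escape(data, quote=False))

def filter_html(markup):
    parser = TagFilter()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)
```

For the constructed input `<p>ok</p><script>alert(1)</script>`, `filter_html` returns `<p>ok</p>`. An unclosed nasty tag suppresses everything after it, so the filter fails closed.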