iframe code filtered, even though iframe is allowed in security settings

I must be doing something wrong, but I can't see it. I want to allow iframe embeds from YouTube, etc. in Exhibit pages. I've edited the Security Settings page to allow the iframe element and the attributes associated with YouTube videos. But it is still filtered from the Exhibit pages (and also Item descriptions). It is *not* filtered from a Simple Page, so that plugin is clearly by-passing the HTML Filtering.

On my Security Settings page

My allowed elements are:
p,br,strong,em,span,div,ul,ol,li,a,h1,h2,h3,h4,h5,h6,address,pre,table,tr,td,blockquote,thead,tfoot,tbody,th,dl,dt,dd,q,small,strike,sup,sub,b,i,big,small,tt,img,iframe

My allowed attributes are:
*.style,*.class,a.href,a.title,a.target,a.name,img.src,iframe.width,iframe.height,iframe.src,iframe.frameborder,iframe.allfullscreen

Using Omeka version 2.1.2.

What am I missing?

When you're pasting in the embed codes, are you clicking on the HTML source editor? http://omeka.org/codex/Using_HTML_Editor-TinyMCE

To embed web objects, such as videos from YouTube or ArtBabble, or add other HTML tags not available in the tool bar above the text box, click on the HTML button and an HTML Source Editor window will appear to you.

Yes, I am. I'm familiar with how TinyMCE works, as I admin multiple systems that use it. Any other thoughts?

Is it possible that you're trying to embed content which forbids external embedding? I am able to use iframes with no problems.

It might help if you pasted both the HTML you're entering in TinyMCE and the HTML that actually appears on the page in question.

I've embedded the same video in a Simple Page without issue.

This is the embed code for the video I'm testing with:

<iframe width="560" height="315" src="//www.youtube.com/embed/Kdgt1ZHkvnM" frameborder="0" allowfullscreen></iframe>

I edit the exhibit page, click the HTML button and then paste the above code into the HTML editor. I click update, and then save the page. When the page reloads after saving all of the above code is gone.

I was able to use the Allowed elements and Allowed attributes fields in the Security Settings to allow <img> embeds, and those work fine. I just don't understand why it won't work for iframe.

I can confirm that this works when HTML filtering is off, but doesn't work when filtering is enabled, even with the required elements/attributes allowed. I tried with no attributes but src, same thing.

As a temporary workaround, you could create the page with filtering off, then re-enable filtering when you have finished editing. Existing pages will not be affected by the change.

Unfortunately, I am not the one doing the majority of the content entry. Those that are will not have access to the security settings.

Is there a place I can submit this as a bug?

Sounds like something in how Exhibit Builder is filtering HTML, differently from how Simple Pages is doing it. Which version of Exhibit Builder are you using?

Info either in this forum or in the Exhibit Builder GitHub issues page will get it into our bug tracking.

I'm using Exhibit Builder 3.0.

Exhibit Builder and Simple Pages aren't treating iframes differently.

If anyone's seeing a difference, it's likely because they've simply configured Simple Pages to not apply the HTML filters.

Ah, so I see! So this is a bug with the HTML filtering and not with Exhibit Builder, then? Has it been addressed in 2.1.4? I haven't updated to that yet, but I probably could if this is fixed.

I'm using 2.1.4. iframes are removed when filtering is checked, even if the elements & attributes are explicitly allowed.

HTML Purifier, the library we use, doesn't appear to allow for "all iframes OK" as a configuration. There's a "safe iframe" option, but it would require us to specify a regex for allowable source URLs.

I think that iframes can be enabled, but we'd need to tell HTML Purifier that the input was "trusted" to do so.