<Script> html tag not working

I am editing a plone page to open an Excel document on a specific sheet. I created two buttons to see if either would appear as actual buttons and use the JS function I reference.

Why is only text showing instead of the button and why is the onclick attribute not working?

Note: I have changed to links to the spreadsheet for posting it on here but the link has been tested on other webpages

<script type="text/javascript">
    function Open_Excel_File(path,sheet)
      {

        fso = new ActiveXObject("Scripting.FileSystemObject");

        if (!fso.FileExists(path))
          alert("Cannot open file.\nFile '" + path + "' doesn't exist.");

        else
         {
           var myApp = new ActiveXObject("Excel.Application");

           if (myApp != null)
             {
               myApp.visible = true;
               Book = myApp.workbooks.open(path);
               var excel_sheet = Book.Worksheets(sheet).Activate;
               myApp.range(f_range).Select;
             }

           else {
             alert ("Cannot open Excel application");
           }
         }
      }
 </script>


<div>
<button onclick='Open_Excel_File("file://///fs-01\Departments\Underwriting\Statistical%20Data%20and%20Medical%20Information\Statistics\Cancers\Cancer%20Statistics%\Cancer%20Statistics%.xlsx", "Vulvar Ca");'>Open File</button>
<input type="button" onclick="Open_Excel_File('file://///fs-01\deps\uw\stat%20Data%20and%20Medical%20Information\Statistics\Cancers\Cancer%20Statistics%202018\Cancer%20Statistics%.xlsx', 'VCA');'>OPEN FILE</input>
</div>

THIS IS THE REPLY I RECEIVED ON STACKOVERFLOW:
Also Plone filter out a bounce of potential "nasty" tags through a specific configurable tool. It seems to me that you have injected the in the source HTML of a Page (document) type.

If so, you will see in your browser that in, the page source code, the script tag has been totally stripped away.

So, a correct way to inject some js in your page, is to load it as portal_javascript resource (plone<=4) or in resource_registry (plone>=5).

tha nasty way is to access, in the ZMI, at https://yourseite:8080/Plone/portal_transforms/safe_html/ and configure it to accept script tags inside a document (all document in your site actually).

If this answer does not satisfy you try to ask in the official community:

This is a 'feature' not a bug…

It is a feature to prevent random users to paste potentially evil javascript code into Plone content.
If everybody could add whatever javascript they wanted to a website, it could be used to 'hack the site and/or the visitors'.

Because of this, Plone removes you 'code'.

If you are a admin/ manager (and fully understand what you are doing), you can disable this 'feature' in Plone.
If you disable the filtering (as the reply on stackoverflow), your script and all other (potentially evil) scripts should work.

For this specific site I am not worried about anybody inserting evil javascript as it is only accessible by a few people on a LAN. I tried navigating to the site from the stack overflow post and received this error.

Site Error

An error was encountered while publishing this resource.

Resource not found

Sorry, the requested resource does not exist.

Check the URL and try again.

Resource: Plone GET


Troubleshooting Suggestions

  • The URL may be incorrect.
  • The parameters passed to this resource may be incorrect.
  • A resource that this resource relies on may be encountering an error.

For more detailed information about the error, please refer to the error log.

If the error persists please contact the site maintainer. Thank you for your patience.

@espenmn Reply is above

You can disable filtering (see caveats and warnings above) by going to:

Site Setup > HTML Filtering > Disable HTML Filtering

You do not need to disable HTML filtering. See my answer Disable HTML filtering setting broken on 5.2.0

you can just allow this tags you need in html filtering control panel and leave the rest to be filtered.
This should also have an effect on the tinymce filtering, as this is synced.

1 Like