Hi,
Any way to run scripts in posts limited only to admins?
I have tried setting it up before only to crash my site in PuTTY.
Have a good Wednesday
Olle
There was a post regarding this matter a couple of years ago but I am hopeful if there is a way to do this.
https://meta.discourse.org/t/adding-a-javascript-in-a-post/130019/3
Olle
@Olle11 it might help if you go into more detail on what you are trying to achieve.
There's no way to allow this on an ad hoc basis via the Composer, but depending on your use case there might be ways around it.
For example, the Poll plugin essentially runs javascript in a Post (amongst other things)
I am hoping to run a script through HTML or React that can show widgets live in the top posts.
For example a widget showing the live weather in a city through a HTML widget script.
Is the Poll plugin usable for this case?
Best regards
Olle
No I was just using that as an example. Take a look at its source code.
You could try using an iFrame if you can host the JavaScript elsewhere.
If you want tight integration you will need to consider using EmberJS.
This is probably the most accessible answer if you want content in the post as opposed to, for example, a banner at the top.
For example, I picked one of the front page items off CodePen (since it's in our allowed_iframes) and embedded it below:
It seems like the script I need won't allow iframe due to X-FRAME-Options: DENY.
Perhaps something along these lines to allow a script running in Discourse @merefield @supermathie?
App.yml:
DISCOURSE_ALLOW_UNSAFE_HTML: true
Nginx configuration for CSP:
add_header Content-Security-Policy "script-src 'self' 'https://webadress.com' 'unsafe-inline' 'unsafe-eval';";
I am trying to add the Nginx configuration but both 'unsafe-inline' and the https will not show up in the CSP when checking with curl. 'unsafe-eval' adds through admin.
Edit: NOT SAFE
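The header value from the post above, run through a small audit of its script-src sources. This is an added example, not code from the thread or from Discourse; the function names and the stricter sample policy are constructed for illustration.

```javascript
// Added example: audit the script-src of a Content-Security-Policy value.
// Split a policy string into directive name -> list of source expressions.
function parseCsp(value) {
  const policy = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; only its first occurrence counts.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Quoted tokens that CSP defines: keywords, nonces and hashes.
const QUOTED_OK = /^'(self|none|unsafe-inline|unsafe-eval|unsafe-hashes|strict-dynamic|report-sample|wasm-unsafe-eval|nonce-[\w+\/-]+=*|sha(256|384|512)-[\w+\/-]+=*)'$/i;

function auditScriptSrc(value) {
  const policy = parseCsp(value);
  // script-src falls back to default-src when it is absent.
  const sources = policy.get('script-src') || policy.get('default-src');
  if (!sources) return [{ token: null, issue: 'no script-src or default-src: script loading is unrestricted' }];
  const findings = [];
  // When a nonce or hash is present, browsers ignore 'unsafe-inline'.
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s));
  for (const s of sources) {
    const t = s.toLowerCase();
    if (t === "'unsafe-inline'" && !hasNonceOrHash) {
      findings.push({ token: s, issue: 'inline <script> and event handlers run, so injected markup can execute' });
    } else if (t === "'unsafe-eval'") {
      findings.push({ token: s, issue: 'eval() and new Function() are allowed on strings' });
    } else if (s.startsWith("'") && !QUOTED_OK.test(s)) {
      findings.push({ token: s, issue: 'not a CSP keyword, nonce or hash; host sources are written unquoted, so this is ignored' });
    } else if (t === '*' || t === 'https:' || t === 'http:') {
      findings.push({ token: s, issue: 'scripts may load from any host' });
    }
  }
  return findings;
}

// The value posted in the thread (quotes normalised), and a constructed stricter one.
const POSTED = "script-src 'self' 'https://webadress.com' 'unsafe-inline' 'unsafe-eval';";
const STRICTER = "script-src 'self' https://webadress.com";

for (const f of auditScriptSrc(POSTED)) console.log(f.token, '->', f.issue);
console.log('stricter policy findings:', auditScriptSrc(STRICTER).length);
```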
Removing the protections Discourse has in place to prevent this is a terrible idea.
That's why everyone is trying to steer you to the suggested ways of doing this.
You should be using a theme or theme component to add scripts to pages.
Can I use a theme or a theme component to add script to a post?
How can I include 'unsafe-inline' in the CSP to make the script work?
You could. The script itself would need to sit outside of the post, or perhaps you could have it decorate specific aspects of posts.
It's hard to know exactly what you want without specifics.
This is a bad idea and you should not do it.
Regarding the CSP and what I added to app.yml I will remove the unsafe_html: true, the nginx volume and the nginx configuration for CSP from the site because it is not safe.
Maybe a theme component works hmm
Exactly what script do you want to run?
Where do you want to run it?
Is it to be on a particular post? Or somewhere else in the page? What parameters need to be passed? Is it different in every post? Category?
Iframe might work. I do need to update the CSP and unsafe_html so the website is safe because CSP and the other solutions I tried are not safe
Thanks for the input. Iframe might work at least for now until I find a better solution.
Looking at the script, you can't run it globally. It requires loading in place with options.
I made a simple TC: GitHub - Arkshine/discourse-tradingview-chart
To make it easy to change the options, you can copy and paste them from the site directly inside the [wrap]..[/wrap].
By default, it forces the aspect-ratio to be 16/9, it will take all the width space, and the height is automatic. The script allows specifying a width/height, it will work as well.
I would suggest using the show_popup_button: true option. It will provide you with a way to view the chart in fullscreen in a new window.
I added two options:
Sorry, but just a isn't enough to convey . . .
Dude. That's awesome.