Embedding iframe and avoiding <invalidtag>

OS: Windows Server 2012 R2
Java Version: 11.07
Tomcat Version: 9.0.35
Lucee Version:

Part of our application allows users to embed an <iframe into a text area that then gets saved as a blog post. The Lucee script protection is turned on and will strip the <iframe part of the markup to <invalidtag when it is saved. I understand Lucee is trying to save us from malicious users.

I can turn off form scope script protection in Lucee Administrator. But we would rather not turn protection off.

Does anyone have a suggestion for a safer way to allow users to embed videos into their blog posts? My initial thought is to accept the settings for embedding a video and then have our source code handle the embedding of the iframe rather than allowing the users to upload markup to our database.


I think you can access the unfiltered values by dividing into the GetHttpRequestServlet() innards, at your own risk!

I had the same issue recently and wrote a simple UDF to override the script protection by reversing its effect on specific tags in specific input strings.

string function overrideScriptProtect( required string input, required string listAllowedElements ){
	for( var element in arguments.listAllowedElements ){
		arguments.input = arguments.input.REReplaceNoCase( "<invalidTag([^<]*</#element#>)", "<#element#\1", "ALL" );
  return arguments.input;

Example usage:

contentPreservingIframes = overrideScriptProtect( form.content, "iframe" );

A bit kludgy, but it means you can keep the general script protection in place.

1 Like