1C-Bitrix has all of its security mechanisms active by default. Some plug-ins, including Setka Editor, may need additional security policy settings to work reliably.
Issues that might occur
The 1C-Bitrix Proactive Protection sanitizes the HTML code of posts: it removes elements it considers insecure, such as <iframe> and scripts that work with external data sources.
As a result, the built-in security tool can break all embeds, whether they were created in Setka Editor or in the default editor.
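Before choosing a solution, it helps to know which embeds your posts actually contain. The following Python script is an added example, not part of Setka's or Bitrix's code: it lists the <iframe> and <script> elements in a post's HTML and checks each source host against an allowlist. TRUSTED_HOSTS, SAMPLE_POST and the function names are assumptions made for illustration, and the script does not reproduce the Proactive Filter's actual rules.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts your site policy permits for embeds (constructed sample values).
TRUSTED_HOSTS = {"www.youtube.com", "player.vimeo.com"}

# Constructed sample post body, not taken from any real site.
SAMPLE_POST = """
<p>Intro text</p>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<script src="//widgets.example.net/embed.js"></script>
<script>document.title = "inline";</script>
<iframe src="/local/page.html"></iframe>
<img src="https://cdn.example.org/pic.png">
"""

class EmbedAudit(HTMLParser):
    """Collects <iframe> and <script> tags, the element types the page says are removed."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, host or marker, line number in the post)

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        src = dict(attrs).get("src")
        if not src:
            host = "(inline)"  # no src attribute: inline script or srcdoc frame
        else:
            # Relative URLs have no hostname, so they load from the site itself.
            host = urlsplit(src).hostname or "(same-site)"
        self.findings.append((tag, host, self.getpos()[0]))

def audit(html, trusted=TRUSTED_HOSTS):
    """Return one record per embed with a verdict: trusted, untrusted or review."""
    parser = EmbedAudit()
    parser.feed(html)
    parser.close()
    report = []
    for tag, host, line in parser.findings:
        if host in ("(inline)", "(same-site)"):
            verdict = "review"  # needs a human look, no external host to compare
        else:
            verdict = "trusted" if host in trusted else "untrusted"
        report.append({"tag": tag, "host": host, "line": line, "verdict": verdict})
    return report

if __name__ == "__main__":
    for row in audit(SAMPLE_POST):
        print(row)
```

Hosts reported as untrusted are the ones to settle with your development team before adding an exclusion or switching a filter off.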
Possible solutions
Choose one of the solutions below, or a combination of them. The choice should follow your website's security policy requirements, and we strongly recommend making this decision together with your development team.
Table of contents:
1. Allow the editor to insert embeds and scripts from third-party services
2. Set the exclusions for the Web Antivirus
3. Set the exclusions of the Proactive Filter
4. Turn off the Web Antivirus and Proactive Filter
5. Allow embed insertion for specific user groups
   Step 1: add a user group
   Step 2: set the access to the data
   Step 3: allow the editor to insert embeds and scripts from third-party services
   Step 4: set the reset cache option
1. Allow the editor to insert embeds and scripts from third-party services
Create a custom access level called ‘Proactive Filter Traversal’ for the ‘Proactive Protection’ module. To do that, go to Settings => Users => Access Levels => Add new access level, then click Save.
Open Desktop => Settings => Product Settings => Module Settings => Proactive Protection. On the Access tab, choose the ‘Proactive Filter Traversal’ option and apply it to the group you added in Step 1.
2. Set the exclusions for the Web Antivirus
You can set exclusions for embeds and scripts in the antivirus settings. In the Bitrix admin panel, choose Desktop => Settings => Proactive Protection => Web Antivirus => Exclusions.
Here you can also add a fragment of the HTML code of the element that is being blocked.
3. Set the exclusions of the Proactive Filter
Once you add exclusions in the Proactive Filter's settings, HTML-code sanitizing is turned off for the specific pages you list. Here is the path in the admin panel: Desktop => Settings => Proactive Protection => Proactive Filter => Exclusions.
Enter the names of the pages for which you want to turn the protection off.
4. Turn off the Web Antivirus and Proactive Filter
In some cases the website's security policy allows the checking of scripts and embeds to be turned off completely.
Before doing this, be sure to consult with your development team.
To turn the protection off completely, do the following:
- Open Desktop => Settings => Proactive Protection => Web Antivirus => Turn the Web Antivirus off
- Open Desktop => Settings => Proactive Protection => Proactive Filter => Turn the Proactive Protection off
5. Allow embed insertion for specific user groups
Set special permissions for your desk editors and content managers, and their posts will not be checked by the security system.
Step 1: add a user group
Create a new group: Desktop => Settings => Users => User groups => Add a group. Set any name in the Name field, e.g. ‘Desk Editors’.
On the Access tab, choose Files and Folders Editing in the Structure Control field.
Press Save to add a user group.
Step 2: set the access to the data
Give the user group you added in the previous step access to the public part of the website:
- For the /bitrix/admin/ folder, set the Reading mode
- For the /upload/ folder, set the Record mode
In the settings of the info modules that the user group can already edit, set ‘Editing’ as the access level.
If you use a media library, give your group access to it as well.
Step 3: allow the editor to insert embeds and scripts from third-party services
This step repeats solution 1, the Proactive Filter traversal.
Step 4: set the reset cache option
Open Settings => Users => Access Levels. Choose the Cache Control level for the main module. Turn other operations on if needed.
Go back to Desktop => Settings => Users => User Groups and choose the group you created in Step 1.
Go to the Access tab and choose Cache Control in the Main Module field.
Save the changes.
Done! Now all users from the Desk Editors group can add posts with embeds. HTML-code sanitizing will still be active for other user groups.