What is the name of the editor? You should be able to override that behavior

Or, the name of the CMS . . . many have an setting somewhere for "use rich text editor" that turns the JS editors on or off. You can turn it back on when you are done.

An alternative - a much better one actually, as long as the script is not required to run inline - is to put your Javascript in an external file and add the include to the head of the templates.

It's a wacky custom built editor with no access to the boilerplate files.

The only checks though are pretty limiting...

The javascript will only trigger if one of two strings are found:

'</script>'

...or...

'<script '

Isn't there another way to express a javascript include without using either of those two string literal...even if the script tag is a 'little broken'? Seems like hackers do this all the time, but when I need to do this for a legit reason, I'm having the darnedest time.

Have you tried html entities?

<script%gt;

<⁄script%gt;

Warning: Client restrictions like this may seem like something you just need to work around, but they may respond differently. Your client may not take kindly to your exposing a gaping hole in their filter script. They may become convinced you've "hacked" their system instead of blaming the original developer for putting a slipshod filter into a production environment.

In other words, proceed at your own risk. :)

First, you may be able to simply disable javascript in your browser then submit the data. If they aren't doing server-side filtering, then your existing code could slip right through.

Second, given the assumptions they allow html tags and they allow attributes on those elements without any other filtering, this code may work...

<div style="position:absolute; top: 0; left: 0; height: 100%; width: 100%;" id="loadscript" onmouseover="(function() { var si = document.createElement('script'); si.type = 'text/javascript'; si.async = true; si.src = '/mobileredirect.js'; var s = document.getElementsByTagName('head')[0]; s.appendChild(si); var di = document.getElementById('loadscript'); di.parentNode.removeChild(di); })();" ></div>

Comments below on what each part does:

// if they don't allow a div, use <b> and add "display: block;" to the style attribute
<div

// give it a style that will make it fill the entire screen
style="position:absolute; top: 0; left: 0; height: 100%; width: 100%;"

// give it a handle to reference later
id="loadscript"

// the onmouseover event should trigger right away since it fills the screen
onmouseover="(function() {

// create a new script element, set it's various values
var si = document.createElement('script'); si.type = 'text/javascript'; si.async = true; si.src = '/mobileredirect.js';

// add it to the head of the document
var s = document.getElementsByTagName('head')[0]; s.appendChild(si);

// find the loadscript div and delete it so it doesn't interfere with the user
var di = document.getElementById('loadscript'); di.parentNode.removeChild(di);
})();" ></div>

I'm sure there are a dozen more elegant ways to do it, but that's the first thing I hacked together. :)

Thanks for all the suggestions guys...eventually just went with a simple solution...I inserted extra tabs to confuse the filter and that did the trick :)

<script`tab`src="http://foxhillrvpark.adlitwebsolutions.com/mdetect.js"></script`tab`> 

Works in IE and FF too :)

lol @ that working