[Infusion-users] Rich text inline editor and allowed tags

Jennifer Bourey jennifer.bourey at gmail.com
Thu May 27 15:15:08 UTC 2010


Hey Colin,

Thanks for the pointers!  That's a really useful document to know about, especially since it seems like some of the configuration has changed since earlier versions of FCKeditor.  

After quite a bit of debugging, I think I've determined that the script tag already seems to be protected.  When I set up a simple CKEditor instance and submitted it to a PHP page, the script tag did seem to show up in the submitted form value.

I've also discovered that if I add the following event handler to the fluid rich text editor component, the printed result includes the script tag:

  afterFinishEdit: function(newVal, old, edit, view){
       // log the raw textarea value once the edit has finished
       console.log($(".flc-inlineEdit-editContainer textarea").val());
  }

From my debugging, it looks like the component's model is updated as well.  I have to admit that I'm not entirely sure what's going on here.  I haven't quite been able to track down the code that updates any required form fields, but perhaps that might be where the issue lies?

- Jen


On May 26, 2010, at 8:03 AM, Colin Clark wrote:

> Hey,
> 
> It is indeed the CKEditor that is stripping out your script tags. Their documentation isn't wicked, but I can sort of intuit that this configuration option might do the trick for you:
> 
> http://docs.cksource.com/ckeditor%5Fapi/symbols/CKEDITOR.config.html#.protectedSource
> 
> It seems to want a regular expression that matches all the stuff you don't want it to strip out. We expose CKEditor editor's configuration options via Inline Edit's "CKEditor" option, so you should be able to specify it there. If you need to get access to the CKEditor instance itself, you can use the fluid.inlineEdit.CKEditor.getEditor(editFieldElement) function.
> 
> Hope this helps,
> 
> Colin
> 
> On 2010-05-26, at 12:43 AM, Eli Cochran wrote:
> 
>> Jen,
>> I haven't researched it but I'm betting that it's CKEditor that's doing the stripping. And I don't know if it's a setting that can be changed. Allowing a user to add a script is usually considered a security risk so I'm not surprised that they'd strip them out. 
>> 
>> - Eli 
>> 
>> On May 25, 2010, at 3:18 PM, Jennifer Bourey wrote:
>> 
>>> Hi folks,
>>> 
>>> I've been playing with the rich text inline editor and was hoping someone might be able to help me figure out how to allow script tags.  It seems like right now if I enter javascript into the editor it's magically stripped out of the content.  I wasn't quite sure if CKEditor was doing that, or if Fluid was.  Either way, does anyone know how to prevent the editor from sanitizing HTML input?  We're already cleaning input on the backend, and I think it'll be easier to only require adopters to edit the content rules in one place.
>>> 
>>> Thanks!
>>> 
>>> - Jen
>>> _______________________________________________
>>> Infusion-users mailing list
>>> Infusion-users at fluidproject.org
>>> http://fluidproject.org/mailman/listinfo/infusion-users
>> 
>> 
>> Eli Cochran
>> manager of user experience design
>> ETS, UC Berkeley
>> 
>> "A designer knows he has achieved perfection not when there is nothing left to add, but when there is nothing left to take away."
>>   - Antoine De Saint-Exupery
> 
> ---
> Colin Clark
> Technical Lead, Fluid Project
> http://fluidproject.org
> 
