[Infusion-users] Rich text inline editor and allowed tags

Jennifer Bourey jennifer.bourey at gmail.com
Thu May 27 22:43:51 UTC 2010


Thanks!  That definitely helped get me closer.  I now have the script element showing up in the markup in the preview div.  The code I'm using is essentially the following:

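    myportlet.scriptEnablingViewAccessor = function (element) {
        return {
            // Acts as a getter when called without an argument, as a setter otherwise.
            value: function (newValue) {
                // Test against undefined so that an empty string still clears the view.
                if (newValue !== undefined) {
                    // Assign the markup directly rather than via jQuery's html(),
                    // so that script elements stay in the preview markup.
                    element.innerHTML = newValue;
                    return $(element);
                } else {
                    return element.innerHTML;
                }
            }
        };
    };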

The problem I'm facing now is that while the preview is updated, the submitted form field value is still missing the script tag.  Any ideas?

- Jen


On May 27, 2010, at 12:38 PM, Antranig Basman wrote:

> Yes, it does. The place to customise this behaviour is in the "viewAccessor" for the particular integration. The default set up for the rich text integrations is "fluid.inlineEdit.richTextViewAccessor" which you can see in InlineEdit.js simply defers to jQuery.html(). You could make an alternative accessor that simply assigns to element.innerHTML - but make sure to test it on IE :) If you get something working as you would like, please do contribute it back on a JIRA -
> cheers,
> A.
> 
> Jennifer Bourey wrote:
>> Hey Antranig,
>> The two problematic observations I've had so far are as follows:
>> 1. When the form is ultimately submitted to the server, the submitted data is missing any script elements.
>> 2. If I press "save" in the inline edit component, then attempt to re-edit the content (without submitting or refreshing the page), my script tags have disappeared from the source view of the CKEditor.
>> I suspect the behavior you describe might well be related to the problem we're seeing.  I don't know much about what the Fluid inline edit components do once I press "save," but I'd wondered if perhaps they call html() on the preview container, which then drops the script tags?
>> - Jen
>> On May 27, 2010, at 11:25 AM, Antranig Basman wrote:
>>> Hi there Jen - I'm not sure exactly how you are "observing" that the script tags are going missing - perhaps you could describe the exact steps you are performing?
>>> I am wondering though if what you might be observing is the default effect of jQuery on performing document manipulation. It makes various attempts to be "helpful" when you paste markup into the document, for example using the html() method, which all eventually end up (at least in 1.4.x) bottling into the domManip() method. As you may see, this does various elaborate things to the markup, including explicitly hooking out any <script> blocks and making attempts to evaluate them by various strategies. They do not appear explicitly in the DOM after this process.
>>> 
>>> We discovered in our engage work that this strategy is not always entirely reliable and in many cases it is better to go back to raw DOM methods for some cases (although depending on the exact markup, this can be hazardous - there are lots of cases where IE will barf or even crash hard on receiving some kinds of "incomplete" markup such as table rows).
>>> 
>>> This may be totally unrelated to what you are seeing, but perhaps not.
>>> Cheers,
>>> A.
>>> 
>>> Jennifer Bourey wrote:
>>>> Hey Colin,
>>>> Thanks for the pointers!  That's a really useful document to know about, especially since it seems like some of the configuration has changed since earlier versions of FCKeditor.  After quite a bit of debugging, I think I've determined that the script tag already seems to be protected.  When I set up a simple CKEditor instance and submitted it to a PHP page, the script tag did seem to show up in the submitted form value.
>>>> I've also discovered that if I add the following event handler to the fluid rich text editor component, the printed result includes the script tag:
>>>> afterFinishEdit: function(newVal, old, edit, view){
>>>>      console.log($(".flc-inlineEdit-editContainer textarea").val());
>>>> }
>>>> From my debugging, it looks like the component's model is updated as well.  I have to admit that I'm not entirely sure what's going on here.  I haven't quite been able to track down the code that updates any required form fields, but perhaps that might be where the issue lies?
>>>> - Jen
>>>> On May 26, 2010, at 8:03 AM, Colin Clark wrote:
>>>>> Hey,
>>>>> 
>>>>> It is indeed the CKEditor that is stripping out your script tags. Their documentation isn't wicked, but I can sort of intuit that this configuration option might do the trick for you:
>>>>> 
>>>>> http://docs.cksource.com/ckeditor%5Fapi/symbols/CKEDITOR.config.html#.protectedSource
>>>>> 
>>>>> It seems to want a regular expression that matches all the stuff you don't want it to strip out. We expose CKEditor editor's configuration options via Inline Edit's "CKEditor" option, so you should be able to specify it there. If you need to get access to the CKEditor instance itself, you can use the fluid.inlineEdit.CKEditor.getEditor(editFieldElement) function.
>>>>> 
>>>>> Hope this helps,
>>>>> 
>>>>> Colin
>>>>> 
>>>>> On 2010-05-26, at 12:43 AM, Eli Cochran wrote:
>>>>> 
>>>>>> Jen,
>>>>>> I haven't researched it but I'm betting that it's CKEditor that's doing the stripping. And I don't know if it's a setting that can be changed. Allowing a user to add a script is usually considered a security risk so I'm not surprised that they'd strip them out.
>>>>>> 
>>>>>> - Eli
>>>>>> 
>>>>>> On May 25, 2010, at 3:18 PM, Jennifer Bourey wrote:
>>>>>> 
>>>>>>> Hi folks,
>>>>>>> 
>>>>>>> I've been playing with the rich text inline editor and was hoping someone might be able to help me figure out how to allow script tags.  It seems like right now if I enter javascript into the editor it's magically stripped out of the content.  I wasn't quite sure if CKEditor was doing that, or if Fluid was.  Either way, does anyone know how to prevent the editor from sanitizing HTML input?  We're already cleaning input on the backend, and I think it'll be easier to only require adopters to edit the content rules in one place.
>>>>>>> 
>>>>>>> Thanks!
>>>>>>> 
>>>>>>> - Jen
>>>>>>> _______________________________________________
>>>>>>> Infusion-users mailing list
>>>>>>> Infusion-users at fluidproject.org
>>>>>>> http://fluidproject.org/mailman/listinfo/infusion-users
>>>>>> . . . . . . . . . . .  .  .   .    .      .         .              .                     .
>>>>>> 
>>>>>> Eli Cochran
>>>>>> manager of user experience design
>>>>>> ETS, UC Berkeley
>>>>>> 
>>>>>> "A designer knows he has achieved perfection not when there is nothing left to add, but when there is nothing left to take away."
>>>>>> - Antoine De Saint-Exupery
>>>>> ---
>>>>> Colin Clark
>>>>> Technical Lead, Fluid Project
>>>>> http://fluidproject.org
>>>>> 
> 
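The thread narrows the loss of script elements down by checking one layer at a time (CKEditor's textarea, the component model, the preview container, the submitted field). As an added example, not part of the original messages or of Infusion's own code, the helper below does that comparison over snapshots of each layer; the stage names and sample markup are constructed, and in a browser the snapshots would be read from the page (for instance the textarea value logged in the `afterFinishEdit` handler quoted above).

```javascript
// Added example: find the first pipeline stage at which a watched element
// disappears. Stage names and sample markup are constructed for illustration.

// Count opening tags of the given element name in an HTML string.
// The lookahead keeps "<script" from matching longer names such as "<scripts".
function countTag(html, tagName) {
    var re = new RegExp("<" + tagName + "(?=[\\s>/])", "gi");
    var matches = String(html).match(re);
    return matches ? matches.length : 0;
}

// stages: ordered array of { name, html } snapshots taken along the pipeline.
// Returns the name of the first stage holding fewer <tagName> elements than
// the stage before it, or null if the count never drops.
function firstStageDropping(stages, tagName) {
    for (var i = 1; i < stages.length; i++) {
        var before = countTag(stages[i - 1].html, tagName);
        var after = countTag(stages[i].html, tagName);
        if (after < before) {
            return stages[i].name;
        }
    }
    return null;
}

// Constructed snapshots mirroring the state described in the latest message:
// the preview now keeps the script element, the submitted value does not.
var edited = '<p>Hello</p><script type="text/javascript">init();</script>';
var snapshots = [
    { name: "editor textarea", html: edited },
    { name: "component model", html: edited },
    { name: "preview container", html: edited },
    { name: "submitted form field", html: "<p>Hello</p>" }
];

console.log("script elements first dropped at:",
    firstStageDropping(snapshots, "script"));
```

Whichever client-side layer turns out to drop or keep the element, the backend cleaning mentioned in the original question remains the step that decides what markup is stored and served.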
