I'm writing a non-cached filter (filter is applied every time the text is loaded, rather than saved) using hook_filter_info() and related functions. Right now the filter works great with the standard Drupal editor and Wysiwyg module. But for some reason, CKEditor is applying my filter when the text is loaded, which makes my filter useless. Is CKEditor processing filters when it loads the editor? How can I disabled this behavior for my module? Can this be fixed?

The details of my filter can be found here.

CommentFileSizeAuthor
#5 ckeditor-security_alter_hook-1327898-5.patch1.24 KBgrasmash

Comments

dwieeb’s picture

dwieeb commented
Category: support » bug
Status: Active » Needs work

The same behavior is occurring with the Token Filter module.

dwieeb’s picture

dwieeb commented
Version: 7.x-1.4 » 7.x-1.8
Status: Needs work » Fixed

It appears to be fixed in 1.8.

mkesicki’s picture

mkesicki commented
Status: Fixed » Closed (fixed)
grasmash’s picture

grasmash commented
Version: 7.x-1.8 » 7.x-1.x-dev
Issue summary: View changes
Status: Closed (fixed) » Active

This behavior is still occurring on the latest dev.

grasmash’s picture

grasmash commented
Status: Active » Needs review
StatusFileSize
new ckeditor-security_alter_hook-1327898-5.patch1.24 KB

This problems stems from ckeditor_filter_xss(), which is called when CKEditor is loaded. It gets a list of $format_filters and $security_filters for the input_format, and applies them when the editor is loaded.

This is different from the way that Drupal core is designed to handle input formats. Core's approach is to allow users to input content relatively unmolested (save SQL injection sanitization) and then filter the value upon display. If a user were to re-edit the content, they'd see the original input in the textarea. CKEditor does not follow this approach, and thereby creates a very confusing editor experience.

Take this scenario as an example:

  • admin enters invalid html (an img tag without an alt attribute) into ckeditor and clicks save
  • a formatter recognizes that the img tag is invalid and does not display it
  • the admin realizes that his/her code is not working as expected and re-edits the node
  • the entire img tag is now missing from the editor. no warning/error was displayed, and their content has disappeared

These filters should not be applied when CKEditor loads. A few suggestions for ways to make this configurable:

  • Introduce a variable that would allow security filters to be toggled off
  • Introduce an alter hook that would allow security filters to be selectively manipulated (E.g., unset)
jcisio’s picture

jcisio commented
Title: Does CKEditor process filters on load? » Allow modules to modify security filters list
Category: Bug report » Feature request
Status: Needs review » Fixed

  • Commit 71d53be on 7.x-1.x authored by grasmash, committed by jcisio: 
    Issue #1327898: Adding new ckeditor_security_filter_alter() hook....
jcisio’s picture

jcisio commented

Committed and pushed. Thanks!

  • Commit cdc6f03 on 7.x-1.x authored by grasmash, committed by wwalc: 
    Issue #1327898: Adding new ckeditor_security_filter_alter() hook (...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.