I just installed FCKeditor on a 500-1,000 page content site. On my Linux system it worked well with Firefox as well as in IE6 under wine. However, the other administrator of the site is using Vista with IE7. Also, he has Skype installed.
The problem we are having is that when he edits a page that contains telephone numbers, Skype (I am assuming that he has some sort of browser add-on installed, although he doesn't recall installing it) on his computer adds about two paragraphs worth of garbage html code to our source code around each and every phone number. Worse yet, this code doesn't show up in the WYSIWYG editor window, but does show up in the source code and doesn't get filtered out.
We can disable Skype on his computer, but we are wanting to open the site up for more people to edit it.
I don't have access to his computer, but it seems like Skype has a huge, glaring bug that it would fill in an html textarea with its garbage, but it also seems like a huge security problem that FCKeditor evidently isn't validating the source html code that is going into my database.
BTW, we are using the 2.5 beta code from FCKeditor.
I realize this doesn't seem to be distinctly a Drupal problem, but I know that this is a popular editor with Drupal.
Is there a fix? Is TinyMCE editor better security wise? Any suggestions?
Comments
This looks like the Skype "toolbar" that dives in and turns anything on a web page that looks like a phone number into a glitzy button that lets you phone the number now using Skype.
Suggest you just disable the toolbar - you can still use Skype as before.
gpk
----
www.alexoria.co.uk
We can disable the toolbar for now since we only have one editor who is having trouble.
However, that leaves us with three questions.
1. What do we do when we open editing up to hundreds of completely non-tech-savvy registered users who might have the Skype toolbar installed?
2. If all of this garbage can get in, what else could get in unawares and why is it not being sanitized? I haven't reviewed the FCKeditor Javascript code yet, but it appears that there are no checks.
3. What is Skype thinking allowing their script to write to a textarea?
1. Give all the users clear instructions about how to disable/remove the toolbar. Hardly ideal, I know ...
2. I've not examined the HTML code that the toolbar wraps round the phone number. It may not be any different from code that a user might want to insert by hand. Possibly you can customise the editor to filter it out. (Some customisation of filtering is possible with TinyMCE, but I've not used FCKeditor so can't comment on its capabilities.)
3. Good question!
Some browser toolbars also do various monitoring of user behaviour and report back to base ... (e.g. this is how Alexa calculates its rankings and IIRC how Google determines click-thru rates on organic search results, which they then use to modify pagerank.)
gpk
----
www.alexoria.co.uk
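The thread's question 2 (why the editor isn't sanitizing) and the reply's suggestion to filter the wrapper markup out both come down to the same point: a browser-side editor cannot be trusted to enforce the policy, because anything on the client (a toolbar, a modified editor, a hand-crafted POST) can put arbitrary HTML into the textarea. The policy has to be enforced on the server, before the fragment reaches the database. The block below is an added example, not code from this thread, from FCKeditor, or from Drupal: a small allow-list HTML sanitizer in Python that keeps only a fixed set of tags and attributes and discards everything else. The sample input is constructed to imitate the kind of wrapper a phone-number toolbar might inject; it is not Skype's actual markup, and the tag list, attribute list and URL-scheme policy are assumptions chosen for the example.

```python
from html.parser import HTMLParser
import html

# Assumed policy for the example: tags an editor is allowed to store,
# the attributes allowed on each, and the URL schemes a link may use.
# Anything not listed here is dropped, whoever or whatever inserted it.
ALLOWED_TAGS = {"p", "br", "a", "strong", "em", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_SCHEMES = ("http://", "https://", "mailto:", "tel:")
VOID_TAGS = {"br"}
# Elements whose text content must go too, not just the tags around it.
DROP_CONTENT_TAGS = {"script", "style"}


class AllowListSanitizer(HTMLParser):
    """Rebuilds a fragment from scratch, emitting only allow-listed markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped_tags = []   # record of removed tags, useful for logging
        self.skipping = None     # set while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skipping = tag
        if tag not in ALLOWED_TAGS:
            self.dropped_tags.append(tag)
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops class, style, on* handlers, etc.
            value = value or ""
            if name == "href" and not value.lower().startswith(ALLOWED_SCHEMES):
                continue  # blocks javascript:, data:, vbscript: links
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skipping:
            return  # script/style bodies are discarded entirely
        # Text is re-escaped, so stray '<' and '&' can never form markup.
        self.out.append(html.escape(data, quote=False))


def sanitize(fragment):
    """Return (clean_html, dropped_tags) for an untrusted HTML fragment."""
    parser = AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped_tags


# Constructed sample: a paragraph as a toolbar might rewrite it, plus a
# script element. This imitates the problem; it is not real toolbar output.
CONSTRUCTED_INPUT = (
    "<p>Call us on "
    '<span class="toolbar-phone-widget" onmouseover="showPopup()">'
    '<span class="toolbar-phone-text">+44 20 7946 0958</span>'
    '<img src="http://toolbar.example/logo.png" alt="">'
    "</span> today.</p>"
    "<script>alert(1)</script>"
)

if __name__ == "__main__":
    clean, dropped = sanitize(CONSTRUCTED_INPUT)
    print(clean)    # <p>Call us on +44 20 7946 0958 today.</p>
    print(dropped)  # ['span', 'span', 'img', 'script']
```

The wrapper spans, the event handler, the image and the script all disappear and the phone number survives as plain text, without the sanitizer needing to know anything about the toolbar. The same approach rejects `javascript:` links while keeping `tel:` ones. In Drupal terms this is the job of the input format filters (the allowed-tags list of Filtered HTML), not of the editor; the editor's own filtering, where it has any, is a convenience for the user rather than a security boundary.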