I've disabled all filters in FCKeditor settings.
But FCKeditor keeps altering original content when I save then edit then save again and so on.
I just want FCKeditor to use the content of the textarea as is, without filtering it.

Comments

anrikun’s picture

Title: FCKeditor alters user's data! » FCKeditor alters user's data! AJAX callback - XSS filter should not be called if no security filter is selected

AJAX callback - XSS filter should not be called if no security filter is selected

wwalc’s picture

Status: Active » Fixed

Yup, it sounds reasonable: if someone disabled all of them, why execute the default filter at all?

derekwebb1’s picture

Status: Fixed » Needs work

Yep, this is certainly a problem. I am seeing this as well. It is driving people nuts.

I see that you have a variable "xss_check" that is used to determine if filtering is needed. I have not been able to locate where this is set so far. I really want it to stop filtering if I say "Don't filter!"

Outside of this error it is a pretty nice module.

Derek

PS: Why does the previous post suggest that this problem was fixed? It is not.

anrikun’s picture

A dirty fix is to change this function in fckeditor.module:

/**
 * AJAX callback - XSS filter
 */
function fckeditor_filter_xss() {
  $GLOBALS['devel_shutdown'] = FALSE;

  if (!isset($_POST['text']) || !is_string($_POST['text']) || !is_array($_POST['filters'])) {
    exit;
  }
  
  $text = $_POST['text'];

  /* commented
  $text = strtr($text, array('<!--' => '__COMMENT__START__', '-->' => '__COMMENT__END__'));
  
  foreach ($_POST['filters'] as $module_delta) {
    $module = strtok($module_delta, "/");
    $delta = strtok("/");
    $format = strtok("/");

    if (!module_hook($module, 'filter')) {
      continue;
    }

    //built-in filter module, a special case where we would like to strip XSS and nothing more
    if ($module == 'filter' && $delta == 0) {
      preg_match_all("|</?([a-z][a-z0-9]*)(?:\b[^>]*)>|i", $text, $matches);
      if ($matches[1]) {
        $tags = array_unique($matches[1]);
        $text = filter_xss($text, $tags);
      }
    }
    else {
      $text = module_invoke($module, 'filter', 'process', $delta, $format, $text);
    }
  }
  
  $text = strtr($text, array('__COMMENT__START__' => '<!--', '__COMMENT__END__' => '-->'));
*/

  echo $text;
  exit;
}

derekwebb1’s picture

Yeah. I have a very dirty fix too. Basically I set the xss_check variable to 0 (as in Zero or false) right before they are used in the fckeditor.config.js file.

Here:

function Toggle( js_id, textareaID, textTextarea, TextRTE, xss_check )
{
  var eFCKeditorDiv = document.getElementById( 'fck_' + js_id ) ;

  if (!fckIsRunning[js_id])
  {
    if (!fckIsLaunching[js_id])
    {
      //display is set to '' at this stage because of IE 800a025e bug
      if (fckIsIE)
        eFCKeditorDiv.style.display = '' ;
      fckIsLaunching[js_id] = true;
      $(".img_assist-button").hide();
      xss_check = 0; // dirty fix: force the XSS check off so the block below never runs
      if (xss_check && $('#' + textareaID).attr('class').indexOf("filterxss2") != -1) {
        $.post(Drupal.settings.basePath + 'index.php?q=fckeditor/xss', {
            text: $('#' + textareaID).val(),
            'filters[]': Drupal.settings.fckeditor_filters[js_id]
          },
          function(text) {
            $('#' + textareaID).val(text);
            $('#' + js_id).val(text);
            window[js_id].ReplaceTextarea();
          }
        );
      }
   ... long code edited



And Here:

function FCKeditorReplaceTextarea(textarea_id, oFCKeditor, xss_check)
{
  if ($('#' + oFCKeditor.Config['TextareaID']).length === 0) {
    return;
  }
  $(".img_assist-button").hide();
  xss_check = 0; // dirty fix: force the XSS check off so the textarea is loaded as is
  if (xss_check && $('#' + oFCKeditor.Config['TextareaID']).attr('class').indexOf("filterxss") != -1) {
    $.post(Drupal.settings.basePath + 'index.php?q=fckeditor/xss', {
        text: $('#' + textarea_id).val(),
        'filters[]': Drupal.settings.fckeditor_filters[textarea_id]
      },
      function(text) {
        $('#' + textarea_id).val(text);
        oFCKeditor.ReplaceTextarea();
      }
    );
  }
  else {
    oFCKeditor.ReplaceTextarea();
  }
}

This is really odd too. I don't remember having this happen earlier.

Hope this helps, and thanks hmfireball!

Derek

wwalc’s picture

Status: Needs work » Fixed

The status was already set to fixed; my fault that I didn't write that I had already fixed it in CVS :)
Could you please download the latest dev release and let me know whether it works as expected?

btw. here's the diff (please, use the whole new module instead of applying it manually):
http://cvs.drupal.org/viewvc.py/drupal/contributions/modules/fckeditor/f...

anrikun’s picture

Should we download the last 6.x-2.x-dev version?

wwalc’s picture

6.x-2.x-dev if you have used 6.x-2.0-alpha5
6.x-1.x-dev if you have used 6.x-1.3-rc7
5.x-2.x-dev if you have used 5.x-2.2-rc7

wwalc’s picture

...and if you have used 6.x-2.x-dev, then use the latest 6.x-2.x-dev (2009-Feb-17)

anrikun’s picture

Status: Fixed » Active

Sorry, it still doesn't work.
Applying the "fix" above, it works again.

wwalc’s picture

Ahh correct, sorry for providing the wrong code to test :/

There is a slight difference between how the FCKeditor profile is saved in 6--1 and 6--2. I have simply copied the code that worked in 6--1, but it turned out that was a bad idea.

Could you download the latest version of fckeditor.module for 6--2 here:
http://cvs.drupal.org/viewvc.py/drupal/contributions/modules/fckeditor/f...

(in short, in 6--2 we have information about all filters in $_fckeditor_configuration[$textarea_id]['filters'], regardless of whether they are disabled or not, so additional checks are necessary to see whether they are actually enabled (whether the value is 0 or 1))
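
The check described in the post above, written out as an added JavaScript example. This is not the fckeditor module's own code: it assumes that Drupal.settings.fckeditor_filters[id] is an object keyed by "module/delta/format" strings with a value of 0 or 1 per filter (the 6--2 profile layout described above), and that the caller passes in the xss_check flag and the textarea's class attribute the way Toggle() and FCKeditorReplaceTextarea() do. The post() and replace() callbacks stand in for $.post and oFCKeditor.ReplaceTextarea() so the decision logic can be run on its own.

```javascript
// Added example, not the fckeditor module's code. Decides on the client side
// whether the "fckeditor/xss" AJAX callback needs to be called at all, and
// sends only the filters that are actually switched on.
//
// Assumption (not stated on the page): the filters map looks like
//   { 'filter/0/1': 1, 'filter/1/1': 0 }
// i.e. every filter of the profile is listed, enabled ones carry 1.

// Return only the filter keys whose value is 1. "1" and 1 both count as
// enabled; 0, "0", null and missing values count as disabled.
function enabledFilters(filters) {
  if (!filters || typeof filters !== 'object') {
    return [];
  }
  return Object.keys(filters).filter(function (key) {
    return Number(filters[key]) === 1;
  });
}

// Build the POST body for the xss callback, or return null when the callback
// must be skipped: xss_check off, textarea not marked with a "filterxss" class,
// or no security filter enabled. Skipping hands the textarea content to the
// editor unchanged, which is what the original report asks for.
function buildXssRequest(xssCheck, textareaClass, filters, text) {
  if (!xssCheck) {
    return null;
  }
  if (String(textareaClass || '').indexOf('filterxss') === -1) {
    return null;
  }
  var enabled = enabledFilters(filters);
  if (enabled.length === 0) {
    return null;
  }
  return { text: text, 'filters[]': enabled };
}

// Equivalent of the body of FCKeditorReplaceTextarea(): post only when there
// is something to post. Returns true if the callback was called, false if the
// textarea was loaded as is. opts.post(url, body, done) and opts.replace(text)
// are injected so this runs without jQuery or a live editor.
function replaceTextarea(opts) {
  var req = buildXssRequest(opts.xssCheck, opts.textareaClass, opts.filters, opts.text);
  if (req === null) {
    opts.replace(opts.text);
    return false;
  }
  opts.post(opts.basePath + 'index.php?q=fckeditor/xss', req, function (filtered) {
    opts.replace(filtered);
  });
  return true;
}

// Constructed sample profile: the built-in filter module enabled, a second
// filter present in the list but switched off.
var sampleFilters = { 'filter/0/1': 1, 'filter/1/1': 0 };
```

With every filter at 0 the callback is never called, so the round trip through the server-side filters that altered the content cannot happen; with a mix, only the enabled keys reach the server. Note that this only changes what is loaded into the editor: Drupal still applies the input format's filters when the stored content is rendered.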

anrikun’s picture

Status: Active » Fixed

It seems that it works now. Thank you very much :-)
Instead of unchecking security filters in settings, it would be nice to check a new radio button below:

Security settings:
Always run security filters for FCKeditor.
Run security filters only when FCKeditor is set to start automatically.
Never run security filters for FCKeditor.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.