Attached is a patch that hopefully makes it more clear what the security setting is and why it should be set.
Comment | File | Size | Author |
---|---|---|---|
 | security_text.patch | 2.93 KB | Steve Dondley |
Comments
Comment #1
armyofda12mnkeys commented:
Just copied and pasted into module since it was one line...
code needs a matching closing parenthesis below, otherwise code errors I believe:
.... before outputting it to the screen.")
Looks good, maybe rephrase some of this, not sure.
...Drupal will not, however, filter data for administrator's editing a textarea ....
Administrator usu reminds me of only the super-user, maybe content-creators/editor's/fck-users?
Maybe let user know other reason FCK will ignore settings...
change:
...Note that if a textarea's input format is set to \"Full HTML,\" FCKeditor will properly ignore the setting below...
to:
Note that if a textarea's input format is set to \"Full HTML\" (or if the input format of the node doesnt include the filter), FCKeditor will properly ignore the setting below.
Comment #2
wwalc commented:
Thanks for a patch, I have corrected it a bit following armyofda12mnkeys' suggestions and committed it to CVS.
Comment #4
Gary Feldman commented:
I'm reopening this because there are two typos in it. The term content editor's appears twice, and in both cases, the apostrophe should be removed (i.e., it should be content editors).
But I found this thread while checking to make sure the typos hadn't already been reported, and I see that the wording issue had been discussed earlier. I'm still not happy with it. It should just be users instead of content editors, because Drupal doesn't have any such built-in role, and because the role isn't relevant; it applies to anybody editing text with FCKeditor. My first reading made me think that I needed different settings for content editors and ordinary users.
The real issue is that core Drupal can filter text typed by the user before it gets inserted into the database, while these settings refer to filtering text that's already in the database but before displaying it in FCKeditor. It's necessary because there are situations when it's safe to have HTML included in content if it's only going to be displayed in a plain text area, but unsafe when it's displayed by a WYSIWYG editor. I think the first two paragraphs could be replaced by something simpler that just makes the point that these filter on the way out, not the way in.
Thanks,
Gary
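The distinction drawn in comment #4, as an added example that is not part of the thread and is not Drupal or FCKeditor module code: the same stored body is inert in a plain textarea, live when handed unfiltered to a WYSIWYG editing area, and inert again when an allowlist filter runs on the way out. All function names, the allowlist and the sample body are assumptions made for illustration.

```javascript
// Added example: models the two display paths for content already in the database.
// Every name here is hypothetical; the editing area is a simplified stand-in.

const escapeHtml = (s) =>
  s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
   .replace(/"/g, "&quot;").replace(/'/g, "&#39;");

// Constructed sample: stored body with harmless markup plus an event-handler attribute.
const stored = '<p>Hello <strong>world</strong></p><img src="x" onerror="run()">';

// Plain textarea: the value is escaped, so the browser shows the markup as text.
function renderPlainTextarea(body) {
  return `<textarea name="body">${escapeHtml(body)}</textarea>`;
}

// Output filter: escape everything, then restore only attribute-free allowlisted tags.
// Escaping "&" first means pre-escaped text in the body can never be "restored".
const ALLOWED = ["p", "strong", "em", "br"];
function filterForEditor(body) {
  const tag = new RegExp(`&lt;(/?)(${ALLOWED.join("|")})&gt;`, "gi");
  return escapeHtml(body).replace(tag, "<$1$2>");
}

// WYSIWYG editing area: whatever it is given becomes live DOM, so the filter
// has to run before the content is handed over (on the way out of the database).
function renderWysiwyg(body, filterOnOutput) {
  const html = filterOnOutput ? filterForEditor(body) : body;
  return `<div contenteditable="true">${html}</div>`;
}

console.log(renderPlainTextarea(stored));
console.log(renderWysiwyg(stored, false));
console.log(renderWysiwyg(stored, true));
```
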
Comment #5
Jorrit commented:
I have changed it in 2.x-dev to