CKEditor does not appear due to ckeditor/xss empty response

Could you post the header and payload of the request with empty response? Can you reproduce in another website? Which filters are being used?

Just came to see if I were alone on the following... not glad I am not alone.. yet, misery does
love company.. (evil grin)

page not found 10/13/2013 - 10:43 ckeditor/xss admin
page not found 10/13/2013 - 10:43 ckeditor/xss admin
page not found 10/13/2013 - 10:43 ckeditor/xss admin
page not found 10/13/2013 - 10:42 ckeditor/xss admin

same bug I guess as the WYSIWYG ed is present initially... but on revision.. forgetaboutit.. no ed and will not save the
changes. It also appears to be looking where CKED isn't living:

Type page not found
Date Sunday, October 13, 2013 - 10:43
User admin
Location http://mydomain.com/ckeditor/xss <------ wrong -----<<<-( actual sites/all/moduals/ckeditor )
Referrer http://mydomain.com/xxxxxx/x/edit
Message ckeditor/xss
Severity warning

If at first you don't succeed.. other than informing others, don't whine, HACK!

Later

Joe - over 66 and still having fun on the web playing in the cyber sandbox.

#7 The path is correct, ckeditor/xss is a path defined in ckeditor_menu(), not a static file.

I have a question about what sort of caching schemes are being used. I have been running across this issue but it is normally due to cache tables not being cleared and the XSS failing.

When I have experienced this problem, I have been installing Expire module (2.x branch) and it resolves the issue as I can force the cache to be cleared for the nodes being created or being updated.

Just my two cents...

#9 worked for me, in a pinch.

#9 solved my issue, even if it's not ideal. Thanks

My issue is slightly different that when I switch from plain text to Full HTML the WYSIWYG would actually load one of the pages on my site into the WYSIWYG. Very odd since I'm not sure why it would call that page.

Anyway disabling the ajax call mentioned in #9 is a temp fix for me now.

Thanks for your help. If I find out any other info I will add it to this issue.

I think the latest version of CKEditor (7.x-1.16) fixes this issue. I have updated my CKEditor and do not need to use the fix mentioned in #9 anymore.

It would be good to confirm if it fixed it for anybody else.

I resolved this using the following.
Initially the Default and Alternate jQuery settings were @ 1.10.
CKEditor didn't work in Full or Filtered.

Drupal 7.32
Bootstrap 7.x-3.0
CKEditor Module 7.x-1.16 - No special settings
jQuery update Module = 7.x-2.4
- Set Default jQuery version = 1.8
- Alternate jQuery version = 1.8
- jQuery and jQuery UI CDN = jQuery, Google or MS

Dropping to 1.8 was the trick.
shrug... I don't know where to find the version I've got installed. :-)

Granitize me!

#14 worked for me, "Dropping to 1.8 was the trick"

#14 Is not working for me.
Checking my console I got the error as

POST http://www.example.com/ckeditor/xss 500 (Internal Server Error) jquery-1.8.2.min.js:2

#9 solved my issue, but it is a temp fix.

Edited:
I found that the problem unique to a content (node), for all other content the editor looks fine.

I also have this issue still with CkEditor 7.1.16 and jQuery Update set to 1.8. (I've tried all versions from 1.5 up). Drupal 7.32

#9 does solve my issue to a degree - CkEditor shows in Full HTML as assigned. It seems however that no matter whether I disable ACF or not, ACF also still removes all my html tags, but this is another issue.

Will #9 be rolled into next release?

I have the same problem as #16 - 500 error.

In my case though it's due to a memory leak which I haven't tracked down yet - Apache error log is full of memory limit errors.

Can confirm that #9 gets around it for now.

#17, no it shouldn't be rolled into the release! it's not a fix, just a hacky workaround (one which I'm thankful for!)

I had issues with filtered not showing the editor.
Just installing jquery_update 7.x-2.4 fixed this for me.
I can set jquery to 1.8, 1.9 or 1.10 all they all work

In my setup I experience trouble: some pages show the ckeditor, some don't. When changing the theme during the editing of a non-functioning page, the ckeditor reappears, the next time it's gone again. (no matter what theme I use). Within PhPAdmin I cannot find any differences between the pages.
Any help?

Fiselier, any js errors in your console on the non-ckeditor pages?

I was getting 500 errors from one field in a field collection on one node. I figured out that the error would only show up when this consecutive string of text from that node was in the field:

selective coating that absorbs solar energy well but inhibits radiative heat loss. The air is withdrawn ("evacuated") from

Do you see the problem?

SELECTive coating that absorbs solar energy well but inhibits radiative heat loss. The air is withdrawn ("evacuated") FROM

Clearly, something is seeing that embedded in my paragraphs of information on solar energy, identifying it as a SQL injection attempt, and doing something stupid. That string produces the problem in any CKEditor field on my site.

Once I figure out the exact problem, I'll probably be raising this with the actual CKEditor people.

Ends up this was mod_security messing things up. It was set to exclude other Drupal paths but not ckeditor/xss. Not sure if is my case is applicable to anything above; sorry.

here are no editor libraries installed currently. The following list contains a list of currently supported editors:
Error
CKEditor (Download) Not installed.
The version of CKEditor could not be detected.

Extract the archive and copy its contents into a new folder in the following location:
sites/all/libraries/ckeditor

So the actual library can be found at:
sites/all/libraries/ckeditor/ckeditor.js

Do NOT download the "CKEditor for Drupal" edition.this error occure

#9 working for me, is a bug

Also just ran into this issue. My console is reporting POST https://mywebsite.com/ckeditor/xss 500 Internal Server Error. Any resolution yet? #9's temp fix (adding false to the beginning of that if statement) works for me, but a more permanent resolution would be preferable.

Prizem, I found that my 500 error was caused by a memory leak which was totally unrelated to CKEditor (in my case, I had temporarily set all user's emails on a dev site to test@test.com or similar, so whenever Drupal tried to load a user by email address it was loading all users, which was a few hundred thousand on the site I was working on) - it might well be that this is not a CKEditor bug but just an indication of a bug somewhere else on your site.

Recently had this issue. The problem only occurred for me when a page had multiple CKEditor instances on it (i.e. more than one text area). Those of you getting blank responses from the XSS post that had upgraded jQuery, this patch might help you to solve your issue without having to downgrade jQuery.

The solution in #2335105: Blank fields after updating jQuery didn't work for me since I am using a newer version of the ckeditor module (1.x-dev) but the hack in #9 did. Since I can't see a more elegant way of getting around this currently I've rolled this into a patch incase others need the same fix.

Again, this is not for review/inclusion but just for the convenience of others suffering from the same Server 500 error.

I'm currently experiencing the same issue on my blog content type.

I have Drupal 7.38 installed with all projects up to date as of this post.

Used to work fine.

Console shows a 522 error on the following .js file

/sites/default/files/js/js_5lrzLVYmzJlz59v8vxohFpYcT_00TebFdDnQv26MYt8.js

#14 worked for me. Thank you philipz for great initial explanation!

I'm having this problem too. Very annoying. Patch from #29 worked for me.

#9 solved my problem, Thank you

#29 patch fixed my problem, does anyone know the root problem though? so we can get a real patch made and committed?

#29 worked for me as well. In my case, the issue was really intermittent. Some pages worked fine consistently, others did not and still others allowed one edit, then the fields with CKEditor enabled came up blank on subsequent edits.

Thanks for the fix!

#29 works for me too. In my case, ckeditor didn't appear only for announces. After applying the patch it work's correctly. Thanks a lot! I'm happy!

I think what's happening here is that the request is actually doing it's job, but triggering an error that's not handled correctly because the POST request is make with async = False. Switching the async flag to true (false is depreciated anyway) on the request resolved the error on my project, and revealed another underlying bug (which I believe is related to custom code in my case). Patch to switch the request mode to a supported mode attached.

Ran into this one again after the latest module update. I tried the patch in #38, but didn't have any luck. Went back to #29 and all is well again.

I tried applying the patch in #38, but it didn't resolve the issue for me either. I went back to the patch at #29 and that did bandaid the problem for now.

I had a similar issue and the cause ended up being an incorrect .htaccess file in the site root.
I re-uploaded the default D7 .htaccess and problem solved.

Thank you so much for patch #29! I had installed the ckeditor module and pointed it at the CDN (//cdn.ckeditor.com/4.5.4/full-all). All was working well in test and development. When I moved the site to production my ckeditor randomly displayed bank fields when editing a page. It would display a blank field for certain multi-field content types and regular blocks. This was intermittent and annoying. A refresh or clicking the back button and trying to edit that content again would sort of fix it. Luckily I had workbench installed which saved us from publishing blank content. The only difference between test and production - test was using system database version 5.5.9 and prod 5.6.23 (on ubuntu). After setting up an identical test environment and poking around on the back end it seemed that the language field was undefined and trying to set it to "en" (english, use the code for your language) helped somewhat but had odd results. I'm posting this here in case there is anyone else out there with this issue, searching for a remedy. Patch 29 fixed it! Although adding the patch did disable the workbench module - now re-enabled and everything works.

#9 solved my problem, Thank you a lot.

I think @acrosman is correct in that it's more an issue with the underlying error, but regardless it would be nice to know the issue directly vs. a mysterious 500 error. In my case it was due to a New Relic request limitation. Once that was fixed, this particular issue was resolved. Have not tried the async suggestion.

Still using the patch in #29 on latest version, #38 didn't work for me.

We found in our case this was being caused by a stale js cache (we use the minify module). Refreshing the stale files (admin/config/development/performance/minifyjs) restored the missing editor.

Just check on my site (which has the same issue). Since CKEditor on my site occasionally works. I compared the difference between those that works and those doesn't.

Study of My Case

1. The pages both a POST request to the XSS path with identical data and almost identical header. Except the successful request includes "Cookie" in header and the failed header doesn't.

2. To make sure, I copied the failure POST request as CURL command, added the "Cookie" header and tried again. It works.

I'm using CKEditor module 7.x-1.17 with Drupal 7.53.

Analysis

The current version (7.x-1.17) of ckeditor_filter_xss() (page callback for the ckeditor/xss path) include these lines:

function ckeditor_filter_xss() {
  header('Content-Type: text/plain; charset=utf-8');
  $GLOBALS['devel_shutdown'] = FALSE;

  if (!isset($_POST['text']) || !is_string($_POST['text']) || !isset($_POST['input_format']) || !is_string($_POST['input_format']) || !isset($_POST['token']) || !drupal_valid_token($_POST['token'], 'ckeditorAjaxCall', FALSE)) {
    exit;
  }

When the request provides no cookie (hence no PHP session), the function drupal_valid_token() (with $skip_anonymous = FALSE) evaluates FALSE. Hence the callback is exit returning empty page.

The function drupal_valid_token() depends on drupal_get_token() to return the current 'ckeditorAjaxCall' token. The function looks like this:

function drupal_get_token($value = '') {
  return drupal_hmac_base64($value, session_id() . drupal_get_private_key() . drupal_get_hash_salt());
}

Notice the session_id() function call. This means the token is hashed against the PHP session_id, which depends on cookies. With a different cookie, the results of drupal_get_token() will be different. Hence a token here is session specific and can only be validated against a given session.

Solution

The notion that ckeditor_filter_xss() depends on a token might expect it to be session in-specific. It is not. The solution would be either:

1. Make sure that the POST call to ckeditor/xss bears the correct cookie; or
2. Check token in a way independent of PHP session.

Had an issue with the string/word "selection" in the the CKEditor text area, used #9 to fix it. Not ideal but it will help me meet my deadline. I would have been completely lost w/o this thread.

A combination of #9 and #14 worked for me. Thanks!

just reducing jQuery update to 1.8 worked for me,

I just ran into this when upgrading PHP and Apache on one of our Drupal servers. The site had been functioning fine for years with only sporadic issues - but this is one of them. #9 worked for us too. Drupal 7.58, MySQL 6, Apache 4 and a big site that was originally upgraded from Drupal 6 years ago. Reducing jQuery didn't make a difference, neither did going to the latest cKeditor 4 (4.9.2), nor dropping back to 3.6.6. We tried a bunch of things, but this was what works. There were no issues with the .htaccess or Apache settings, or php.ini settings.

Update 4/25/18 - This didn't solve the problem. Ckeditor now loads on nodes where this was an issue, but it won't save anything. It still can't find the xss file path - not sure what to do at this point. It's intermittent, but happens often enough that it's a big issue on one client. Any suggestions would be welcome. Drupal is 7.59, ckeditor 7.18, Apache 4, PHP 5.

Thanks #9 worked.

Still using the patch in #29 on latest version: 7.x-2.9. I'm not sure how to go about fixing the underlying problem...

My occurrence of this issue was also related to mod_security and was solved by #23. I added the following to my Apache config (outside of the vhosts so that all sites on the server would be affected) which fixed the issue:

<LocationMatch /ckeditor/xss>
  SecRuleRemoveById 300015
</LocationMatch>

Turns out rule #300015 contains a poorly formed regex pattern.

Just bumped Into this problem in a content type that has a lot of text fields.
#9 still works after all this time. Is this issue solved on D7?

I am running a website through www.CloudFlare.com. After upgrading the site to PHP 7, I started seeing the editor fail to load. This was caused by the editor sending a POST to example.com/ckeditor/xss which returned a 403.

The resolution for me was to add a Page Rule in CloudFlare to "Disable Security". It's a workaround that I don't particularly like because I'd rather know the reason that this issue cropped up in the first place, i.e. what's the difference in how the editor loads in PHP 7 vs. PHP 5.6?

The problem seems to be present with CKeditor 4.22 and drupal core 7.99 where a colon used from msword causes the toolbar to vanish.