Hello, I've installed the modules ckeditor_syntaxhighlighter https://drupal.org/project/issues/2157351 and syntaxhighlighter 7.x-2.0. I'm using Drupal core 7.26. These seem to be working correctly when I an editing the body. But when I save the code changes the attribute to <pre> tags. Thus when a <pre class="brush:bash;"> is in the original text the saved text contains just <pre class="bash;">.

Comments

ostami’s picture

ostami CreditAttribution: ostami commented
Issue summary: View changes
Wim Leers’s picture

Wim Leers
Location Ghent 🇧🇪🇪🇺
CreditAttribution: Wim Leers at Acquia commented
Project: Drupal core » CKEditor Syntax Highlighter
Version: 7.26 » 7.x-1.0
Component: filter.module » Code

The html_filter interprets brush:bash; as a URL, and brush is not a safe protocol, so it is stripped.

The syntaxhighlighter filter should protect its code blocks.

ao2’s picture

ao2 CreditAttribution: ao2 as a volunteer commented
Status: Active » Closed (outdated)

The Drupal core issue where this is discussed is #2544110: XSS attribute filtering is inconsistent and strips valid attributes, adding the class attribute to the list of safe attributes would solve the issue.

However the issue is already worked around in the official Syntax Highlighter Drupal module for filtered formats, so just use that one instead of https://www.drupal.org/sandbox/eduardoa/2157351

Closing as outdated.