I've disabled all filters in FCKeditor settings.
But FCKeditor keeps altering original content when I save then edit then save again and so on.
I just want FCKeditor to use the content of the textarea as is, without filtering it.

Comments

Title:FCKeditor alters user's data!FCKeditor alters user's data! AJAX callback - XSS filter should not be called if no security filter is selected

AJAX callback - XSS filter should not be called if no security filter is selected

Status:Active» Fixed

Yup, it sounds reasonable, if someone disabled all of them why execute the default filter at all?

Status:Fixed» Needs work

Yep this is certainly a problem. I am seeing this as well. It is driving the people nuts.

I see that you have a variable "xss_check" that is used to determine if filtering is needed. I have not been able to locate where this is set so far. I really want it to stop filtering if I say "Don't filter!"

Outside of this error it is a pretty nice module.

Derek

PS: Why does the previous post suggest that this problem was fixed? It is not.

A dirty fix is to change this function in fckeditor.module:

<?php
/**
* AJAX callback - XSS filter
*/
function fckeditor_filter_xss() {
 
$GLOBALS['devel_shutdown'] = FALSE;
  if (!isset(
$_POST['text']) || !is_string($_POST['text']) || !is_array($_POST['filters'])) {
    exit;
  }
 
$text = $_POST['text'];
 
/* commented
  $text = strtr($text, array('<!--' => '__COMMENT__START__', '-->' => '__COMMENT__END__'));
  foreach ($_POST['filters'] as $module_delta) {
    $module = strtok($module_delta, "/");
    $delta = strtok("/");
    $format = strtok("/");
    if (!module_hook($module, 'filter')) {
      continue;
    }
    //built-in filter module, a special case where we would like to strip XSS and nothing more
    if ($module == 'filter' && $delta == 0) {
      preg_match_all("|</?([a-z][a-z0-9]*)(?:\b[^>]*)>|i", $text, $matches);
      if ($matches[1]) {
        $tags = array_unique($matches[1]);
        $text = filter_xss($text, $tags);
      }
    }
    else {
      $text = module_invoke($module, 'filter', 'process', $delta, $format, $text);
    }
  }
  $text = strtr($text, array('__COMMENT__START__' => '<!--', '__COMMENT__END__' => '-->'));
*/
 
echo $text;
  exit;
}
?>

Yeah. I have a very dirty fix too. Basically I set the xss_check variable to 0 (as in Zero or false) right before they are used in the fckeditor.config.js file.

Here:
function Toggle( js_id, textareaID, textTextarea, TextRTE,  xss_check )
{
var eFCKeditorDiv = document.getElementById( 'fck_' + js_id ) ;
if (!fckIsRunning[js_id])
{
if (!fckIsLaunching[js_id])
{
//display is set to '' at this stage because of IE 800a025e bug
if (fckIsIE)
eFCKeditorDiv.style.display = '' ;
fckIsLaunching[js_id] = true;
$(".img_assist-button").hide();
xss_check = 0;
      if (xss_check && $('#' + textareaID).attr('class').indexOf("filterxss2") != -1) {
        $.post(Drupal.settings.basePath + 'index.php?q=fckeditor/xss', {
            text: $('#' + textareaID).val(),
            'filters[]': Drupal.settings.fckeditor_filters[js_id]
          },
          function(text) {
            $('#' + textareaID).val(text);
            $('#' + js_id).val(text);
            window[js_id].ReplaceTextarea();
          }
        );
      }
   ... long code edited
And Here:
function FCKeditorReplaceTextarea(textarea_id, oFCKeditor, xss_check)
{
  if ($('#' + oFCKeditor.Config['TextareaID']).length === 0) {
    return;
  }
  $(".img_assist-button").hide();
  xss_check = 0;
  if (xss_check && $('#' + oFCKeditor.Config['TextareaID']).attr('class').indexOf("filterxss") != -1) {
    $.post(Drupal.settings.basePath + 'index.php?q=fckeditor/xss', {
      text: $('#' + textarea_id).val(),
      'filters[]': Drupal.settings.fckeditor_filters[textarea_id]
      },
      function(text) {
        $('#' + textarea_id).val(text);
        oFCKeditor.ReplaceTextarea();
      }
    );
  }
  else {
    oFCKeditor.ReplaceTextarea();
  }
}

This is really odd too. I don't remember having this happen earlier.

Hope this helps, and thanks hmfireball!

Derek

Status:Needs work» Fixed

The status was already set to fix, my fault I that didn't wrote that I have already fixed it in CVS :)
Could you please download the latest dev release and let me know whether it works as expected?

btw. here's the diff (please, use the whole new module instead of applying it manually):
http://cvs.drupal.org/viewvc.py/drupal/contributions/modules/fckeditor/f...

Should we download the last 6.x-2.x-dev version?

6.x-2.x-dev if you have used 6.x-2.0-alpha5
6.x-1.x-dev if you have used 6.x-1.3-rc7
5.x-2.x-dev if you have used 5.x-2.2-rc7

...and if you have used 6.x-2.x-dev, then use the latest 6.x-2.x-dev (2009-Feb-17)

Status:Fixed» Active

Sorry, it still doesn't work.
Applying the "fix" above, it works again.

Ahh correct, sorry for providing the wrong code to test :/

There is a slight difference between how FCKeditor profile is saved in 6--1 and 6--2. I have simply copied the code that worked in 6--1, but it turned out that was a bad idea.

Could you download the latest version of fckeditor.modue for 6--2 here:
http://cvs.drupal.org/viewvc.py/drupal/contributions/modules/fckeditor/f...

(in short, in 6--2 we have an information about all filters in $_fckeditor_configuration[$textarea_id]['filters'], regardless of whether they are disabled or not, so additional checks are necessary to see if they are actually enabled (whether the value is 0 or 1))

Status:Active» Fixed

It seems that it works now. Thank you very much :-)
Instead of unchecking security filters in settings,
It would be nice to check a new radio button below:

Security settings :
Always run security filters for FCKeditor.
Run security filters only when FCKeditor is set to start automatically.
Never run security filters for FCKeditor.

Status:Fixed» Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.