Update: I'm thinking the solution to this problem is in CKEDITOR.config.protectedSource(), but my regular-expression experience is proving to be too juvenile to handle this issue. How would I go about exempting all tags that contain the 'preserved' class from being touched by CKEditor?


Is it possible to create a block of code within the CKEditor that will not be touched by the editor itself, and will be maintained in its intended-state until explicitly changed by the user? I've been attempting to input javascript variables (bound in script tags) and a flash movie following, but CKEditor continues to rewrite my pasted code/markup, and in doing so breaking my code.

I'm working with the following setup:

<script type="text/javascript">
  var editor = CKEDITOR.replace("content", {
    height : "500px",
    width : "680px",
    resize_maxWidth : "680px",
    resize_minWidth : "680px",
    toolbar :
    [
      ['Source','-','Save','Preview'],
      ['Cut','Copy','Paste','PasteText','PasteFromWord','-','Print', 'SpellChecker', 'Scayt'],
      ['Undo','Redo','-','Find','Replace','-','SelectAll','RemoveFormat'],
      ['Bold','Italic','Underline','Strike','-','Subscript','Superscript'],
      ['NumberedList','BulletedList','-','Outdent','Indent','Blockquote'],
      ['JustifyLeft','JustifyCenter','JustifyRight','JustifyBlock'],
      ['Link','Unlink','Anchor'],
      ['Image','Table','HorizontalRule','SpecialChar']
    ]
  });
  CKFinder.SetupCKEditor( editor, "<?php print url::base(); ?>assets/ckfinder" );
</script>

UPDATE: I suppose the most ideal solution would be to preserve the contents of any tag that contains class="preserve" enabling much more than the limited exclusives.

+2  A: 

Suggestion 1: Create separate plain textarea for the admin to enter the scripts / HTML code.

Suggestion 2: Introduce a bbcode, like [script][/script] or [html][/html] that the admins can use to put the scripts / HTML code and have your server-side translate them into <script></script> and HTML code. Make sure when showing a saved content into the CKEditor, you need to have your server-side translate them into the bbcode first (or CKEditor will strip them out). Or the less-hassle way is to store the submitted content in the database as it is entered and only do the translation when displaying the page.

Suggestion 3: Since you want to use class="preserve" to mark tags you don't want CKEditor to strip out, then add the following JavaScript lines when initializing the editor:

// protect <anytag class="preserve"></anytag>
CKEDITOR.config.protectedSource.push( /<([\S]+)[^>]*class="preserve"[^>]*>.*<\/\1>/g );
// protect <anytag class="preserve" />
CKEDITOR.config.protectedSource.push( /<[^>]+class="preserve"[^>\/]*\/>/g );
Lukman
The scripts go with flash elements from time to time, so they will be posted into the editor with the flash elements. Both are getting re-written by CKEditor. The code will be stored in the database, but it is being written through my admin page, using the CKEditor. I'm thinking the solution is with `CKEDITOR.config.protectedSource()` but my regex-experience is a bit dry.
Jonathan Sampson
Edited with `CKEDITOR.config.protectedSource()` regexes :)
Lukman
Thank you, Lukman. I'll give these a whirl when I get home this evening.
Jonathan Sampson
So? Does it work? ;)
Lukman
I'm sorry, Lukman. I had not a chance last night to try it. I will today, surely. Thank you.
Jonathan Sampson
CKEditor seems to ignore this declaration, and continues to corrupt my script tags.
Jonathan Sampson
... even when you put `class="preserve"` in it?
Lukman
Yes. `class="preserve"` is only necessary on the outer-most tag, correct?
Jonathan Sampson
One thing I did change though was in your first expression, I changed `.*` to `(.|\n)*` to accommodate multiple lines. It's still erasing my script tags though.
Jonathan Sampson
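An added example, not code from the answer above or from CKEditor itself: it runs the answer's two `protectedSource` patterns, plus a multi-line variant of the first one, against constructed sample markup outside the editor, so you can see which blocks each regex would actually shield. The names `findProtected`, `countProtected` and `SAMPLE` are this example's own.

```javascript
// Original pattern from the answer: `.` does not match newlines, so a
// <script class="preserve"> that spans several lines is never matched.
const ORIGINAL = /<([\S]+)[^>]*class="preserve"[^>]*>.*<\/\1>/g;

// Multi-line, non-greedy variant: [\s\S] crosses line breaks and the lazy
// quantifier keeps two consecutive preserved blocks from merging into one.
const MULTILINE = /<([\S]+)[^>]*class="preserve"[^>]*>[\s\S]*?<\/\1>/g;

// Second pattern from the answer, for self-closing tags.
const SELF_CLOSING = /<[^>]+class="preserve"[^>\/]*\/>/g;

// Return every substring a protectedSource regex would shield from the editor.
// String.match with a /g regex returns all matches (or null when none).
function findProtected(html, re) {
  return html.match(re) || [];
}

// Total number of regions a list of patterns would protect.
function countProtected(html, patterns) {
  return patterns.reduce((n, re) => n + findProtected(html, re).length, 0);
}

// Constructed sample: one multi-line script, one single-line div, one self-closing embed.
const SAMPLE = [
  '<p>intro</p>',
  '<script type="text/javascript" class="preserve">',
  '  var a = 1;',
  '</script>',
  '<div class="preserve">kept</div>',
  '<embed src="movie.swf" class="preserve" />',
].join('\n');

// ORIGINAL finds only the one-line <div>; MULTILINE also finds the <script>;
// SELF_CLOSING finds the <embed>.
console.log(findProtected(SAMPLE, ORIGINAL).length);     // 1
console.log(findProtected(SAMPLE, MULTILINE).length);    // 2
console.log(countProtected(SAMPLE, [MULTILINE, SELF_CLOSING])); // 3
```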
+1  A: 

The issue is not with the CKEditor. Instead, the issue was with the MVC engine running the site itself. Kohana has a global_xss_filtering option within its configuration that is enabled by default. This prevents the submission of script tags, to prevent scripting attacks on your site. Changing this value to false will permit the submission of <script> tags in forms, but it also opens up the site to potential security issues that can be very serious. It is advisable that you not disable global_xss_filtering.

/* /(system|application)/config/config.php - line 66 */
/**
 * Enable or disable global XSS filtering of GET, POST, and SERVER data. This
 * option also accepts a string to specify a specific XSS filtering tool.
 */
$config['global_xss_filtering'] = FALSE;
Jonathan Sampson
tch ... why didn't you add the 'kohana' tag? I'm a Kohana user after all, so I should have been able to help if I'd known it was a Kohana issue. Well, too bad for me I didn't get the bounty :P .. at least I learned something new nevertheless
Lukman
Sorry, Lukman :) I was certain it *must* be a CKEditor issue. It wasn't until I decided to start echoing out `$_POST["element"]` instead of `$this->input->post("element")` that I realized my problem was elsewhere :) Almost immediately I thought of XSS, and went straight to the config :)
Jonathan Sampson
A: 

Is it just me or is Kohana cleaning too much?

This is the HTML that's being submitted:

<div></div><div style="text-align:center">script</div>

And Kohana simply leaves

<div></div><div></div>

or some other empty tags when there's more text.... I'm gonna do more research on XSS but it seems to me Kohana is just cleaning too much here

EDIT: Using htmlpurifier worked great for me

http://htmlpurifier.org/

PasadenaGuy
@PasadenaGuy This should be a new question. You can ask a new question by visiting the [Ask Question](http://stackoverflow.com/questions/ask) page.
Jonathan Sampson