#3407: scripts aren't protected while loading content
-------------------------------+--------------------------------------------
Reporter: alfonsoml | Owner: arczi
Type: Bug | Status: assigned
Priority: Normal | Milestone: CKEditor 3.0
Component: General | Version: SVN (CKEditor)
Keywords: Confirmed Review? |
-------------------------------+--------------------------------------------
Changes (by arczi):
* keywords: Confirmed Review- => Confirmed Review?
Comment:
Idea of this patch: Protect content using regexp before anything and
convert it into comments or fake objects.
Usage:
{{{
{
regExp : /regexp/g,
editable : true/false, // use fakeElement / protectedElement, default false
name : "mycode", // used by fakeElement to show in elementpath
replaceWith : myfunc, // custom replace function
className : "myclass" // used by fakeElement, default "cke_code"
},
}}}
and explanation:
{{{
comment.js: because filter.onComment can return object (not only the
comment content) it should use CKEDITOR.htmlParser.fragment().
element.js: filter.onElement() can return text node (i.e. content of the
fakeElement) so writer.text( element.value ) should be used.
filter.js: New private array: regExp : [].
text.js: new attribute in constructor (protect), default null. If true:
don't use value.replace( spacesRegex, ' ' ) and filter.onText( text )
fakeobjects/plugin.js:
In CKEDITOR.editor.prototype.createFakeElement():
Added new attribute (protectContent), default null. Used
in htmlFilterRules.
typeof realElement can be a string
Now we can protect element not only in wysiwyg mode:
var document = this.document || CKEDITOR.document;
CKEDITOR.editor.prototype.createFakeParserElement
Added new attribute (protectContent), default null. Added
for the compatibility with createFakeElement().
elements : $ : function( element ):
if _cke_protect then don't do anything - just return.
htmlDataProcessor/plugin.js:
Added protectSource(). It is called before anything to protect
HTML using filter._.regExp
}}}
Tests (work, of course):
{{{
<p>
<script>bhfty<strong>gybf
6t ;()jio)(*&^
%$#sample text
</script> <script language="JavaScript" a=b><!--bhfty<strong>gybf
6t ;()jio)(*&^
%$#sample text
//-->
</script><style><script language="JavaScript"><!--bhfty<strong>gybf
6t ;()jio)(*&^
%$#sample text
//-->
</script></style><?<style><script><!--bhfty<strong>gybf
6t ;()jio)(*&^
%$#sample text
//-->
</script></style>?><?
<style><script><!--bhfty<strong>gybf
6t ;()jio)(*&^</script>
%$#sample text
//-->
</style>
?></p>
}}}
Known issues:
-Due to method:
{{{
<script>
alert("<script><\script>")
</script>
}}}
is parsed wrong. Workaround:
{{{
<script language="JavaScript">
<!--
alert("<script></script>")
//-->
</script>
or
<script>
alert("<script><\/script>")
</script>
}}}
-"code.gif" could be more thoughtful :)
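As an added illustration (not the patch or CKEditor's own code), the regexp-based protectSource() pass described above, written as standalone JavaScript: raw `<script>`, `<style>` and `<?...?>` source is swapped for a marker comment whose payload is percent-encoded, so it can never contain `<`, `>` or `--` and cannot close the comment early, and a matching unprotect pass restores it after parsing. The names (MARKER, PROTECT_RULES, protectSource, unprotectSource, encodeProtected) and the sample strings are assumptions; the TRUNCATED sample shows the general failure mode behind the workaround in the known issues, where the regexp ends at the first literal closing tag it finds.

```javascript
// Added example, not the CKEditor patch: hide raw script/style/PI source from the
// HTML parser with a regexp pass, then restore it once parsing and filtering are done.
const MARKER = 'cke_protected';               // hypothetical marker name

const PROTECT_RULES = [                       // innermost kinds first, like the ticket's tests
  /<script[^>]*>[\s\S]*?<\/script>/gi,        // stops at the first literal "</script>"
  /<style[^>]*>[\s\S]*?<\/style>/gi,
  /<\?[\s\S]*?\?>/g,                          // <? ... ?> processing instructions
];

function encodeProtected(src) {
  // encodeURIComponent leaves "-" alone; encode it too so "--" never appears in the comment
  return encodeURIComponent(src).replace(/-/g, '%2D');
}

// Run before parsing: every match becomes <!--{cke_protected}ENCODED-->
function protectSource(html, rules = PROTECT_RULES) {
  let out = html;
  for (const re of rules) {
    out = out.replace(re, (match) => `<!--{${MARKER}}${encodeProtected(match)}-->`);
  }
  return out;
}

// Run after the parser/filters: decode markers back to the raw source. Loops because a
// nested block (a <script> inside a <style>) is encoded twice by protectSource().
function unprotectSource(html) {
  const re = new RegExp(`<!--\\{${MARKER}\\}([^>]*)-->`, 'g');
  let prev;
  do {
    prev = html;
    html = html.replace(re, (whole, enc) => {
      try { return decodeURIComponent(enc); } catch (e) { return whole; } // not ours: keep
    });
  } while (html !== prev);
  return html;
}

// Constructed sample with "-->" and "<" inside the script, so the encoding matters.
const SAMPLE = '<p>x<script>var a = "-->"; if (a < b) {}</script><style>p{}</style><?php echo 1; ?>y</p>';

// Constructed failure case: a literal closing tag inside a string ends the match early
// and the remainder is left for the parser to mangle (hence the "<\/script>" workaround).
const TRUNCATED = '<script>alert("</script>")</script>';

console.log(protectSource(SAMPLE));
console.log(unprotectSource(protectSource(SAMPLE)) === SAMPLE);
console.log(protectSource(TRUNCATED));
```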
--
Ticket URL: <http://dev.fckeditor.net/ticket/3407#comment:7>
FCKeditor <http://www.fckeditor.net/>
The text editor for Internet
FCKeditor-Trac mailing list
https://lists.sourceforge.net/lists/listinfo/fckeditor-trac