When using memcache stats, for some reason they are added to each CK editor field in node edit, and when saved, nodes are full of stats.
Comment | File | Size | Author |
---|---|---|---|
#5 | memcache-ck_editor_memcache_stats_bug-2556999-4-7.patch | 610 bytes | jgrubb |
Comments
Comment #2
jgrubb commented
Would it be possible to get some screenshots of this bug in action? I'm not able to reproduce, but something about iframes and CKEditor makes this seem like an issue that could happen.
Also, what version of CKEditor are you using?
Comment #3
Marko B commented
7.x-1.16 CK editor
I removed it so I don't have screenshots. But what happens is this. Imagine you copy MemCache stats info to a textfield and save, that is it.
Comment #4
jgrubb commented
Ok, I'm getting it too. Here's what's happening - CKEditor makes an ajax call to an endpoint - /ckeditor/xss - for each field that it handles in the node edit form. That endpoint accepts what is in the form field as well as an XSS token and returns a response which is basically the same HTML. If Memcache stats is turned on and accessible by the current user, it also appends the statistics to the response which is what makes it show up in the CKEditor screen.
I think this is actually a bug between these two modules, not necessarily just one or the other. Did you file an issue on the CKEditor issue about this as well? I think the fix might be in there instead of in this module. I'm going to keep digging on this, because what I'm supposed to be working on right now is no fun...
Comment #5
jgrubb commented
For some reason CKEditor doesn't have a content-type header at the moment that the XSS callback passes through memcache_admin_shutdown(), so it misses the check that would otherwise prevent this bug.
Not 100% sure why that is, nor that this is the exactly right way to fix it. It works though, so I'd appreciate some feedback from someone.
Comment #6
jgrubb commented
Comment #7
jgrubb commented
Hi, my boss just caught this bug out in production on one of our sites. Any chance of getting this reviewed and/or rolled in?
Comment #9
Jeremy at Tag1 Consulting commented
I'm unable to duplicate, but it doesn't seem to cause any regressions either. Moved into an else, committed.
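
The failure mode described in comments #4 and #5, as an added illustration that is not part of the thread and is not code from the memcache or CKEditor modules: a shutdown-time check that consults its non-HTML list only when a Content-Type header exists lets a header-less callback response through, while a fail-closed variant does not. The function names, marker list and header sets are hypothetical and constructed for this example.

```php
<?php
// Added illustration; not the memcache module's code. All names are hypothetical.
// Substrings that mark a response as non-HTML (constructed list).
const NON_HTML_MARKERS = ['xml', 'javascript', 'json', 'image', 'csv'];

// Return the lower-cased Content-Type value from raw header lines, or NULL.
function find_content_type(array $header_lines): ?string {
  foreach ($header_lines as $line) {
    if (stripos($line, 'content-type:') === 0) {
      return strtolower(trim(substr($line, strlen('content-type:'))));
    }
  }
  return NULL;
}

function is_non_html(string $type): bool {
  foreach (NON_HTML_MARKERS as $marker) {
    if (strpos($type, $marker) !== FALSE) {
      return TRUE;
    }
  }
  return FALSE;
}

// Fail-open: the list is only consulted when a header exists, so a response
// with no Content-Type at shutdown still gets debug output appended.
function should_append_stats_fail_open(array $header_lines): bool {
  $type = find_content_type($header_lines);
  return !($type !== NULL && is_non_html($type));
}

// Fail-closed: a missing header is treated as "not a full HTML page".
function should_append_stats_fail_closed(array $header_lines): bool {
  $type = find_content_type($header_lines);
  return $type !== NULL && !is_non_html($type);
}

// Constructed header sets for three kinds of response.
$cases = [
  'HTML page' => ['Content-Type: text/html; charset=utf-8'],
  'JSON callback' => ['Content-Type: application/json'],
  'callback with no Content-Type' => ['Cache-Control: no-cache'],
];
foreach ($cases as $label => $headers) {
  printf("%-30s fail-open=%s fail-closed=%s\n", $label,
    var_export(should_append_stats_fail_open($headers), TRUE),
    var_export(should_append_stats_fail_closed($headers), TRUE));
}
```

The two functions agree on the HTML and JSON cases and differ only on the response with no Content-Type header, which is the case that let the statistics markup reach the editor field and be saved with the node.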