The specification for hook_filter() provides for filters to define a 'prepare' procedure as well as 'process'. That way they can get the text ready and can escape some things important to them so that other filters which come first do not destroy them.

In the function check_markup(), we see that hook_filter() is invoked with $op='prepare' before being invoked again with $op='process':

    // Give filters the chance to escape HTML-like data such as code or formulas.
    foreach ($filters as $filter) {
      $text = module_invoke($filter->module, 'filter', 'prepare', $filter->delta, $format, $text, $cache_id);

    // Perform filtering.
    foreach ($filters as $filter) {
      $text = module_invoke($filter->module, 'filter', 'process', $filter->delta, $format, $text, $cache_id);

taken from filter.module, function check_markup()

So when CKEditor applies the security filters it should do the same. At the moment it does just this:

      $text = module_invoke($module, 'filter', 'process', $delta, $format, $text);

taken from, function ckeditor_filter_xss()

This prevents some filters from working as they were designed to do.

Shall I roll a patch?

#1 ckeditor-1278062.patch1.65 KBmartin_q
Members fund testing for the Drupal project. Drupal Association Learn more


martin_q’s picture

Status: Active » Needs review
1.65 KB

I went ahead and rolled a patch.

Fabianx’s picture

Patch looks fine.

I had another problem here before, which I moved to a seperate issue.

Best Wishes,


mkesicki’s picture

@Fabianx thx for notice this and patch review.
@martin_q thx for patch.
We will check this patch.
After check patch looks fine. One more time thx.

martin_q’s picture

Who can we get to review and provide a third opinion?

duozersk’s picture

This patch looks fine to me. Not that I had some issues with security filters working wrong way, but doing it the way the core does it should be the right way to go.

martin_q’s picture

@duozersk Thanks!

@michal_cksource There's your third. What happens now?

mkesicki’s picture

Status: Needs review » Reviewed & tested by the community

We will add this patch to future versions.

dczepierga’s picture

Title: CKEditor fails to allow security filters to run their 'prepare' code before 'process' » [D6] Allow security filters to run their 'prepare' code before 'process'
Status: Reviewed & tested by the community » Fixed

Ok i review this patch and rewrite this, because we doesn't need to rewrite hole loop there and add new one.
All changes i commit to GIT, pls check last DEV does it works as u expect.


dczepierga’s picture

Status: Fixed » Needs work

Sry, I make a little mistake, i need add some more changes...

dczepierga’s picture

Status: Needs work » Fixed

Ok i add new changes.

Pls check now last DEV version.


mkesicki’s picture

Status: Fixed » Closed (fixed)
mkesicki’s picture

Issue summary: View changes

Added spacing and indicated source files for the two code snippets.