While debugging issues with ckeditor failing in Chrome and Safari, I noticed that in current dev version here are two 'exit' commands in the function which carries out filtering. In ckeditor_filter_xss() in ckeditor/includes/ckeditor.page.inc this results in Drupal silently disconnecting when certain cross site requests are made and occasionally leaving browser requests in pending state.

I think it would be worth doing two things - adding debugging code, and outputting a content length 0 header.

This could even include an HTTP 204 header.

header('Content-Length: 0',true);

Would it also be possible to consider adding some form of error logging such drupal watchdog() it would make debugging these issues more straightforward. Watchdog may be preferred in this case as php error_log might cause error message to appear in text of output depending on php ini settings.

In file includes/ckeditor.page.inc- just prior to exit commands add an appropriate watchdog logging command:

watchdog('ckeditor', 'CKeditor xss post paramters not set', array(), WATCHDOG_NOTICE);
watchdog('ckeditor', 'CKeditor xss unable to load format', array(), WATCHDOG_ERROR);

and at end of code where $text is returned:

if (strlen($text) == 0) {
watchdog('ckeditor', 'CKeditor xss returning zero length string', array(), WATCHDOG_NOTICE);
header('Content-Length: 0',true);

This might avoid situations where an xss request made by the browser is left in a pending state because the parameters passed are incorrect or are out of date such as a cached page reloading.

Will attach patch for HEAD.

Members fund testing for the Drupal project. Drupal Association Learn more


seanfarrell’s picture

Patch created for 7.x.1.x dev version including content-length zero header and watchdog commands to assist debugging.