I tested the http:BL plugin by editing the statements in function httpbl_check() to simulate a greylist and blacklist IP. The generated messages did not show the replacements for %ipurl and %whitelisturl but resolved to /%25ipurl and /httpbl/%25writelisturl. Switching to source editing of the messages in http:BL 'Advanced' settings did not resolve the problem.

I fixed the problem by excluding admin/settings/httpbl.edit-httpbl-message-* in the CKeditor Global Profile. CKeditor had already replaced the % symbols with %25 - I edited the message to restore the 'bare' %.

Comments

Michael-IDA’s picture

Project: http:BL » CKEditor 4 - WYSIWYG HTML editor
Version: 6.x-2.0-rc2 » 6.x-1.x-dev
Component: Documentation » Code
Category: support » bug

This is a CKeditor problem????

Throw it back, with a reason why, if you don't feel so.

Best,
Sam

mkesicki’s picture

Status: Active » Postponed (maintainer needs more info)

@nhoeller,
please write steps to reproduce your issue. CKEditor should not change % to %25.
You can check this on http://ckeditor.com/demo.
Please check which filters you use in the input format on nodes where you have problems. Please check if %25 shows in CKEditor source code before node save or after saving it.

nhoeller’s picture

@Sam-Inet, my mistake - I intended to post this to the http:bl forum but clearly had a 'brain-check'.

@michal_cksource, good point about other filters - I am running HTMLPurifier which could very well be 'escaping' certain characters in the URL. Too many 'moving parts' (:-). I am in the midst of a bunch of Drupal module upgrades and will confirm after that.

Michael-IDA’s picture

Hi Norbert (@nhoeller),

No, I moved it from http:BL to CKEditor, as it didn't seem possible for http:BL to cause this kind of problem.

And based upon what michal (@michal_cksource) is saying it probably needs to be moved to HTMLPurifier (or at least somewhere other than CKEditor).

Best All,
Sam

mkesicki’s picture

Status: Postponed (maintainer needs more info) » Closed (works as designed)

nhoeller’s picture

The 'problem' appears to be HTML Purifier. My default input filter includes HTML Purifier. I also have a Full HTML filter that does not include HTML Purifier. I created a page, enabled Full HTML, switched to plain text editing and entered This is %outside of a link. This is <a href="%inside">inside a link</a>. After saving, re-editing and displaying the source, the only changes are the paragraph tags around the text.

However, if I enable the default input format that includes HTML Purifier and repeat the steps, the source displays as <p>This is %outside of a link. This is <a href="%25inside">inside a link</a></p>. Note that only the % within the link reference was modified. I suspect that HTML Purifier is 'working as designed' to prevent malicious content appearing in a link reference.
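
The behaviour reported in the last comment, as an added example that is not part of the thread and is not HTML Purifier's or http:BL's code: a simplified model of percent-normalisation applied only to href values, showing why the %ipurl and %whitelisturl placeholders stop being substituted, plus a check for stored messages that were already rewritten. The function names, the sample message and the substitution values are constructed for illustration.

```python
import re

# Placeholder names as they appear in the thread.
TOKENS = ("%ipurl", "%whitelisturl")

_HREF = re.compile(r'(href\s*=\s*")([^"]*)(")', re.IGNORECASE)
# A '%' that does not start a valid %XX escape (two hex digits).
_STRAY_PERCENT = re.compile(r"%(?![0-9A-Fa-f]{2})")


def normalize_href_percent(html):
    """Simplified model: inside href values only, encode stray '%' as '%25'.

    Edge case: a placeholder whose first two letters are hex digits
    (a hypothetical '%address') would look like a valid escape and is
    left alone by this model.
    """
    def fix(match):
        value = _STRAY_PERCENT.sub("%25", match.group(2))
        return match.group(1) + value + match.group(3)
    return _HREF.sub(fix, html)


def substitute(message, values):
    """Plain token replacement, as a message template would do."""
    for token, value in values.items():
        message = message.replace(token, value)
    return message


def mangled_tokens(message):
    """Return placeholders that are stored in percent-encoded form."""
    return [t for t in TOKENS if "%25" + t[1:] in message]


def restore_tokens(message):
    """Put the bare '%' back on known placeholders only."""
    for token in TOKENS:
        message = message.replace("%25" + token[1:], token)
    return message


# Constructed sample message, not the module's default text.
TEMPLATE = ('See <a href="%ipurl">details</a> or '
            '<a href="/httpbl/%whitelisturl">request whitelisting</a>. '
            'Token in text: %ipurl')
VALUES = {"%ipurl": "/ip-info", "%whitelisturl": "whitelist"}  # constructed

if __name__ == "__main__":
    stored = normalize_href_percent(TEMPLATE)
    print(stored)
    print(substitute(stored, VALUES))
    print(mangled_tokens(stored))
```

Running `mangled_tokens` over saved message text after changing input formats or editor profiles shows whether a filter has already rewritten the placeholders.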