Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
I tested the http:BL plugin by editing the statements in function httpbl_check() to simulate a greylist and blacklist IP. The generated messages did not showed the replacements for %ipurl and %whitelisturl but resolved to /%25ipurl and /httpbl/%25writelisturl. Switching to source editing of the messages in http:BL 'Advanced' settings did not resolve the problem.
I fixed the problem by excluding admin/settings/httpbl.edit-httpbl-message-* in the CKeditor Global Profile. The % symbols had already been replaced with %25 - I edited the message to restore the 'bare' %.
Comments
Comment #1
nhoeller CreditAttribution: nhoeller commentedSee http://drupal.org/node/1877574#comment-6990138 for further problem determination. It appears that HTML Purifier (included in the default input filter) is replacing any % inside a link reference with %25. I can get around this issue by switching to an input filter that does not include HTML Purifier. Excluding the httpbl configuration field from being processed by CKEDitor seems to be the best option.
Comment #2
bryrock CreditAttribution: bryrock commentedAre you requesting documentation or volunteering documentation? Not clear on the objective of this issue.
Comment #3
nhoeller CreditAttribution: nhoeller commented@bryrock, I ran into a problem, identified a bypass and posted it here for others who might run into the same issue. Given that this is a problem involving the interaction of three modules, I am not sure what the 'Drupal way' would be. I have seen cases where it seemed that the module install process added a CKEditor exclusion for configuration fields.
Comment #4
bryrock CreditAttribution: bryrock as a volunteer commented