I have couple of content types using CKEditor on body field. The problem is in one of them. While adding content type post everything works as it should and the CKEditor appears normally. Unfortunately after adding when I enter node edit form there's body field without the CKEditor though the filter, permissions and all configuration is set correctly. This is not happening in other content types and there are no js errors in the console which I expected at first.
Caches cleared multiple times. Drupal version is 7.22.

Did anyone had an issue like this?

Members fund testing for the Drupal project. Drupal Association Learn more


philipz’s picture

I've found out that there is something strange happening. There's a request being made to /ckeditor/xss that is returning "-1011" response code. This is happening at load and when I'm switching Full / Filtered HTML.

philipz’s picture

Title: CKEditor does not appear in edit mode for one content type » CKEditor does not appear due to ckeditor/xss empty response

EDIT: Changing title after some debugging.

This must be related to xss filtering somehow. I've done dpm to $text output in the ckeditor_filter_xss() function and it should work fine. The text shows up correctly in dpm() but not in XHR request send to ckeditor/xss witch is empty (saying only Code -1011).

I've also added config.allowedContent = true; to advanced settings but this did not help.

philipz’s picture

Now I've found a situation where one node has a body with summary both filled. The summary textarea does not have ckeditor applied and the body has ckeditor applied normally. There are two calls to ckeditor/xss - one returned with status 200 for the body and one empty for the summary.
The summary has no html in it - just plain text.

jcisio’s picture

Could you post the header and payload of the request with empty response? Can you reproduce in another website? Which filters are being used?

philipz’s picture

Yes, I tested it in Firefox and Safari. This is not something I've been able to reproduce anywhere else unfortunately.
The only used filter is changing new lines to <br> and <p> tags.

Here's the request data from Safari. There are no response header or response data.

Request Data

text	Podsumowanie pierwszych trzech miesięcy wyprawy HTC Author American Expedition 2013
input_format	full_html
token	kvDnFxhqfmf0jZktksmJIUHIAl1IRMpCTmliN7ceZo0

Request Headers

Accept	*/*
Referer	http://author.pl/node/4321/edit
Origin	http://author.pl
X-Requested-With	XMLHttpRequest
User-Agent	Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.59 (KHTML, like Gecko) Version/6.1 Safari/537.59
Content-Type	application/x-www-form-urlencoded

Funny thing in Firefox the response is "301 Moved Permanently" and I can see response header witch contains "Location" (but different than my site domain). The request's that are not failing do not have this location at all.

Cache-Control	no-cache, must-revalidate, post-check=0, pre-check=0
Content-Encoding	gzip
Content-Language	pl
Content-Length	103
Content-Type	text/html; charset=utf-8
Date	Tue, 27 Aug 2013 14:06:43 GMT
Etag	"1377612403"
Expires	Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified	Tue, 27 Aug 2013 14:06:43 +0000
Location	http://blogrowerowy.pl
Server	Apache/2.2.22 (Ubuntu)
Vary	Accept-Encoding
X-Powered-By	PHP/5.3.10-1ubuntu3.4
philipz’s picture

After some more debugging and testing in Firebug I'm sure the ckeditor_filter_xss is not the problem here. The function returns the XHR request or at least is trying to as it should. This might be not CKEditor module bug but some other problem related to Drupal core or server configuration.

One thing is sure for me here is that the requests that are working fine do not have "location" in response headers and the ones failing do have one and it's different than my Drupal webpage. The location domian in failing requests is my other website on the same server but running on Wordpress. This is very strange.

joessoft’s picture

Just came to see if I were alone on the following... not glad I am not alone.. yet, misery does
love company.. (evil grin)

page not found 10/13/2013 - 10:43 ckeditor/xss admin
page not found 10/13/2013 - 10:43 ckeditor/xss admin
page not found 10/13/2013 - 10:43 ckeditor/xss admin
page not found 10/13/2013 - 10:42 ckeditor/xss admin

same bug I guess as the WYSIWYG ed is present initially... but on revision.. forgetaboutit.. no ed and will not save the
changes. It also appears to be looking where CKED isn't living:

Type page not found
Date Sunday, October 13, 2013 - 10:43
User admin
Location http://mydomain.com/ckeditor/xss <------ wrong -----<<<-( actual sites/all/moduals/ckeditor )
Referrer http://mydomain.com/xxxxxx/x/edit
Message ckeditor/xss
Severity warning

If at first you don't succeed.. other than informing others, don't whine, HACK!


Joe - over 66 and still having fun on the web playing in the cyber sandbox.

jcisio’s picture

#7 The path is correct, ckeditor/xss is a path defined in ckeditor_menu(), not a static file.

philipz’s picture

What I ended up doing was disabling ajax call for xss filters in includes/ckeditor.utils.js on line 163. This is my temporary solution to the problem:

if (false && run_filter && ($("#" + textarea_id).val().length > 0) && typeof(ckeditor_obj.input_formats[ckeditor_obj.elements[textarea_id]]) != 'undefined' && ((ckeditor_obj.input_formats[ckeditor_obj.elements[textarea_id]]['ss'] == 1 && typeof(Drupal.settings.ckeditor.autostart) != 'undefined' && typeof(Drupal.settings.ckeditor.autostart[textarea_id]) != 'undefined') || ckeditor_obj.input_formats[ckeditor_obj.elements[textarea_id]]['ss'] == 2)) {

Shane Birley’s picture

Issue summary: View changes

I have a question about what sort of caching schemes are being used. I have been running across this issue but it is normally due to cache tables not being cleared and the XSS failing.

When I have experienced this problem, I have been installing Expire module (2.x branch) and it resolves the issue as I can force the cache to be cleared for the nodes being created or being updated.

Just my two cents...

bdimaggio’s picture

#9 worked for me, in a pinch.

shi99’s picture

#9 solved my issue, even if it's not ideal. Thanks

My issue is slightly different that when I switch from plain text to Full HTML the WYSIWYG would actually load one of the pages on my site into the WYSIWYG. Very odd since I'm not sure why it would call that page.

Anyway disabling the ajax call mentioned in #9 is a temp fix for me now.

Thanks for your help. If I find out any other info I will add it to this issue.

shi99’s picture

I think the latest version of CKEditor (7.x-1.16) fixes this issue. I have updated my CKEditor and do not need to use the fix mentioned in #9 anymore.

It would be good to confirm if it fixed it for anybody else.

fgjohnson’s picture

I resolved this using the following.
Initially the Default and Alternate jQuery settings were @ 1.10.
CKEditor didn't work in Full or Filtered.

Drupal 7.32
Bootstrap 7.x-3.0
CKEditor Module 7.x-1.16 - No special settings
jQuery update Module = 7.x-2.4
- Set Default jQuery version = 1.8
- Alternate jQuery version = 1.8
- jQuery and jQuery UI CDN = jQuery, Google or MS

Dropping to 1.8 was the trick.
shrug... I don't know where to find the version I've got installed. :-)

Granitize me!

hanspln’s picture

#14 worked for me, "Dropping to 1.8 was the trick"

Paulraj Augustin’s picture

#14 Is not working for me.
Checking my console I got the error as

POST http://www.example.com/ckeditor/xss 500 (Internal Server Error) jquery-1.8.2.min.js:2

#9 solved my issue, but it is a temp fix.

I found that the problem unique to a content (node), for all other content the editor looks fine.

stewest’s picture

I also have this issue still with CkEditor 7.1.16 and jQuery Update set to 1.8. (I've tried all versions from 1.5 up). Drupal 7.32

#9 does solve my issue to a degree - CkEditor shows in Full HTML as assigned. It seems however that no matter whether I disable ACF or not, ACF also still removes all my html tags, but this is another issue.

Will #9 be rolled into next release?

andykisaragi’s picture

I have the same problem as #16 - 500 error.

In my case though it's due to a memory leak which I haven't tracked down yet - Apache error log is full of memory limit errors.

Can confirm that #9 gets around it for now.

#17, no it shouldn't be rolled into the release! it's not a fix, just a hacky workaround (one which I'm thankful for!)

markbannister’s picture

I had issues with filtered not showing the editor.
Just installing jquery_update 7.x-2.4 fixed this for me.
I can set jquery to 1.8, 1.9 or 1.10 all they all work

Fiselier’s picture

In my setup I experience trouble: some pages show the ckeditor, some don't. When changing the theme during the editing of a non-functioning page, the ckeditor reappears, the next time it's gone again. (no matter what theme I use). Within PhPAdmin I cannot find any differences between the pages.
Any help?

andykisaragi’s picture

Fiselier, any js errors in your console on the non-ckeditor pages?

75th Trombone’s picture

I was getting 500 errors from one field in a field collection on one node. I figured out that the error would only show up when this consecutive string of text from that node was in the field:

selective coating that absorbs solar energy well but inhibits radiative heat loss. The air is withdrawn ("evacuated") from

Do you see the problem?

SELECTive coating that absorbs solar energy well but inhibits radiative heat loss. The air is withdrawn ("evacuated") FROM

Clearly, something is seeing that embedded in my paragraphs of information on solar energy, identifying it as a SQL injection attempt, and doing something stupid. That string produces the problem in any CKEditor field on my site.

Once I figure out the exact problem, I'll probably be raising this with the actual CKEditor people.

75th Trombone’s picture

Ends up this was mod_security messing things up. It was set to exclude other Drupal paths but not ckeditor/xss. Not sure if is my case is applicable to anything above; sorry.

ajitsandip’s picture

here are no editor libraries installed currently. The following list contains a list of currently supported editors:
CKEditor (Download) Not installed.
The version of CKEditor could not be detected.

Extract the archive and copy its contents into a new folder in the following location:

So the actual library can be found at:

Do NOT download the "CKEditor for Drupal" edition.this error occure

jomarocas’s picture

#9 working for me, is a bug

Prizem’s picture

Also just ran into this issue. My console is reporting POST https://mywebsite.com/ckeditor/xss 500 Internal Server Error. Any resolution yet? #9's temp fix (adding false to the beginning of that if statement) works for me, but a more permanent resolution would be preferable.

andykisaragi’s picture

Prizem, I found that my 500 error was caused by a memory leak which was totally unrelated to CKEditor (in my case, I had temporarily set all user's emails on a dev site to test@test.com or similar, so whenever Drupal tried to load a user by email address it was loading all users, which was a few hundred thousand on the site I was working on) - it might well be that this is not a CKEditor bug but just an indication of a bug somewhere else on your site.

sosguthorpe’s picture

Recently had this issue. The problem only occurred for me when a page had multiple CKEditor instances on it (i.e. more than one text area). Those of you getting blank responses from the XSS post that had upgraded jQuery, this patch might help you to solve your issue without having to downgrade jQuery.

jenlampton’s picture

The solution in #2335105: Blank fields after updating jQuery didn't work for me since I am using a newer version of the ckeditor module (1.x-dev) but the hack in #9 did. Since I can't see a more elegant way of getting around this currently I've rolled this into a patch incase others need the same fix.

Again, this is not for review/inclusion but just for the convenience of others suffering from the same Server 500 error.

svn7svn’s picture

I'm currently experiencing the same issue on my blog content type.

I have Drupal 7.38 installed with all projects up to date as of this post.

Used to work fine.

Console shows a 522 error on the following .js file


tholin’s picture

#14 worked for me. Thank you philipz for great initial explanation!

tchopshop’s picture

I'm having this problem too. Very annoying. Patch from #29 worked for me.

ingestebanbarrios’s picture

#9 solved my problem, Thank you

Eluchel’s picture

#29 patch fixed my problem, does anyone know the root problem though? so we can get a real patch made and committed?

BBC’s picture

#29 worked for me as well. In my case, the issue was really intermittent. Some pages worked fine consistently, others did not and still others allowed one edit, then the fields with CKEditor enabled came up blank on subsequent edits.

Thanks for the fix!

sergey-shulipa’s picture

#29 works for me too. In my case, ckeditor didn't appear only for announces. After applying the patch it work's correctly. Thanks a lot! I'm happy!

acrosman’s picture

I think what's happening here is that the request is actually doing it's job, but triggering an error that's not handled correctly because the POST request is make with async = False. Switching the async flag to true (false is depreciated anyway) on the request resolved the error on my project, and revealed another underlying bug (which I believe is related to custom code in my case). Patch to switch the request mode to a supported mode attached.

BBC’s picture

Ran into this one again after the latest module update. I tried the patch in #38, but didn't have any luck. Went back to #29 and all is well again.

davidneedham’s picture

I tried applying the patch in #38, but it didn't resolve the issue for me either. I went back to the patch at #29 and that did bandaid the problem for now.

infinet’s picture

I had a similar issue and the cause ended up being an incorrect .htaccess file in the site root.
I re-uploaded the default D7 .htaccess and problem solved.

andreak’s picture

Thank you so much for patch #29! I had installed the ckeditor module and pointed it at the CDN (//cdn.ckeditor.com/4.5.4/full-all). All was working well in test and development. When I moved the site to production my ckeditor randomly displayed bank fields when editing a page. It would display a blank field for certain multi-field content types and regular blocks. This was intermittent and annoying. A refresh or clicking the back button and trying to edit that content again would sort of fix it. Luckily I had workbench installed which saved us from publishing blank content. The only difference between test and production - test was using system database version 5.5.9 and prod 5.6.23 (on ubuntu). After setting up an identical test environment and poking around on the back end it seemed that the language field was undefined and trying to set it to "en" (english, use the code for your language) helped somewhat but had odd results. I'm posting this here in case there is anyone else out there with this issue, searching for a remedy. Patch 29 fixed it! Although adding the patch did disable the workbench module - now re-enabled and everything works.

JasonLee87’s picture

#9 solved my problem, Thank you a lot.

SocialNicheGuru’s picture

Status: Active » Needs review

Status: Needs review » Needs work

The last submitted patch, 38: ckeditor_async_requests_2069871-38.patch, failed testing.

The last submitted patch, 29: ckeditor_prevent-unwanted-caching_2069871-29.patch, failed testing.

pcorbett’s picture

I think @acrosman is correct in that it's more an issue with the underlying error, but regardless it would be nice to know the issue directly vs. a mysterious 500 error. In my case it was due to a New Relic request limitation. Once that was fixed, this particular issue was resolved. Have not tried the async suggestion.

jenlampton’s picture

Still using the patch in #29 on latest version, #38 didn't work for me.

synergy99’s picture

We found in our case this was being caused by a stale js cache (we use the minify module). Refreshing the stale files (admin/config/development/performance/minifyjs) restored the missing editor.

yookoala’s picture

Just check on my site (which has the same issue). Since CKEditor on my site occasionally works. I compared the difference between those that works and those doesn't.

Study of My Case

1. The pages both a POST request to the XSS path with identical data and almost identical header. Except the successful request includes "Cookie" in header and the failed header doesn't.

2. To make sure, I copied the failure POST request as CURL command, added the "Cookie" header and tried again. It works.

I'm using CKEditor module 7.x-1.17 with Drupal 7.53.


The current version (7.x-1.17) of ckeditor_filter_xss() (page callback for the ckeditor/xss path) include these lines:

function ckeditor_filter_xss() {
  header('Content-Type: text/plain; charset=utf-8');
  $GLOBALS['devel_shutdown'] = FALSE;

  if (!isset($_POST['text']) || !is_string($_POST['text']) || !isset($_POST['input_format']) || !is_string($_POST['input_format']) || !isset($_POST['token']) || !drupal_valid_token($_POST['token'], 'ckeditorAjaxCall', FALSE)) {

When the request provides no cookie (hence no PHP session), the function drupal_valid_token() (with $skip_anonymous = FALSE) evaluates FALSE. Hence the callback is exit returning empty page.

The function drupal_valid_token() depends on drupal_get_token() to return the current 'ckeditorAjaxCall' token. The function looks like this:

function drupal_get_token($value = '') {
  return drupal_hmac_base64($value, session_id() . drupal_get_private_key() . drupal_get_hash_salt());

Notice the session_id() function call. This means the token is hashed against the PHP session_id, which depends on cookies. With a different cookie, the results of drupal_get_token() will be different. Hence a token here is session specific and can only be validated against a given session.


The notion that ckeditor_filter_xss() depends on a token might expect it to be session in-specific. It is not. The solution would be either:

  1. Make sure that the POST call to ckeditor/xss bears the correct cookie; or
  2. Check token in a way independent of PHP session.
mickotia’s picture

Had an issue with the string/word "selection" in the the CKEditor text area, used #9 to fix it. Not ideal but it will help me meet my deadline. I would have been completely lost w/o this thread.

rcodina’s picture

A combination of #9 and #14 worked for me. Thanks!

SKAUGHT’s picture

just reducing jQuery update to 1.8 worked for me,