Problem/Motivation
(This was first reported at #2585173-23: [regression] "Allowed HTML tags" setting corrupted upon accessing Text Format configuration UI.)
Before #2549077: Allow the "Limit allowed HTML tags" filter to also restrict HTML attributes, and only allow a small whitelist of attributes by default, there was no need to whitelist attributes.
This meant that DrupalImageCaption::isEnabled() was able to have this logic:

    // Automatically enable this plugin if the text format associated with this
    // text editor uses the filter_align or filter_caption filter and the
    // DrupalImage button is enabled.
    $format = $editor->getFilterFormat();
    if ($format->filters('filter_align')->status || $format->filters('filter_caption')->status) {
      $enabled = FALSE;
      $settings = $editor->getSettings();
      foreach ($settings['toolbar']['rows'] as $row) {
        foreach ($row as $group) {
          foreach ($group['items'] as $button) {
            if ($button === 'DrupalImage') {
              $enabled = TRUE;
            }
          }
        }
      }
      return $enabled;
    }

This used to be fine, but now it's problematic, because we now need to whitelist <img data-align> if the filter_align filter is enabled, and similarly <img data-caption> for filter_caption.
The problem is that we currently only update the hidden CKEditor instance when CKEditor buttons are added or removed, or when one of the CKEditor plugin settings is modified. In those cases we can update it by simply updating its configuration; we don't need to talk to the server.
For this to work, though, we will need to talk to the server, pass it the current set of enabled filters, and then update the hidden CKEditor instance, because the set of enabled filters may affect the set of enabled CKEditor plugins.
Proposed resolution
Upon enabling or disabling a filter, either:
- talk to the server, pass it the current set of enabled filters, and then update the hidden CKEditor instance, because the set of enabled filters may affect the set of enabled CKEditor plugins
- show a message that this should first be saved
- … or something else
Remaining tasks
User interface changes
None.
API changes
None.
Data model changes
None.
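The mismatch described under Problem/Motivation can be detected from the current form state. The following is an added example, not code from Drupal core or from this issue: it recomputes which <img> attributes the enabled filters require and reports those missing from an "Allowed HTML tags" value. Function names and sample values are hypothetical, and the handling of a `data-*` style wildcard is an assumption about the setting's syntax.

```javascript
// Added illustration: function names and sample values are hypothetical.
// <img> attributes each filter needs, as stated in the issue summary.
const FILTER_REQUIREMENTS = {
  filter_align: { tag: 'img', attr: 'data-align' },
  filter_caption: { tag: 'img', attr: 'data-caption' },
};

// Mirrors the quoted isEnabled() logic: the plugin is on when either filter
// is enabled and the DrupalImage button is present in the toolbar.
function imageCaptionPluginEnabled(enabledFilters, toolbarRows) {
  const usesFilter = Object.keys(FILTER_REQUIREMENTS).some((f) => enabledFilters.has(f));
  return usesFilter && toolbarRows.some((row) =>
    row.some((group) => group.items.includes('DrupalImage')));
}

// Parse an "Allowed HTML tags" string such as "<a href> <img src alt>"
// into a Map of tag name -> Set of attribute names.
function parseAllowedHtml(allowedHtml) {
  const allowed = new Map();
  for (const m of allowedHtml.matchAll(/<\s*([a-z][a-z0-9-]*)([^>]*)>/gi)) {
    const tag = m[1].toLowerCase();
    const attrs = allowed.get(tag) || new Set();
    // Keep attribute names only; quoted value lists like type='1 A I' are skipped.
    for (const a of m[2].matchAll(/([a-z][\w*-]*)(?:\s*=\s*(?:'[^']*'|"[^"]*"))?/gi)) {
      attrs.add(a[1].toLowerCase());
    }
    allowed.set(tag, attrs);
  }
  return allowed;
}

// Return the entries the enabled filters need but allowedHtml does not permit.
function missingAllowedAttributes(enabledFilters, toolbarRows, allowedHtml) {
  if (!imageCaptionPluginEnabled(enabledFilters, toolbarRows)) return [];
  const allowed = parseAllowedHtml(allowedHtml);
  return Object.entries(FILTER_REQUIREMENTS)
    .filter(([filter]) => enabledFilters.has(filter))
    .filter(([, { tag, attr }]) => ![...(allowed.get(tag) || [])].some((a) =>
      a === attr || (a.endsWith('*') && attr.startsWith(a.slice(0, -1))))) // assumed wildcard form
    .map(([, { tag, attr }]) => `<${tag} ${attr}>`);
}

// Constructed sample: DrupalImage is in the toolbar and filter_caption was
// just enabled, but the allowed list still reflects the earlier state.
const sampleToolbar = [[{ name: 'Media', items: ['DrupalImage'] }]];
const staleAllowedHtml = '<a href hreflang> <img src alt data-align>';
console.log(missingAllowedAttributes(
  new Set(['filter_align', 'filter_caption']), sampleToolbar, staleAllowedHtml));
```
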
Comments
Comment #15
quietone (credit attribution: quietone at PreviousNext) commented:
Updating title to remove 'whitelist'.
Comment #16
Wim Leers commented:
Thanks, @quietone 👍
The good news is that this is not a problem that was repeated in ckeditor5.module 😊 So we'll be able to close this once CKEditor 4 is removed from Drupal 10 👍
Comment #17
quietone (credit attribution: quietone at PreviousNext) commented:
CKEditor has been removed from core. CKEditor 4 is removed from Drupal Core in 10.0.0.