Problem/Motivation

If a site has a custom, non-HTML5 tag (<foo>) which is listed in the "Source editing" plugin settings, and the site is also using the filter "Limit allowed HTML tags and correct faulty HTML", the custom tag should be allowed and not filtered out. Tags in "Source editing" and "Allowed HTML tags" should be exempt being filtered out, should override the filter for faulty HTML. Without this, the only way to allow such a custom tag is to disable the filter, which disables the security protections the filter was created for.

This issue is spun off as a child issue from this issue: "[upstream] Consider allowing styles for non-HTML5 tags (3280124)".
In the discussion of that parent issue two separate concerns were surfaced.
"Allowing styles for non-HTML5 tags"
and
"CKEditor5 retaining non-HTML5 tags that are entered in the Allowed Tags.
This child issue is to track this separate issue of CKEditor5 retaining non-HTML5 tags.

Steps to reproduce

1. Create a text format using CKEditor 5
2. Check the filter "Limit allowed HTML tags and correct faulty HTML"
3. In "Source editing" enter <foo>
4. Note that <foo> is in the "Allowed HTML tags" list, and save
6. Create/edit content using this text filter
7. Click "Source" and add <foo>Some text</foo>
8. Click "Source"
9. Click "Source" again and note that "<foo>" and "</foo>" are not there, have been filtered out
10. In the text format, uncheck "Limit allowed HTML tags and correct faulty HTML" and try again, the foo tags are not filtered out

alternatively, just import this config:

filter_format
uuid: 60354272-bfdd-4874-823c-cf091c4c7afd
langcode: en
status: true
dependencies:
  module:
    - editor
name: 'Custom tag'
format: custom_tag
weight: 0
filters: []
editor
uuid: a637a488-7099-4104-9403-5ddf63c92fc2
langcode: en
status: true
dependencies:
  config:
    - filter.format.custom_tag
  module:
    - ckeditor5
format: custom_tag
editor: ckeditor5
settings:
  toolbar:
    items:
      - sourceEditing
  plugins:
    ckeditor5_sourceEditing:
      allowed_tags:
        - '<foo>'
image_upload:
  status: false

Note that in this text format's CKEditor 5 instance, you can create a <foo> tag. Now just enable filter_html on the text format and observe how suddenly you no longer can!

Proposed resolution

Rewrite the module code to compare the HTML restrictions result with the content of "Allowed HTML tags", and add any valid tags from "Allowed HTML tags" that are missing (the custom tags added by the developer) to the array to be used for filtering.

Wait for https://github.com/ckeditor/ckeditor5/issues/13343 to be fixed & shipped in a release.

Remaining tasks

Once this child issue is resolved, please consider allowing non-HTML5 Styles (in the Styles drop-down).

User interface changes

API changes

Data model changes

Release notes snippet

Comments

will_frank created an issue. See original summary.

will_frank’s picture

will_frank commented

Original discussion of the issue of CKEditor5 *not* retaining non-HTML5 tags began
in this parent issue:
https://www.drupal.org/project/drupal/issues/3280124
and we have created this separate child issue to track this.

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented
Title: CKEditor5 Custom, non-HTML5 tags are still *not* retained now » CKEditor 5 Custom, non-HTML5 tags are still *not* retained now
Issue tags: +Needs tests, +JavaScript
Related issues: +#3268306: [GHS] Custom/unofficial HTML tags not retained: <drupal-media>, <drupal-entity>, <foobar>

🤯

Reproduced.

Despite #3268306: [GHS] Custom/unofficial HTML tags not retained: <drupal-media>, <drupal-entity>, <foobar> having fixed this. Requires deeper investigation. I'm baffled.

It seems that #3268306: [GHS] Custom/unofficial HTML tags not retained: <drupal-media>, <drupal-entity>, <foobar> only fixed it when filter_html is disabled?! 😱

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented
Title: CKEditor 5 Custom, non-HTML5 tags are still *not* retained now » CKEditor 5 does not retain custom tags when filter_html is enabled
wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented
Category: Feature request » Bug report
Priority: Normal » Critical
Issue tags: +data loss
wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented
Title: CKEditor 5 does not retain custom tags when filter_html is enabled » [upstream] CKEditor 5 does not retain custom HTML tags that are not defined by CKEditor 5 plugins whenever /.*/ is not allowed (e.g. when filter_html is enabled)
Assigned: Unassigned » wim leers
Issue summary: View changes
Issue tags: +Regression

Confirmed. This is a bug in GHS.

It boils down to a small difference in the GHS configuration that should not make a difference:

drupalSettings.editor.formats.custom_tag.editorSettings.config without filter_html
{
    "htmlSupport": {
        "allow": [
            {
                "name": {
                    "regexp": {
                        "pattern": "/.*/"
                    }
                },
                "attributes": true,
                "classes": true,
                "styles": true
            },
            {
                "name": "foo"
            }
        ]
    }
}
drupalSettings.editor.formats.custom_tag.editorSettings.config WITH filter_html
{
    "htmlSupport": {
        "allow": [
            {
                "name": {
                    "regexp": {
                        "pattern": "/^(br|p|foo)$/"
                    }
                },
                "attributes": [
                    {
                        "key": "dir",
                        "value": {
                            "regexp": {
                                "pattern": "/^(ltr|rtl)$/"
                            }
                        }
                    }
                ]
            },
            {
                "name": {
                    "regexp": {
                        "pattern": "/^(br|p|foo)$/"
                    }
                },
                "attributes": "lang"
            },
            {
                "name": "foo"
            }
        ]
    }
}

That should still work. But the additions that \Drupal\ckeditor5\Plugin\CKEditor5Plugin\GlobalAttribute makes to the htmlSupport (aka GHS) configuration somehow break it.

(Note that var pluginConfig = processConfig(config); in core/modules/ckeditor5/js/ckeditor5.js converts the regexp.pattern pieces in that JSON to actual RegExp objects — PHP's json_encode() just cannot generate that.)

I modified it to the more minimal:

pluginConfig.htmlSupport.allow = [
    {name: 'foo'},
    {name: /^(br|p|foo)$/, attributes: [{key: 'dir', value: /^(ltr|rtl)$/}]}
];

and it still happens. Per https://ckeditor.com/docs/ckeditor5/latest/features/general-html-support..., this definitely should work. But not even this works:

pluginConfig.htmlSupport.allow = [
    {name: 'foo'},
];

It looks like that it has to contain /.*/ for any custom HTML tag to work:

htmlSupport.allow =  [
    {name: 'foo'},
    {name: /.*/}
];

#3268306: [GHS] Custom/unofficial HTML tags not retained: <drupal-media>, <drupal-entity>, <foobar>'s test coverage was not strict enough. It only tested if custom HTML tags are supported when there are no HTML restrictions. Note that custom HTML tags that are defined by a plugin, such as <drupal-media>, do work, otherwise we'd have known about it months ago.

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented
Assigned: wim leers » Unassigned
Issue summary: View changes
Status: Active » Postponed

Reported upstream: https://github.com/ckeditor/ckeditor5/issues/13343

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented
Issue tags: +Needs upstream bugfix
fl-49’s picture

fl-49 commented
Issue tags: -JavaScript +JavaScript

I offer one solution:

We were able to solve this by creating a custom CKE5 plugin in a Drupal custom module. The plugin registers the new model element, creates the conversions for the custom html tag for the view, creates the command to apply it, and assigns it to a button in the editor toolbar. It took a learning curve through CKE5 documentation (https://ckeditor.com/docs/ckeditor5/latest/api/index.html), but the positive of that is our new clarity on CKE5 conception and architecture.

Creating this plugin registered the custom element and the custom html tag. It is now in the "Allowed HTML tags list" and is no longer filtered out.

Thank you Wim Leers, Lauriii, and all for the cool work on the integration!

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented

👍👍 Yep, that's indeed the recommended work-around!

fl-49’s picture

fl-49 commented

Just to clarify, we used the tools and plugin template in this Drupal module to get started:
https://www.drupal.org/project/ckeditor5_dev

jonathan_hunt’s picture

jonathan_hunt commented

@fl-49 Are you able to share more details of your solution? I have ckeditor5_dev set up as a starting point to generate a new module and plugin but it would be great to see how you approached it.

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented
Title: [upstream] CKEditor 5 does not retain custom HTML tags that are not defined by CKEditor 5 plugins whenever /.*/ is not allowed (e.g. when filter_html is enabled) » [upstream] [GHS] CKEditor 5 does not retain custom HTML tags that are not defined by CKEditor 5 plugins whenever /.*/ is not allowed (e.g. when filter_html is enabled)
Version: 9.5.x-dev » 11.x-dev

Please vote with a 👍 there if you want to see it solved sooner.

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.