Attached is a patch that hopefully makes it more clear what the security setting is and why it should be set.

Attachment: security_text.patch (2.93 KB), Steve Dondley


armyofda12mnkeys

Just copied and pasted into module since it was one line...

The code needs a matching closing parenthesis below, otherwise the code errors, I believe:
.... before outputting it to the screen.")

Looks good, maybe rephrase some of this, not sure.
...Drupal will not, however, filter data for administrator's editing a textarea ....
Administrator usually reminds me of only the super-user, maybe content-creators/editor's/fck-users?

Maybe let user know other reason FCK will ignore settings...
...Note that if a textarea's input format is set to \"Full HTML,\" FCKeditor will properly ignore the setting below...
Note that if a textarea's input format is set to \"Full HTML\" (or if the input format of the node doesnt include the filter), FCKeditor will properly ignore the setting below.

wwalc

Status: Needs review » Fixed

Thanks for the patch, I have corrected it a bit following armyofda12mnkeys's suggestions and committed it to CVS.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.

Gary Feldman

Status: Closed (fixed) » Active

I'm reopening this because there are two typos in it. The term content editor's appears twice, and in both cases, the apostrophe should be removed (i.e., it should be content editors).

But I found this thread while checking to make sure the typos hadn't already been reported, and I see that the wording issue had been discussed earlier. I'm still not happy with it. It should just be users instead of content editors, because Drupal doesn't have any such built-in role, and because the role isn't relevant; it applies to anybody editing text with FCKeditor. My first reading made me think that I needed different settings for content editors and ordinary users.

The real issue is that core Drupal can filter text typed by the user before it gets inserted into the database, while these settings refer to filtering text that's already in the database but before displaying it in FCKeditor. It's necessary because there are situations when it's safe to have HTML included in content if it's only going to be displayed in a plain text area, but unsafe when it's displayed by a WYSIWYG editor. I think the first two paragraphs could be replaced by something simpler that just makes the point that these filter on the way out, not the way in.


Jorrit

Status: Active » Fixed

I have changed it in 2.x-dev to

The FCKeditor security system protects you from executing malicious code that is already in your database. In plain text areas database content is harmless because it is not executed, but the FCKeditor WYSIWYG editor evaluates HTML like a web browser and content needs to be filtered before it is loaded.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.