id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc
13105	Rich attributes + DX WTF: CKEDITOR.tools.html(Encode|Decode)()	Wim Leers	Piotrek Koszuliński	"== Rich attributes ==

This problem was discovered by using ""rich attributes"" (IIRC that's how @Reinmar described it): CKEditor Widgets whose data is stored in `data-` attributes.

Drupal 8's `drupalimagecaption` plugin extends CKEditor 4's `image2` plugin, and instead of storing the caption in a `<figcaption>` 'tag', it stores it in a `data-caption` 'attribute'. This is where things go wrong.

Whenever the user writes plain HTML tags in the caption (i.e. in the widget's ""caption"" box enter something like `<a href=""http://drupal.org"">test</a>`), the data stored in the `data-caption` attribute is only HTML-encoded once, instead of twice, which upon upcasting then doesn't result in the entered HTML showing up, but in the 'rendered' HTML showing up.

See https://www.drupal.org/node/2460145.

I was convinced this was actually a bug on the Drupal side. So I started using `CKEDITOR.tools.html(En|De)code(Attr)()`, but… doing so uncovered a whole new problem…

== DX WTF: `CKEDITOR.tools.html(En|De)code(Attr)()` ==

Copy/pasted from the  Chrome developer console, to demonstrate a bug.

{{{
var e = CKEDITOR.tools.htmlEncode
undefined

var d = CKEDITOR.tools.htmlDecode
undefined

e('<tag>')
""&lt;tag&gt;""

e(e('<tag>'))
""&amp;lt;tag&amp;gt;""

d(e('<tag>'))
""<tag>""

d(e(e('<tag>')))
""<tag>""

d(e(e(e(e('<tag>')))))
""&amp;amp;lt;tag&amp;amp;gt;""

d(e(e(e('<tag>'))))
""&amp;lt;tag&amp;gt;""

d(e(e('<tag>')))
""<tag>""
}}}

If this is by design, the documentation should warn developers. And it should be explained '''why'''.
"	Bug	closed	Normal	CKEditor 4.5.0	General		fixed	Drupal	wim.leers@…