Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#10815 closed Bug (invalid)

bug with extraAllowedContent and fakedObjects placeholders

Reported by: jusca Owned by:
Priority: Normal Milestone:
Component: General Version: 4.2.1
Keywords: Cc:


I was in hope my problem in 4.1.3 would have been gone with 4.2.1, but I have to admit it is still present.

What I do:

include ckeditor with

<script language="javascript" type="text/javascript" src="/path/2/ckeditor.js"></script>

set my own config:

<script type="text/javascript">

CKEDITOR.config.skin = 'moono';

CKEDITOR.config.height = 400;

CKEDITOR.config.allowedContent = <?php echo $acfoff; ?>;

CKEDITOR.config.extraAllowedContent('mediainsert(*)[*]{*}; script(*)[*]{*}; php'); works, see below but with error TypeError: CKEDITOR.config.extraAllowedContent is not a function and wrong toolbar, but not for <?php ?>

[disabled] CKEDITOR.config.extraAllowedContent = 'mediainsert(*)[*]{*};script(*)[*]{*};php(*)[*]{*}'; has no effect

CKEDITOR.config.protectedSource.push(/<(script)[^>]*>.*<\/script>/ig); javascript code, but seems already to be the kind of default in ckeditor.js (see below)

[note] the <script> fakedObjects placeholder is shown, if commented out in ckeditor.js /<script[\s\S]*?<\/script>/gi

CKEDITOR.config.protectedSource.push( /<\?[\s\S]*?\?>/g ); PHP code

CKEDITOR.config.protectedSource.push(/<mediainsert[\s\S\t\r\n]*?\/mediainsert>/img); special CMS Plugin tag need to be untouched by ACF

CKEDITOR.config.removeButtons = 'Styles';

CKEDITOR.config.toolbarGroups = [ my special toolbar group settings ];


Further on I have an included function file, to set the right instance and plugins for the two textareas on my page. There I do a:

CKEDITOR.replace('nuggets' + item, {});

CKEDITOR.config.extraPlugins = 'nuggets'+item +',mediaembed,pbckcode,script';

CKEDITOR.plugins.add('nuggets' + item, { .... some plugin creations on the fly .... }); they all work fine, except the 'script' plugin....

You can see the included 'script' plugin at last. This is mainly the same as addressed here (even if I had to change the addCss command, since this threw an error).

Now, to my problems: I want to allow javascript, php and special tags (eg. mediainsert) and have them untouched by ACF and replaced by a placeholder in wysiwyg-mode.

  1. The enabled CKEDITOR.config.extraAllowedContent(...) line rules fires "TypeError: CKEDITOR.config.extraAllowedContent is not a function" and will stop executing my toolbarGroups, but enables the <mediainsert>...</mediainsert> placeholders.
  2. The placeholder for script tags (javascript in textarea) does not happen, until I comment out the "/<script[\s\S]*?<\/script>/gi" in ckeditor.js (see disabled rule above).
  3. Real <?php ?> tags do not work at all, but <php><?php echo 'hello world'; ?></php> does work from scratch without any changes.
  4. The upper enabled CKEDITOR.config.protectedSource.push rules do their work successfully.

I tried everything I could imagine and could find in the docs, using different places or different kind of extraAllowedContent writings, but I can not get this to work!

CKEDITOR.config.extraAllowedContent seems not really to be read. Putting this into config.js file is the same.

Thanks for help and clarification!

Change History (4)

comment:1 Changed 10 years ago by jusca

Edit add:

I surely have element cases for 'script', 'php', 'mediainsert' in the script plugin afterInit section.

Last edited 10 years ago by jusca

comment:2 Changed 10 years ago by Piotrek Koszuliński

Resolution: invalid
Status: new → closed

Your code is full of JS errors. extraAllowedContent is indeed not a function, so I don't understand why you call it as a function.

It should look like:

config.extraAllowedContent = 'mediainsert(*)[*]{*}; script(*)[*]{*}; php';

Please read!/guide/dev_advanced_content_filter

You are also incorrectly setting those config values, because you set the globals (and some of them after initializing the editor... ;|), which may have unpredictable effects. Please read!/guide/dev_configuration

Please correct the mistakes in your code and if you still think that there's a bug in CKEditor, then we can reopen this ticket.

comment:3 Changed 10 years ago by jusca

Hi Reinmar

Well, this custom set with globals does and did work very well in this whole year, besides these new testing issues with fakeObjects and placeholders. What I tried to say in my bug post, was that I even tried your suggestions in various ways before without any effects. I did know that using extraAllowedContent like () was wrong and was throwing errors. I just wanted to state, that after the error and breakage the <mediainsert> placeholder worked. Before that I had no luck with config.extraAllowedContent = 'tag1; tag2; tag3';

For the avoidance of doubt, I now removed all these custom config vars into the config.js file. I tested with an extra

/* my custom config.js additions - use here only! */
CKEDITOR.editorConfig = function( config ) {
    config.extraAllowedContent = 'mediainsert(*)[*]{*}; script(*)[*]{*}; php';
};

block below default. This had no effect!

If I move the issue related config rules up into the default block and in this order only (push before allow!)

    config.protectedSource.push( /<\?[\s\S]*?\?>/g );
    config.extraAllowedContent = 'mediainsert(*)[*]{*}; script(*)[*]{*}; php';

you are right, it starts working, giving me at least the <mediainsert> placeholders. The <script> tag and real <?php ?> tag replacements still don't work.

So these are two different issues, I presume.

The special tag (mediainsert) works in config default block with explicit order only! It seems, this is the place for the output (script placeholders) to work fine. For the input (save), avoiding replacements by CKEDITOR, this seems not to work in here (mediainsert blocks are touched!). Btw, it is extremely confusing, since moving around config sets in config.js, has effects on the toolbar (just as a simple example config.removeButtons adding 'Styles' to the default 3 config rule block does not work, but later on - there is more) and other config options. It reacts very sensitive, but not logical in every case.

The 'script' only works, if commenting out


in ckeditor.js.

The 'php' tag does not work, while internally rewritten to <!--?php echo 'hello world'; ?--> in ckeditor.js too, which can't be so easily disabled like the script issue. That now clears, why the faked php tags like <php><?php echo 'test'; ?></php> worked even if rewritten to <php><!--?php echo 'test'; ?--></php>.

So it seems the mists are lifting.

I do not like the idea of manipulating the ckeditor.js file for 'script' and also maybe the 'php' tags by myself, since this surely will open other doors. But I would like to have a solid option available, to turn off default 'script' and 'php' manipulating in there, or at least have a suitable workaround for these issues.

Is that possible?

Thanks so far! I really appreciate further clarifications on these confusing issues!


comment:4 Changed 10 years ago by jusca

Could you please help me to solve my remaining questions? Or do I need to write another ticket?

I have moved all my settings into a custom config file now. But the protectedSource and extraAllowedContent rules do not work in there (in special for the mediainsert tag).

If I have them in the default config.js file, like already described, they do well (even if that is only testable with the mediainsert tag, since script and php tag are something else, see last post).

I don't really need to allow php scripting, but that mediainsert and the script allowance is quite important to have. And I also would like to know, what kind of open doors will appear, if I have commented out the script part in ckeditor.js?

In short, the only working version is like this, in default config.js:

CKEDITOR.editorConfig = function( config ) {

    // ... all default delivered, then

    // These rules do only work in here (for the output), but not for the input (linebreaks etc)
    // allow <script> tags
    config.protectedSource.push( /<(script)[^>]*>.*<\/script>/ig );
    // allow <?php ?> tags
    config.protectedSource.push( /<\?[\s\S]*?\?>/ig );
    // allow imageselectorplus mediainsert tag code
    config.protectedSource.push( /<mediainsert[\s\S]*?\/mediainsert>/img );
    // set placeholder tag cases
    config.extraAllowedContent = 'mediainsert(*)[*]{*}; script(*)[*]{*}; php';
};

/* my custom config.js additions - use here only! */
CKEDITOR.editorConfig = function( config ) {

    // ... all the rest is working ok in here and even in a custom file.
    // ... But leaving the upper and take the rest to a custom file, does not work for the upper.
};

Thanks for taking time on this. I really think there must be something mismatching in the core, or I definitely haven't understood all of that in detail.
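
Added example (not part of the ticket and not CKEditor's own code): the two `<script>` patterns quoted in this thread capture different spans, and whatever a protectedSource pattern matches is kept out of WYSIWYG editing. The helper `protectedSpans` and the sample strings are constructed for illustration; the helper only lists what each regex would capture and does not reproduce the editor's internal processing.

```javascript
// Lists the spans each pattern would capture, in document order.
// Hypothetical helper for this example; it is not a CKEditor API.
function protectedSpans(html, patterns) {
  const spans = [];
  for (const re of patterns) {
    // Fresh copy with the global flag so lastIndex never leaks between calls.
    const flags = re.flags.includes('g') ? re.flags : re.flags + 'g';
    for (const m of html.matchAll(new RegExp(re.source, flags))) {
      spans.push({ start: m.index, end: m.index + m[0].length, text: m[0] });
    }
  }
  return spans.sort((a, b) => a.start - b.start);
}

// Patterns as they appear in the ticket.
const TICKET_SCRIPT = /<(script)[^>]*>.*<\/script>/ig; // custom rule from comment 4
const LAZY_SCRIPT = /<script[\s\S]*?<\/script>/gi;     // rule quoted from ckeditor.js
const PHP_BLOCK = /<\?[\s\S]*?\?>/g;
const MEDIAINSERT = /<mediainsert[\s\S]*?\/mediainsert>/img;

// Constructed sample content (not taken from the ticket).
const ONE_LINE = '<script>a()</script><p>visible text</p><script>b()</script>';
const MULTI_LINE = '<script>\n  a();\n</script>';
const MIXED = '<p>x</p><?php echo 1; ?><mediainsert id="7">\ncfg\n</mediainsert>';

function report() {
  const texts = (html, patterns) => protectedSpans(html, patterns).map(s => s.text);
  return {
    // Greedy ".*" runs to the LAST </script> on the line, so the paragraph
    // between the two blocks ends up inside the protected span.
    greedyOneLine: texts(ONE_LINE, [TICKET_SCRIPT]),
    lazyOneLine: texts(ONE_LINE, [LAZY_SCRIPT]),
    // "." does not match a newline, so a multi-line script is not captured at all.
    greedyMultiLine: texts(MULTI_LINE, [TICKET_SCRIPT]),
    lazyMultiLine: texts(MULTI_LINE, [LAZY_SCRIPT]),
    mixed: texts(MIXED, [PHP_BLOCK, MEDIAINSERT]),
  };
}

console.log(JSON.stringify(report(), null, 2));
```

The `.*` variant both over-protects (ordinary markup between two script blocks is swallowed) and under-protects (multi-line scripts are missed), which is worth checking before relying on a custom protectedSource rule.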

