Opened 3 years ago

Last modified 3 years ago

#14648 confirmed Bug

config.allowedContent doesn't work when BBCode plugin active

Reported by: Alan Howshall Owned by:
Priority: Normal Milestone:
Component: General Version: 4.5.9
Keywords: Cc:

Description (last modified by Marek Lewandowski)

Steps to reproduce

  1. Download the following CKBuilder package which is my desired minimal editor inc BBCode plugin.
  2. Add config.allowedContent = 'strong em ul li;'; into default downloaded config.js
  3. Paste Strikethrough or other hidden button formatted content, like Superscript, from MS Word or similar.

Expected result

With added config.allowedContent = 'strong em ul li;'; formating like Strikethrough, Superscript etc should be auto removed on paste as they do not match 4x specified allowedContent tags.

Actual result

Not allowedContent included tags are allowed through on paste and shown visually in CKEditor window.

However if you add additional config.removePlugins = 'bbcode'; to temporarily disable BBCode then config.allowedContent is working properly as expected with no other changes.

So it appears to be the addition of (needed) BBCode plugin that is stopping config.allowedContent working correctly.

Other details (browser, OS, CKEditor version, installed plugins)

Issue replicated on CKEditor 4.5.9 on Windows 8.1 in Firefox 46 and Chrome 50

Paste of CKBuilder is:

 * @license Copyright (c) 2003-2016, CKSource - Frederico Knabben. All rights reserved.
 * For licensing, see or

 * This file was added automatically by CKEditor builder.
 * You may re-use it at any time to build CKEditor again.
 * If you would like to build CKEditor online again
 * (for example to upgrade), visit one the following links:
 * (1)
 *     Visit online builder to build CKEditor from scratch.
 * (2)
 *     Visit online builder to build CKEditor, starting with the same setup as before.
 * (3)
 *     Straight download link to the latest version of CKEditor (Optimized) with the same setup as before.
 * NOTE:
 *    This file is not used by CKEditor, you may remove it.
 *    Changing this file will not change your CKEditor configuration.

	skin: 'bootstrapck',
	preset: 'basic',
	ignore: [
	plugins : {
		'basicstyles' : 1,
		'bbcode' : 1,
		'clipboard' : 1,
		'enterkey' : 1,
		'entities' : 1,
		'indentlist' : 1,
		'list' : 1,
		'pastefromword' : 1,
		'pastetext' : 1,
		'removeformat' : 1,
		'sourcearea' : 1,
		'toolbar' : 1,
		'undo' : 1,
		'wysiwygarea' : 1
	languages : {
		'en' : 1

Change History (5)

comment:1 Changed 3 years ago by Marek Lewandowski

Status: newconfirmed

In fact it does look like filter is purposely disabled in BBCode plugin. TBH I have no idea what's the reason for it so it should be investigated deeper.

comment:2 Changed 3 years ago by Marek Lewandowski

Description: modified (diff)

comment:3 Changed 3 years ago by Alan Howshall

Thank you for initial review and confirmation of this bug.

If you can let me know when you've been able to have a deeper look at this and any ideas of timescales for a fix, or worst case approved workaround, that would be gratefully received.

Many thanks, Alan

comment:4 Changed 3 years ago by Jakub Ś

This needs further research but it is possible that ACF was disabled for BBCode because it works quite different from standard HTML. If it turns out this is the case, nothing will be done with that ticket. This however needs research.

when you've been able to have a deeper look

At the moment there are no plans to immediately look into this ticket. I'm sorry.

NOTE: If you want to have this issue fixed on demand, you can contact our sales team and ask about SLA for that specific issue.

comment:5 Changed 3 years ago by Alan Howshall

Thank you for your honest reply on timescales, appreciate you keeping this ticket open to be on your potential backlog. Will highlight to the customer that if they want a higher prioritisation then they may need to consider SLA route.

Meantime for any others that come across this bug ticket we are currently testing a less elegant custom JavaScript RegEx replace that blacklists and replaces (rather than preferred official config.allowedContent whitelist)

The code we're currently testing and have applied within config.js to hopefully workaround this issue at the moment is:

CKEDITOR.on('instanceReady', function(e) {
	var editor = e.editor;								  
	editor.on( 'paste', function(args) 
		{ ="[^\"]*"/gi, '').replace(/<ol/gi, '<ul').replace(/<\/ol>/gi, '</ul>').replace(/<u>/gi, '').replace(/<\/u>/gi, '').replace(/<s>/gi, '').replace(/<\/s>/gi, '').replace(/<a[^>]*>/gi, '').replace(/<\/a>/gi, '').replace(/<sub>/gi, '').replace(/<\/sub>/gi, '').replace(/<sup>/gi, '').replace(/<\/sup>/gi, '');

Note: See TracTickets for help on using tickets.
© 2003 – 2019 CKSource – Frederico Knabben. All rights reserved. | Terms of use | Privacy policy