Opened 14 years ago

Closed 14 years ago

Last modified 14 years ago

#5056 closed Bug (invalid)

Protected Tags

Reported by: Shaun Owned by:
Priority: Normal Milestone:
Component: Core : Output Data Version: 3.1
Keywords: Cc:


Reading from this page,

If I understand correctly, you must have

config.protectedSource.push( /<\?[\s\S]*?\?>/g ); // Allows PHP Code

in your config to be able to use PHP code within the editor.

However, if I load the editor, switch to Source mode, type some simple PHP:

<?php echo 'Whatever I want.'; ?>

and submit, CKEditor does not entitize or remove the PHP code and it goes through unscathed.

This means I have to manually check for PHP code upon submission.

Correct me if I'm wrong, but I believe that is a bug.

Change History (3)

comment:1 Changed 14 years ago by Shaun

Forgot to add, although I believe its implied, that I do NOT have

config.protectedSource.push( /<\?[\s\S]*?\?>/g ); // Allows PHP Code

enabled in my config.

comment:2 Changed 14 years ago by Alfonso Martínez de Lizarrondo

Priority: HighNormal
Resolution: invalid
Status: newclosed

protectedSource is meant to be used to handle data that otherwise would be destroyed by the editing system or the browser. It is not any kind of clean up or sanitizing system, you must do it yourself at the server.

comment:3 Changed 14 years ago by Shaun

Thanks for the explanation.

Perhaps that should be clarified in the API docs.

Note: See TracTickets for help on using tickets.
© 2003 – 2022, CKSource sp. z o.o. sp.k. All rights reserved. | Terms of use | Privacy policy