Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#5056 closed Bug (invalid)

Protected Tags

Reported by: Shaun Owned by:
Priority: Normal Milestone:
Component: Core : Output Data Version: 3.1
Keywords: Cc:

Description

Reading from this page, http://docs.cksource.com/ckeditor_api/symbols/CKEDITOR.config.html#.protectedSource

If I understand correctly, you must have

config.protectedSource.push( /<\?[\s\S]*?\?>/g ); // Allows PHP Code

in your config to be able to use PHP code within the editor.

However, if I load the editor, switch to Source mode, type some simple PHP:

<?php echo 'Whatever I want.'; ?>

and submit, CKEditor does not entitize or remove the PHP code and it goes through unscathed.

This means I have to manually check for PHP code upon submission.

Correct me if I'm wrong, but I believe that is a bug.

Change History (3)

comment:1 Changed 8 years ago by Shaun

Forgot to add, although I believe it's implied, that I do NOT have

config.protectedSource.push( /<\?[\s\S]*?\?>/g ); // Allows PHP Code

enabled in my config.

comment:2 Changed 8 years ago by Alfonso Martínez de Lizarrondo

Priority: High → Normal
Resolution: invalid
Status: new → closed

protectedSource is meant to be used to handle data that otherwise would be destroyed by the editing system or the browser. It is not any kind of clean up or sanitizing system, you must do it yourself at the server.

comment:3 Changed 8 years ago by Shaun

Thanks for the explanation.

Perhaps that should be clarified in the API docs.
