Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#5056 closed Bug (invalid)

Protected Tags

Reported by: simshaun
Owned by:
Priority: Normal
Milestone:
Component: Core : Output Data
Version: 3.1
Keywords:
Cc:


Reading from this page,

If I understand correctly, you must have

config.protectedSource.push( /<\?[\s\S]*?\?>/g ); // Allows PHP Code

in your config to be able to use PHP code within the editor.

However, if I load the editor, switch to Source mode, type some simple PHP:

<?php echo 'Whatever I want.'; ?>

and submit, CKEditor does not entitize or remove the PHP code and it goes through unscathed.

This means I have to manually check for PHP code upon submission.

Correct me if I'm wrong, but I believe that is a bug.

Change History (3)

comment:1 Changed 7 years ago by simshaun

Forgot to add, although I believe it's implied, that I do NOT have

config.protectedSource.push( /<\?[\s\S]*?\?>/g ); // Allows PHP Code

enabled in my config.

comment:2 Changed 7 years ago by alfonsoml

  • Priority changed from High to Normal
  • Resolution set to invalid
  • Status changed from new to closed

protectedSource is meant to be used to handle data that otherwise would be destroyed by the editing system or the browser. It is not any kind of clean up or sanitizing system; you must do it yourself at the server.

comment:3 Changed 7 years ago by simshaun

Thanks for the explanation.

Perhaps that should be clarified in the API docs.
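
The server-side check that comment:2 says is the integrator's job, as an added example that is not part of the ticket or of CKEditor. It assumes a Node.js handler receiving the editor's HTML; the helper names are hypothetical and the sample submissions are constructed. It also shows why the protectedSource pattern from the ticket is not a suitable server-side detector: it needs a closing "?>", which PHP itself does not require.

```javascript
// Added example, not CKEditor code. Helper names are hypothetical.
// Pattern from the ticket: only matches blocks that have a closing "?>".
const TICKET_PATTERN = /<\?[\s\S]*?\?>/g;

// Server-side pattern: the closing tag is optional, because PHP treats an
// unclosed "<?php" as code that runs to the end of the file. Every PHP open
// tag ("<?php", "<?=", short "<?") starts with "<?", so all are covered.
// XML processing instructions such as "<?xml ...?>" are matched as well.
const PHP_BLOCK = /<\?[\s\S]*?(?:\?>|$)/g;

// Return every server-code block found in submitted editor HTML.
function findServerCode(html) {
  return html.match(PHP_BLOCK) || [];
}

// Entity-encode each block so it is stored and shown as text, never parsed.
function neutralize(html) {
  return html.replace(PHP_BLOCK, (block) =>
    block.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;'));
}

// Apply the policy on the server: 'reject' refuses the submission,
// 'neutralize' accepts it with the blocks encoded.
function handleSubmission(html, mode = 'reject') {
  const blocks = findServerCode(html);
  if (blocks.length === 0) return { accepted: true, html, blocks };
  if (mode === 'reject') return { accepted: false, html: null, blocks };
  return { accepted: true, html: neutralize(html), blocks };
}

// Constructed sample submissions (the first is the snippet from the ticket).
const closed = "<p>Hi</p><?php echo 'Whatever I want.'; ?>";
const unclosed = "<p>Hi</p><?php echo 'no closing tag';";

for (const [name, html] of [['closed', closed], ['unclosed', unclosed]]) {
  const ticketHits = (html.match(TICKET_PATTERN) || []).length;
  const result = handleSubmission(html, 'neutralize');
  console.log(name, { ticketHits, serverHits: result.blocks.length, stored: result.html });
}
```

Whichever mode is chosen, the check runs on the server for every submission, independent of whether protectedSource is set in the editor config.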
