id summary reporter owner description type status priority milestone component version resolution keywords cc
9185 Inline javascript strings containing html become corrupt on edit Paul Aumer-Ryan "Related to ticket:7243, if my editor content contains protected elements (a, area, img, or input) embedded in a javascript string, ckEditor will try to protect their attributes (href, src, name), even if their quote delimiters are escaped.
For example: ckEditor will change this:
{{{
var link = ""Google"";
}}}
to this:
{{{
var link = ""Google href=\""http://google.com\"">Google"";
}}}
Fix: the protectAttributes() parser (in htmldataprocessor/plugin.js) should ignore attributes with escaped delimiters. More specifically, line 291-292 (v3.6.4) should change from this:
{{{
var protectElementRegex = /<(a|area|img|input)\b([^>]*)>/gi,
protectAttributeRegex = /\b(on\w+|href|src|name)\s*=\s*(?:(?:""[^""]*"")|(?:'[^']*')|(?:[^ ""'>]+))/gi;
}}}
to this:
{{{
var protectElementRegex = /<(a|area|img|input)\b([^>]*)>/gi,
protectAttributeRegex = /\b(on\w+|href|src|name)\s*=\s*(?:(?:""[^""]*"")|(?:'[^']*')|(?:[^ ""'\\>]+))/gi;
}}}
(I just added an escaped backslash to that last non-capturing group in the regex.)
I have tested this change on the following permutations, and the regex still correctly captures all but the last two links (which should be ignored because they are invalid anyway):
{{{
Google
Google
Google
Google
Google
Google
}}}
Thanks guys!" Bug closed Normal Core : Parser invalid Sa'ar Zac Elias