Server Side Integration Status
You will find a list of the features required for all integration languages, separated into the following blocks:
- FCKeditor Creator: the API used to create FCKeditor instances and load them in a page.
- File Browser Connector and Quick Uploader: the communication system for the generic File Browser and Quick Uploader interfaces.
- Other: other features related to the integration
Instance Creator System
A language compatible implementation to create FCKeditor instances, according to the Developer’s Guide specifications (http://wiki.fckeditor.net/Developer%27s_Guide/Participating/Server_Side_Integration#Creator). The BasePath, Width, Height, ToolbarSet and Value properties are required.
A similar implementation must be provided in a TAG based server side language.
The integration file must point, by default, to the "/fckeditor/" folder (lowercased).
The Create() function, which outputs the editor HTML at the place where the function is called. It can also be replaced by a TAG based system.
The CreateHtml() function, which returns the editor HTML so developers can use it in other ways in their code.
The integration must be "smart", depending on the specific language features. For example, with ASP.Net, a setting like "CustomConfigurationsPath" can be set to something like "~/myconfig.js", where the tilde must be resolved on the server side to point to the application root.
We are aware of the limitations of the current system. It is not possible to set new toolbars, ProtectedSource or any object or array based configuration. We'll most probably be implementing a JSON compatible system soon.
The integration must provide a generic FCKeditor_IsCompatibleBrowser() function that is independent of the instance creation. In this way developers can check the FCKeditor compatibility for their own needs, without having to create an editor instance.
File Browser Connector and Quick Uploader
Note: As of version 2.5, the quick uploader will use the File Browser connector uploading features.
Implementation of the connector basic commands: GetFolders, GetFoldersAndFiles, CreateFolder and FileUpload.
All connectors must be explicitly activated by the users. There are many people out there using FCKeditor that are not even aware of the existence of the connectors. If the connectors are enabled by default, hackers can use them to upload files to the server without the users noticing.
Many features of the connector must be easily configurable by the developers. The PHP configuration file can be used as the base of the required configurable settings.
Check whether an allowed file type has been requested. For now, the allowed types are: File, Image, Flash and Media. If not specified, it defaults to "File". This list may be more flexible in the future.
Avoid paths with ".."
To avoid hackers accessing unauthorized paths like "../../../", we must refuse any request for Folders with two dots in the path.
Another security issue may be found if users upload files named like "hacked.php.txt". Connectors may check that file as a "txt" file, but the server can be configured to process it as a "php" file. So, we should rename the file to "hacked_php.txt", replacing dots with underscores and leaving only the last one. This check should be configurable.
Check Allowed Extension
This is the most important check on uploads. The file extension must be checked by type, as defined in the configuration file. The default configurations must match those in the PHP configuration file.
If you take an HTML page, rename it to .jpg, for example, and load it into IE, it will render the HTML page instead of reporting an invalid image. So, for image files, a check must be done to ensure that they really are images.
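The three upload checks described above (refusing ".." in folder paths, collapsing extra dots in the file name, and checking the extension per resource type plus the real image content), as an added example in Python; it is not code from the project's connectors, which are written in PHP, ASP.Net and the other integration languages. The extension lists and the image signature table are constructed for this example and are not the project's defaults.

```python
from __future__ import annotations

# Allowed extensions per resource type (constructed for the example; the real
# lists come from the connector configuration file).
ALLOWED = {
    "File": {"zip", "txt", "pdf", "doc"},
    "Image": {"jpg", "jpeg", "gif", "png"},
    "Flash": {"swf"},
    "Media": {"mp3", "mp4", "avi"},
}

# Leading bytes a genuine image of each type starts with (constructed table).
IMAGE_MAGIC = {
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}


def check_folder_path(path: str) -> bool:
    """Refuse any folder path containing '..' (the 'Avoid paths with ..' check)."""
    return ".." not in path


def sanitize_filename(name: str) -> str:
    """Replace every dot except the last with '_': 'hacked.php.txt' -> 'hacked_php.txt'."""
    base, dot, ext = name.rpartition(".")
    if not dot:
        return name
    return base.replace(".", "_") + "." + ext


def check_upload(resource_type: str, filename: str, content: bytes) -> tuple[bool, str]:
    """Run the connector checks in order; return (accepted, sanitized file name)."""
    if resource_type not in ALLOWED:
        return False, ""
    safe_name = sanitize_filename(filename)
    # Extension check by type; a name without any dot has no extension and is refused.
    ext = safe_name.rsplit(".", 1)[-1].lower() if "." in safe_name else ""
    if ext not in ALLOWED[resource_type]:
        return False, safe_name
    # For images, also verify the content really starts like an image of that type.
    if resource_type == "Image":
        if not any(content.startswith(magic) for magic in IMAGE_MAGIC.get(ext, [])):
            return False, safe_name
    return True, safe_name
```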
All implementations should provide samples 01 to 04, compatible with the "html" samples 01, 03, 04 and 05.
At our Wiki (http://wiki.fckeditor.net), there is a dedicated section in the TOC for the server side integration with very basic documentation. Every integration should have its page there. The ASP.Net and PHP pages can be used as a base for the structure.
Access to the TOC page is very restricted, so if your page is missing there, just ask FredCK to add it once you have completed it.