Last modified 6 years ago Last modified on 05/10/08 14:08:32

Server Side Integration Status

This page aims to document the status of all server side implementations available in the FCKeditor. The JavaScript implantation is also included. In this way all implementation will have the same expected quality level, simplifying also the introduction of new features in all languages.

You will find list of features required for all integration languages, separated in the following blocks:

  • FCKeditor Creator: the API used to create FCKeditor instances and load them in a page.
  • File Browser Connector and Quick Uploader: the communication system for the generic File Browser and Quick Uploader interfaces
  • Other: other features related to the integration

FCKeditor Creator

AFP ASP ASP.NetColdFusionJava Lasso Perl PHP PythonJavaScript
Instance Creator System X X X X X X X X
BasePath X X X X X X X
"Create()" function X X X X X X X X
"CreateHtml()" function X X X X X X X
Configuration Object X X X X X X X X
"FCKeditor_IsCompatibleBrowser()" function X X X X X X X X

Instance Creator System

A language compatible implementation to create FCKeditor instances, according to the Developer’s Guide specifications ( The BasePath, Width, Height, ToolbarSet and Value properties are required.

A similar implementation must be provided in a TAG based server side language.


The integration file must point, by default, to the "/fckeditor/" folder (lowercased).

"Create()" function

The Create() function which outputs the editor HTML in the place where the function is called. It can be also replaced by a TAG based system.

"CreateHtml()" function

The CreateHtml() function which retrieves the editor HTML so developers can use it in other ways in their code.

Configuration Object

A collection or object which holds configurations set in the moment of the instance creation. For example, by calling "oFCKeditor.Config!FullPage? = true" in the JavaScript integration. This object must accept Boolean, String and Integer values.

The integration must be "smart", depending on the specific language features. For example, with ASP.Net, setting like "CustomConfigurationsPath" can be set to something like "~/myconfig.js", where the tilde must be resolved in the server side to point to the application root.

We are aware about limitations of the current system. It is not possible to set new toolbars, ProtectedSource or any object or array based configuration. We’ll most probably be implementing a JSON compatible system soon.

"FCKeditor_IsCompatibleBrowser()" function

The integration must provide a generic FCKeditor_IsCompatibleBrowser() function that is independent of the instance creation. In this way developers can check the FCKeditor compatibility for their own needs, without having to create an editor instance.

File Browser Connector and Quick Uploader

Note: As of version 2.5, the quick uploader will use the File Browse connector uploading features.

AFP ASP ASP.NetColdFusionJava Lasso Perl PHP Python
Basic Commands X X X X X X
Explicit Activation X X X X X
Configuration File X X X X X X

Security Checks:

AFP ASP ASP.NetColdFusionJava Lasso Perl PHP Python
Allowed Type X X X X X
Avoid paths with ".." X X X X X
ForceSingleExtension X X X X X
Check Allowed Extension X X X X X X
Check images X X X X X

Basic Commands

Implementation of the connector basic commands: GetFolders, GetFoldersAndFiles, CreateFolder and FileUpload.

Explicit Activation

All connectors must be explicitly activated by the users. There are many people out there using FCKeditor that are not even aware about the existence of the connectors. If the connectors are enabled by default, hackers can use them to upload files to the server without users notice.

Configuration File

Many features of the connector must be configurable by the developers with easy. The PHP configuration file can be used as the base of the required configurable settings.

Allowed Type

Check if and allowed file Type has been requested. For now, the allowed types are: File, Image, Flash and Media. If not specified, it defaults to "File". This list may be more flexible in the future.

Avoid paths with ".."

To avoid hackers accessing unauthorized path like "../../../", we must refuse any request for Folders with two points in the path.


Another security issue may be found if users upload files named like "hacked.php.txt". Connectors may check that file as a "txt" file, but they can be configured in the server to be processed as a "php" file. So, we should rename the file to "hacked_php.txt", replacing dots with underscore, leaving only the last one. This check should be configurable.

Check Allowed Extension

This is the most important check on uploads. The file extension must be checked by type, as defined in the configuration file. The default configurations must match those in the PHP configuration file.

Check images

If you get a HTML page, rename it to .jpg, for example, and load it into IE, it will open the HTML page, instead of showing an invalid image. So, for image files, a check must be done to ensure those are really images.


AFP ASP ASP.NetColdFusionJava Lasso Perl PHP PythonJavaScript
Samples X X X X X X X X X
Documentation X X X X X X


All implementation should provide samples from 01 to 04, compatible with the "html" samples 01, 03, 04 and 05.


At our Wiki (, there is a dedicated section in the TOC for the server side integration with very basic documentation. Every integration should have its page there. The ASP.Net and PHP pages can be used as a base for the structure.

There is very restricted access to the TOC page, so if your page is missing there, just ask FredCK to add it there once you have completed it.

© 2003 – 2012 CKSource – Frederico Knabben. All rights reserved. | Terms of use | Privacy policy