search

craftcms / ckeditor

Edit rich text content in Craft CMS using CKEditor.
https://plugins.craftcms.com/ckeditor
GNU General Public License v3.0
46 stars 23 forks source link

Video Embeds Stripped Out Regardless of HTML Purifier Config #59

Closed itsmattsoria closed 1 year ago

itsmattsoria commented 1 year ago

Description

The Default.json config for HTML Purifier that is included on installation has the following lines, which should prevent YouTube and Vimeo video embeds from being stripped out of a CKEditor field on save, but embeds from either platform are still being stripped out.

  "HTML.SafeIframe": true,
  "URI.SafeIframeRegexp": "%^(https?:)?//(www.youtube.com/embed/|player.vimeo.com/video/)%"

I wasn't totally sure if this issue belongs here, or in the Craft starter, or with HTML Purifier itself, but for reference, I tested this with Redactor, and it wasn't an issue there, the embeds remained after save.

Steps to reproduce

  1. Do a fresh Craft install using the Quick Start Guide
  2. Install the latest version of CKEditor with ddev composer require craftcms/ckeditor -w && ddev exec php craft plugin/install ckeditor
  3. Keep the default installation settings, which at the time of writing includes https://cdn.ckeditor.com/ckeditor5/32.0.0/classic/ckeditor.js as the CKEditor Build URL.
  4. Create a CKEditor field and add it to a section for use (you'll need to create a new section if starting fresh). Keep the default settings, which leaves "Purify HTML" as checked, and uses the Default config.
  5. Go to the entry where the field was added, and paste in a YouTube or Vimeo URL ( I recommend this one). The editor should automatically take that and produce the iframe code that displays it as an embed within the editor.
  6. Hit "save" on the entry and see your empty field where the embed should remain.

Additional info

i-just commented 1 year ago

Hi, thanks for reaching out. This seems to be related to: https://github.com/ezyang/htmlpurifier/issues/302. CKEditor 5 uses oembed to add media (CKEditor 4 used iframe, which is why it worked there). We’ll talk about options internally, and I’ll let you know once we’ve done so.

itsmattsoria commented 1 year ago

@i-just Ahh, yep. Dang. Well thank you for that update, I appreciate it!

brandonkelly commented 1 year ago

Craft 3.7.66 and 4.3.9 are out with an update to the HTML Purifier config to allow oembed tags (via craftcms/cms#12675). There’s also a new Embedding Videos/Media in CKEditor 5 section in the plugin readme.

FrDH commented 11 months ago

We're on Craft 4.5.5 but YouTube video's are always stripped out when using HTML purifier, regardless of what config is used.

kevinmu17 commented 10 months ago

4.5.9 also not working unless uncheck the Purify HTML option in the field.

  "HTML.SafeIframe": true,
  "URI.SafeIframeRegexp": "%^(https?:)?//(www\\.youtube\\.com/embed/|www\\.youtube\\.com/watch\\?v=.+|youtu\\.be/.+|www\\.youtube(?:-nocookie)?\\.com/embed/|player\\.vimeo\\.com/video/)%"

Add this to your htmlpurifier json config @FrDH and try again