search

pimcore / pimcore

Core Framework for the Open Source Data & Experience Management Platform (PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce)
http://www.pimcore.com
Other
3.38k stars 1.43k forks source link

Removal of ckeditor-plugin "clipboard" (see #3831) breaks advanced content filter #5151

Closed thgross closed 4 years ago

thgross commented 4 years ago

In #3831, ckeditor's "clipboard"-plugin was removed. There is no need to remove the plugin just because the paste-buttons don't work anymore in modern browsers. The main problem with this is that ckeditor needs the "clipboard"-plugin to trigger it's advanced content filter (acf). This is why even the most basic preset for any ckeditor configuration has this plugin enabled.

The "clipboard"-plugin needs to be re-added to ckeditor.

Edit: to clarify - the acf still works, because on reopening a document with a wysiwyg that contains unallowed styles, the content gets properly filtered. However, if you just paste content to the wysiwyg and then save, the content is NOT being filtered (but it should).

Expected behavior

Pasting any formatted text into an wysiwyg-editor triggers ckeditors acf. Tihs filter ist enabled by default and removes any unwanted formatting, ie. styles.

Actual behavior

Pasting formatted text keeps any unwanted styles.

Steps to reproduce

  1. Copy the colorful line of text from https://ckeditor.com/docs/ckeditor4/latest/examples/acf.html in any wysiwyg-editor in pimcore.
solverat commented 4 years ago

Confirmed. Re-adding the clipboard plugin and use something like this could be a solution: https://github.com/ckeditor/ckeditor4/issues/469#issuecomment-524185244

solverat commented 4 years ago

@brusch what do you think? I'm wondering why this isn't treated as serious as it should be because this is a real issue here. You're currently allowed to add evil stuff into a wysiwyg field...

brusch commented 4 years ago

Needs some further investigation, haven't got the time yet. 😐 If you have a working solution, we'd be happy to get a PR for it and test it.

solverat commented 4 years ago

TLDR; #3831 needs to be reverted.

Tests

Before new Fix on Firefox

After new Fix on Firefox

Fix

Add this to pimcore.object.tags.wysiwyg and pimcore.document.tags.wysiwyg:

this.ckeditor.on('beforeCommandExec', function(event) {
    if (event.data.name === 'paste') {
        event.editor._.forcePasteDialog = true;
    }

    if (event.data.name === 'pastetext' && event.data.commandData.from === 'keystrokeHandler') {
        event.cancel();
    }
});