Saving an HTMLEditorField always uses the 'active' HTMLEditorConfig rather than the config defined on the field when sanitising the content for saving into the database.
I would have expected the field to sanitise its content using the config set on the field.
It means it is not possible to have mor than one kind of server side validation. This probably goes un-noticed as the client will prevent adding invalid content in the JS and the default valid elements is fairly permissive. However, it is possibly to bypass the client restrictions (eg with the source button)
';
$tableField->setValue($htmlValue);
$dummyObject2 = new class extends DataObject {
};
$tableField->saveInto($dummyObject2);
$this->assertEquals($expectedHtmlString, $dummyObject2->Standard);
}
}
```
if you uncomment HTMLEditorConfig::set_active_identifier('table'); then the test will pass.
Setting the active identifier works unless you have multiple different configurations within the same form - as there can only be one active config at time.
Save into could instead use the config attached to the field and fall back to the active one?
Affected Version
tested on 4.12 and 5
Description
Saving an HTMLEditorField always uses the 'active' HTMLEditorConfig rather than the config defined on the field when sanitising the content for saving into the database.
I would have expected the field to sanitise its content using the config set on the field.
It means it is not possible to have mor than one kind of server side validation. This probably goes un-noticed as the client will prevent adding invalid content in the JS and the default valid elements is fairly permissive. However, it is possibly to bypass the client restrictions (eg with the source button)
Steps to Reproduce
This test will reproduce the issue:
expand code sample
```php setOption('valid_elements', implode(',', $defaultValidElements)); HTMLEditorConfig::set_active_identifier('cms'); $field = HTMLEditorField::create('Standard'); $htmlValue = 'standard text
standard text
Header'; $field->setValue($htmlValue); $dummyObject = new class extends DataObject { }; $field->saveInto($dummyObject); $this->assertEquals($expectedHtmlString, $dummyObject->Standard); $tableValidElements = [ 'table', 'thead', 'tbody', 'tr', 'th', 'td', ]; $tableConfig = HTMLEditorConfig::get('table'); $tableConfig->setOption('valid_elements', implode(',', $tableValidElements)); // HTMLEditorConfig::set_active_identifier('table'); $tableField = HTMLEditorField::create('Standard'); $tableField->setEditorConfig($tableConfig); $htmlValue = 'standard text
standard text
if you uncomment
HTMLEditorConfig::set_active_identifier('table');
then the test will pass.Setting the active identifier works unless you have multiple different configurations within the same form - as there can only be one active config at time.
Save into could instead use the config attached to the field and fall back to the active one?
PRs
Thanks for reporting this.
Yup that sounds like the correct course of action. Would you be willing to raise a PR to implement this fix?
PR attached now :)
PR was merged. This will be automatically tagged by GitHub Actions.
This was reverted - see https://github.com/silverstripe/silverstripe-framework/issues/11141 for details