I'm running on Wagtail 1.3.1, Django 1.7.11.
I have activated hallohtml and hallojustify plugins and they appear in toolbar (without icons but buttons are here).
The buttons can be used and the modifications are seen in the textarea (I mean that I can center a field for example and I see it).
When I publish the page, the modifications made by either hallojustify or hallohtml are not saved whereas I can still use the bold/italic buttons and save the content. It looks like the html is cleaned up...
I should miss something but...
#hooks.register('insert_editor_js')
def editor_js():
js_files = [
]
js_includes = format_html_join('\n', '',
((settings.STATIC_URL, filename) for filename in js_files)
)
return js_includes + format_html(
"""
<script>
registerHalloPlugin('hallojustify');
registerHalloPlugin('hallohtml');
</script>
"""
)
By design, Wagtail only allows a subset of HTML tags and attributes, and strips out any that are not on its whitelist. This is done for several reasons: it prevents editors from inserting malicious content (such as <script> tags), and encourages site developers to keep content and presentation separate. (You shouldn't really be including formatting information such as left/right/centre alignment inside rich text content - that should be defined inside your template and CSS.)
You can customise the HTML whitelisting rules using the construct_whitelister_element_rules hook - however, I'd encourage you to reconsider whether you really need to overload the rich text editor with so much functionality, or whether there's a more structured way of achieving what you want (such as StreamField).
Related
I'm writting a website that allows users to paste in html for their blogs.
The html they paste in will then get saved to a file and this is what will be read and changed when the user makes changes. The file will almost be like a complete web page so it will have all your normal tags; head, body, div's, etc. etc.
This means it should allow almost all html and css tags apart from anything that could cause a security breach. So it essentially needs to strip php tags, certain style tags, and html/javascript script tags.
I looked into the strip_tags function but I'd rather not use that because:
a) it removes html comments which I'd rather keep and
b) it would be a lot of working specifying all the tags that it needs to ignore, considering I want it to ignore vastly more tags than I want it to strip.
My guess is that this is something regex-esc using preg_replace?
I'd like to add; I'm newly aware of XSS attacks through CSS too so any ideas/thoughts on how I could block certain css style tags out would be wonderful :)
Any ideas on what I could do?
I've got 2 CKEditor instances. One editor (A) supporting a number of widgets, another editor B has an Advanced Content Filter with these settings to make sure only <p>, <br>, <em> and <strong> tags are allowed in the second editor:
config.allowedContent = 'p br em strong';
My widget contains an image and some other tags and this filter setting:
config.allowedContent = 'img div figure figcaption';
When text containing this kind of widget from editor A is pasted into editor B, I would like the editor to strip out the widget but it doesn't. This makes sense because the allowedContent setting of the widget makes sure that the image is not removed.
However, my second editor does not know anything about this widget and I would like to configure the filter to strip out all widgets pasted in.
I've tried adding the Disallowed Content setting to editor B:
config.disallowedContent = 'img div span figure figcaption';
But without succes, I keep getting the widget div's in editor B.
Same goes for pasting the widget into editor 4 of the sample editors provided by CKEditor. The widget is inserted even if the ACF does not allow it.
Is there another filter option to prevent widgets from sneaking into the body?
Unfortunately there's no easy way to filter pasted events with the ACF at the moment - see http://dev.ckeditor.com/ticket/11115. It has the 4.5.0 milestone assigned, but I don't feel that we'll manage to make this change in this version. There are architectural limitations which make this ticket very complex.
What you could try to do is to intercept pasted content on the editor#paste, parse the content and filter pasted widgets manually. The hard thing (the actual #11115 blocker) is that in the pasted content you'll find upcasted versions of widgets, with all wrappers, all internal attributes etc. ACF cannot be applied to this content directly because ACF is supposed to filter downcasted versions of widgets. Therefore you need to filter this more manually or with a special CKEDITOR.filter instance.
You can find this question useful - Apply CKEditor Advanced Content Filter to a string.
I'm having a hard time finding a good WYSIWYG editor, tried CKeditor & TinyMCE and found out that they strip out a lot of tags and headers and they ruin the page.
Any recommendations of professional editors? i want it to leave the page as it is but only change the areas that people "touched".
Thanks
TinyMCE and other editors as-default usually do some level of clean up.
For example with TinyMCE there are configuration options such as cleanup and clean up on startup which can be used to control the cleanup actions.
tinyMCE.init({
...
cleanup : false
});
Documentation as taken from TinyMCE wiki:
This option enables or disables the built-in clean up functionality. TinyMCE is equipped with powerful clean up functionality that enables you to specify what elements and attributes are allowed and how HTML contents should be generated.
This option is set to true by default, but if you want to disable it you may set it to false.
Notice: It's not recommended to disable this feature.
It might be worth mentioning that the browser usually messes with the HTML. The clean up not only fixes several problems with the browsers' parsed HTML document, like paths etc., it also makes sure it is a correct XHTML document, with all tags closed, the " at the right places, and things like that.
I haven't seen anything like this before but was thinking of trying to create something like this
At the moment I'm using the wysiwyg module for Drupal with tiny_mce. However, it keeps inserting all kinds of superfluous spans and other trash elements in my markup. I want to use wysiwyg mostly for semantic markup with css classes, any inline styles are a problem, because I have to clean up my html by hand - sort of defies the purpose of having a wysiwyg editor altogether. What other wysiwyg editor should I try, which will behave more sensibly?
WYMeditor, available via the WYSIWYG API, is not the fanciest editor, but it does produce XHTML markup.
BUEditor integrated via the BUEditor module, is an easily extensible system that allows you to easily define buttons and associated markup. It is a favorite of a markup-obsessed colleague of mine, so I imagine it does a good job.
In my experience ck editor is a very good solution.
The only problem i have seen it have is drop a instead of leaving a box blank
It has paste plain text and paste from word features that prevent extra markup from being dropped in
When working with a cms i think what is important usually is not how well you can enter markup, as a developer you can usually just use a text area and drop html, but how the editors will enter content.
Ck editor usually produces very clean results, as long as direct pasting from Word does not take place
As people have helped me out in the comments, there are two ways to integrate it with Drupal
WYSIWYG API module, and standalone module cKEditor
I really wanted to go with CKEditor myself but after trying to get rid of that adding breaks and spaces everywhere stuff I had to revert to plain text input.
I am currently considering markitup!, which you may want to investigate as well.
I am hopeful as I have good experiences with it on WP but I didn't get to try it on Drupal just yet.
I would suggest BUEditor, you can configure all buttons and thus control the output
Unfortunately I have yet to find an editor that doesn't try to mess with your code in one way or another. In Drupal, I've tried TinyMCE, FCKEditor, and CKEditor. In non-Drupal projects I've used Ephox EditLive and the YUI 2 Rich Text Editor. All of them try to "fix" or autoformat your code in one way or another, and to that end they are all frustrating. Of that group, Ephox EditLive is the worst offender, and ironically it's the only one that isn't free.
I've resigned myself to plain text editing in Drupal whenever there's a slight chance I may need to control the underlying HTML. My WYSIWYG editor is off by default; I whitelist pages in as needed. It's tedious, but for me it's better than playing tug-of-war with the WYSIWYG for control.
I've tried various editors, both desktop applications and web-based RTEs, but have not found anything that works very well. All too often, they mess up code, adding in "tag soup". Even the ones that claim to only produce valid code often produce a total mess of span tags and style attributes.
Here are some of the features I'm looking for:
mainly to use as "content creation" rather than creating whole pages or sites (I normally do the design side by hand)
supports all HTML tags (which includes <small>, <code>, <kbd>, <dl> etc)
can attach classes to the current element - many editors will insert span tags, causing mess like: <p><span style="...">...</span></p>
doesn't change code that I add (I've had editors remove hidden input fields and other stuff)
doesn't add deprecated attributes, eg border and cellspadding often get added on images and tables.
would love it if it could pick up the stylesheet I use for my page and obviously apply the styles I select
if it's a desktop app, being Linux-based is gonna be a big plus
Anyone have any recommendations? Here are some of the ones I've tried: TinyMCE, FCKeditor and various others on the web; Dreamweaver (briefly), Expression Web and KompoZer on the desktop.
Well, I'm not aware of all the existing WYSIWYG editors around, but have you considered the alternative of using a code editor and create the HTML code by hand? I know it may sound crazy at first hand, but believe me, when you start to feel comfortable with it you'll become more productive, the code is cleaner and of course, you get more flexibility.
Personally I don't like dreamweaver, but it's code editor is very good because of the intellisense that helps you remembering the tags and attributes.
I've haven't tried it, but read of it: you could try the Amaya web editor (and if you have any comments on this editor, I'd like to read them).
I expect it's mostly standards-compliant (but, doesn't run javascript).