Ckeditor4: Allow override of default CKEditor.config.protectedSource rules

Created on 24 May 2019 · 3 Comments · Source: ckeditor/ckeditor4

Type of report

Feature request

Provide description of the new feature

Hello,

We are using the Media embed plugin to load YouTube/Instagram/Facebook posts inside our rich text editor. The problem we encountered is that CKEditor 4.x auto-protects <script> tags by default and does not give an option to remove that protection, even through CKEditor.config.protectedSource.

I followed the problem to this line of source:
https://github.com/ckeditor/ckeditor-dev/blob/major/core/htmldataprocessor.js#L967

While I understand why this kind of "hardcoded" protection would be implemented I think it breaks some cool features of Media embed plugin.

What I would like to propose is to add an opt-in flag to CKEditor.config like:

allowDangerousProtectedSoruce : Boolean

If true, disables CKEditor.protectedSource default restrictions for tags like script, noscript etc.

config.allowDangerousProtectedSoruce = true;

I am also open to discussing alternatives further and, if needed, implementing this as a PR.

Thanks!

confirmed feature

All 3 comments

Hello @capJavert,

thanks for the request and in-depth analysis of this behavior 👍

While I understand why this kind of "hardcoded" protection would be implemented I think it breaks some cool features of Media embed plugin.

Yes, it is mostly done for security reasons, as allowing script tags would be a big security risk. I also agree that many media embed scripts load additional JS which adds some cool stuff/features to the embedded content, so without it the experience is not the same.


I see two solutions - a feature in CKEditor or an additional integration layer on the backend (or content post-processing).

Adding a config option in the editor is one of the approaches (we already have ACF, which is kind of similar and when turned off allows most of the content - apart from script tags 😉), so it's doable, and we are open to PRs, so feel free to contribute.

The other solution would be content post-processing. After the content is fetched from CKEditor and saved to the storage, you modify it by replacing protected script tags with regular ones. This way, on the frontend layer (where the content is presented), you will have full-featured media embeds. This can be done by a 3rd-party integration or using the CKEditor data pipeline and the toDataFormat event.
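The post-processing approach from the comment above, as an added example that is not part of the original thread or CKEditor's own code. It assumes the stored content carries scripts in CKEditor 4's protected-comment form (`<!--{cke_protected}` followed by the URI-encoded source); the host allowlist, function names and sample input are hypothetical.

```javascript
// Restore protected <script> embeds when rendering stored content, but only
// for allowlisted external sources. Everything else stays an inert comment.
// Assumption: scripts are stored as <!--{cke_protected}URI-ENCODED-SOURCE-->.
const ALLOWED_SCRIPT_HOSTS = new Set([ // constructed allowlist
  'www.instagram.com',
  'platform.twitter.com',
  'connect.facebook.net',
]);

const PROTECTED_RE = /<!--\{cke_protected\}(?:\{C\})?([\s\S]+?)-->/g;
// Accept only a bare external script: attributes, then an empty body.
const SCRIPT_RE = /^<script\b([^>]*)>\s*<\/script>$/i;
const SRC_RE = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)')/i;

// Returns the parsed URL when the decoded source is an allowlisted
// https script include, otherwise null.
function allowedScriptUrl(source) {
  const tag = SCRIPT_RE.exec(source.trim());
  if (!tag) return null; // inline code, or not a script at all
  const src = SRC_RE.exec(tag[1]);
  if (!src) return null;
  let url;
  try { url = new URL(src[1] ?? src[2]); } catch { return null; }
  if (url.protocol !== 'https:') return null;
  return ALLOWED_SCRIPT_HOSTS.has(url.hostname) ? url : null;
}

function restoreEmbedScripts(html) {
  return html.replace(PROTECTED_RE, (whole, encoded) => {
    let source;
    try { source = decodeURIComponent(encoded); } catch { return whole; }
    const url = allowedScriptUrl(source);
    // Re-emit a normalized tag (src only) instead of the decoded text,
    // so no other attribute or body from the stored content is revived.
    return url ? `<script async src="${url.href}"></script>` : whole;
  });
}

// Constructed sample input: builds a marker in the assumed stored form.
const protectForDemo = (s) =>
  '<!--{cke_protected}' + encodeURIComponent(s).replace(/--/g, '%2D%2D') + '-->';
const sampleStored = '<p>Post</p>' +
  protectForDemo('<script async src="https://www.instagram.com/embed.js"></script>') +
  protectForDemo('<script>doSomething()</script>');
```

Run `restoreEmbedScripts` on the server or in the render layer, not inside the editor, so the editing surface keeps its default protection.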

Ok cool, I am also open to contribute so I will hopefully start to work on it soon.

I will reference this issue when PR is opened.

@f1ames added draft PR. We can continue discussion there I suppose.
