
Geeklog Forums

Is kses really a good idea with FCKeditor??



monoclast

Forum User
Junior
Registered: 07/08/06
Posts: 26
I've read http://www.geeklog.net/faqman/index.php?op=view&t=32, and I am trying so hard to like the kses stripping functionality of Geeklog, but it constantly gets in the way of simple things we want to do in stories we want to publish!! It's driving me mad.

For instance, I have a table in a story, and I want the top row of the table to be column headers. I want these column headers to have a black background with white text.

To control table cell background colors, FCKeditor uses the <td bgcolor> element and attribute. So I log in as Admin, and go to Configuration > Miscellaneous > HTML Filtering, view the Admin HTML list, and add td > bgcolor. That works. Yey!

Now, to control font color within the table cell, FCKeditor uses the <span style> element and attribute. So I log in as Admin, and go to Configuration > Miscellaneous > HTML Filtering, view the Admin HTML list, and add span > style. But even though I have done this, Geeklog strips the content of the style attribute away!

Geeklog strips this:

Text Formatted Code
<td bgcolor="#000000"><span style="color: rgb(255, 255, 255);"><strong>Map</strong></span></td>


...down to this:

Text Formatted Code
<td bgcolor="#000000"><span style=""><strong>Map</strong></span></td>


Which results in black text on a black background! Grrr!

So is there a way to prevent this?

I have to ask (and I mean no disrespect - it's just frustrating as hell to me):

Why offer the FCKeditor if you only turn around and cripple the living crap out of it??

Why do you not let me decide who I will trust to create articles on my site? I don't want to have to give out my root password to people just so they can use the editor to its full potential.

Sorry for the tone, but I've been wasting lots of time running into issue after issue like this with FCKeditor and kses, and it's quite frustrating!
-mono
 Quote


Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
As far as content coming from your users is concerned, it's really in your own best interest that these things are filtered ...

I can understand your frustration from an Admin's point of view, though. That's why there's the "Skip HTML Filter for Root?" option ...

Inline CSS isn't going to work with kses. That's a bug / limitation of kses. For missing tags and attributes, maybe someone could write an "import" script that makes it easier to get a working set of HTML tags and attributes into the configuration?

bye, Dirk
 Quote
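What a filter would have to do to let the `color` declaration from the first post through without accepting arbitrary inline CSS, as an added example that is not part of the thread and is not kses or Geeklog code. The property allowlist, the value patterns, and the names `filterStyle()` and `styleAttribute()` are assumptions made for this illustration.

```php
<?php
// Added illustration, not kses or Geeklog code. The property allowlist and
// the value patterns are assumptions chosen for this example.
const COLOR_VALUE = '/^(#[0-9a-f]{3}|#[0-9a-f]{6}|[a-z]{3,20}'
    . '|rgb\(\s*\d{1,3}\s*,\s*\d{1,3}\s*,\s*\d{1,3}\s*\))$/iD';
const STYLE_ALLOWLIST = [
    'color'            => COLOR_VALUE,
    'background-color' => COLOR_VALUE,
    'text-align'       => '/^(left|right|center|justify)$/iD',
    'font-weight'      => '/^(normal|bold|[1-9]00)$/iD',
];

// Keep only declarations whose property is allowlisted and whose value
// matches that property's pattern; everything else is dropped.
function filterStyle(string $style): string
{
    // Escapes, comments, at-rules and markup characters can hide a token
    // from a pattern match, so a value containing them is refused whole.
    if (preg_match('~[\\\\@<>]|/\*~', $style)) {
        return '';
    }
    $kept = [];
    foreach (explode(';', $style) as $declaration) {
        $parts = explode(':', $declaration, 2);
        if (count($parts) !== 2) {
            continue; // empty piece or no "property: value" shape
        }
        $property = strtolower(trim($parts[0]));
        $value    = trim($parts[1]);
        $pattern  = STYLE_ALLOWLIST[$property] ?? null;
        if ($pattern !== null && preg_match($pattern, $value) === 1) {
            $kept[] = $property . ': ' . $value;
        }
    }
    return implode('; ', $kept);
}

// Rebuild the attribute; an empty result means the attribute is omitted.
function styleAttribute(string $style): string
{
    $clean = filterStyle($style);
    return $clean === '' ? '' : ' style="' . htmlspecialchars($clean, ENT_QUOTES, 'UTF-8') . '"';
}

$samples = [
    'color: rgb(255, 255, 255);',                          // value from the first post
    'color: #fff; position: fixed; top: 0',                // constructed sample
    'background-color: url(http://example.invalid/x.png)', // constructed sample
    'color: r\65 d',                                       // constructed sample (CSS escape)
];
foreach ($samples as $sample) {
    echo $sample, "\n  => <span", styleAttribute($sample), ">\n";
}
```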


monoclast

Forum User
Junior
Registered: 07/08/06
Posts: 26
Quote by: Dirk

As far as content coming from your users is concerned, it's really in your own best interest that these things are filtered ...

I can understand your frustration from an Admin's point of view, though. That's why there's the "Skip HTML Filter for Root?" option ...

Inline CSS isn't going to work with kses. That's a bug / limitation of kses. For missing tags and attributes, maybe someone could write an "import" script that makes it easier to get a working set of HTML tags and attributes into the configuration?

bye, Dirk


To me, this is a fundamental flaw in logic.

On the one hand, you take the position that it's in my own best interests that content from ALL users – even users I happen to deem safe – is filtered. Yet on the other hand, you are providing access to the FCKeditor to *all* users when it is enabled! Either you want Geeklog users to enjoy FCKeditor, or not - you can't have it both ways. If you try to have it both ways, you end up with this very frustrating scenario where something that could be excellent is crippled / broken instead. At best, you're setting up FCKeditor for failure with this logic, which is, like it or not, a bad user experience for Geeklog users and administrators.

What you seem to be telling me is my only recourse is to:

a. Give all story admins access to the root account so that they can use FCKeditor the way it is designed to be used. I refuse to do this. Why have the story admin group at all then?
-or-
b. Disable FCKeditor completely, since there is no way to get it working correctly for all story editors.
I'd hate to do that, because the alternative Plain Text and HTML editors pretty much suck.

Neither is an acceptable answer to this problem, to me. I don't see the point in offering FCKeditor to your users if half of its features are, in effect, hopelessly broken.

Please reconsider your position on this. This is not good for the Geeklog community as it stands. You might as well remove FCKeditor completely, IMO. It's a bad user experience.
-mono
 Quote

happy

Anonymous
happy
mono,

try glfusion instead www.glfusion.org

they forked from Geeklog a while back and I'm setting up all my new sites with it. It's very nice

cheers!

 Quote


1000ideen

Forum User
Full Member
Registered: 08/04/03
Posts: 1298
No problem, you can hack this in lib-common.php line 2966

Find: SEC_inGroup( 'Root' )) and replace with SEC_inGroup( 'Story Admin' ))

Now all HTML is being skipped for story admins rather than root. That's good when you have a limited number of story admins you can trust.
 Quote


monoclast

Forum User
Junior
Registered: 07/08/06
Posts: 26
Quote by: 1000ideen

No problem, you can hack this in lib-common.php line 2966

Find: SEC_inGroup( 'Root' )) and replace with SEC_inGroup( 'Story Admin' ))

Now all HTML is being skipped for story admins rather than root. That's good when you have a limited number of story admins you can trust.


Mine happened to be in a different place, probably because I've got different modifications:
Text Formatted Code
3007 // The following modification was made by monoclast on 03/13/2009 to fix this
3008 // problem: <http://www.geeklog.net/forum/viewtopic.php?showtopic=86652>
3009     if( isset( $_CONF['skip_html_filter_for_root'] ) &&
3010              ( $_CONF['skip_html_filter_for_root'] == 1 ) &&
3011              SEC_inGroup( 'Story Admin' ))      // SEC_inGroup( 'Root' ))
3012     {
3013         return $str;
3014     }

Anyhow, I just checked and it does appear to work! So I thank you!!

Now I would love to see a configuration option for this sort of thing in Geeklog at some point in the future, so I don't have to make this hack every time I upgrade. Should I file a bug report on it, or what?
-mono
 Quote


1000ideen

Forum User
Full Member
Registered: 08/04/03
Posts: 1298
Yes, I think it would be good to have a feature request for it. There should be a drop down box for "skip root for ???" and then a list of the groups.

This is very helpful if there is a limited user group, as is typical on a homepage where the owner is not root. This is the case with all my friends for whom I set up a Geeklog.
 Quote


jmucchiello

Forum User
Full Member
Registered: 08/29/05
Posts: 985
The proper way to do it would be to create a feature "htmlfilter.bypass" (or something). Then you could assign this permission to any group you wanted (and even take it away from root). Then the configuration option is unnecessary. Then change the whole if to if (SEC_HasAccess("htmlfilter.bypass")).
 Quote
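The feature-based bypass proposed above, modelled as an added example that is not part of the thread and is not Geeklog code: the filter decision depends on an assignable feature rather than a hard-coded group name, and an audit helper lists every group whose members can store unfiltered HTML. `hasFeature()`, `groupsWithFeature()`, `filterStoryHtml()` and the `$groupFeatures` map are hypothetical stand-ins; only 'Root', 'Story Admin' and 'htmlfilter.bypass' come from the thread.

```php
<?php
// Added illustration, not Geeklog code. All function names and the
// $groupFeatures map are hypothetical; 'Root', 'Story Admin' and
// 'htmlfilter.bypass' come from the thread, the rest is constructed.

// Constructed sample assignment. Root holds no implicit bypass here.
$groupFeatures = [
    'Root'            => ['story.edit'],
    'Story Admin'     => ['story.edit', 'htmlfilter.bypass'],
    'Logged-in Users' => [],
];

// True if any of the user's groups carries the feature.
function hasFeature(array $userGroups, string $feature, array $groupFeatures): bool
{
    foreach ($userGroups as $group) {
        if (in_array($feature, $groupFeatures[$group] ?? [], true)) {
            return true;
        }
    }
    return false;
}

// Audit helper: every group whose members can post unfiltered HTML.
function groupsWithFeature(string $feature, array $groupFeatures): array
{
    return array_keys(array_filter(
        $groupFeatures,
        function (array $features) use ($feature) {
            return in_array($feature, $features, true);
        }
    ));
}

function filterStoryHtml(string $html, array $userGroups, array $groupFeatures): string
{
    if (hasFeature($userGroups, 'htmlfilter.bypass', $groupFeatures)) {
        return $html; // trusted author: markup is stored exactly as submitted
    }
    // Stand-in for the kses pass: escape all markup instead of filtering it.
    return htmlspecialchars($html, ENT_QUOTES, 'UTF-8');
}

$story = '<span style="color: rgb(255, 255, 255);"><strong>Map</strong></span>';
echo filterStoryHtml($story, ['Story Admin'], $groupFeatures), "\n";     // holds the feature
echo filterStoryHtml($story, ['Root'], $groupFeatures), "\n";            // feature not assigned
echo filterStoryHtml($story, ['Logged-in Users'], $groupFeatures), "\n"; // feature not assigned
echo implode(', ', groupsWithFeature('htmlfilter.bypass', $groupFeatures)), "\n";
```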
