Preserving SCRIPT tags (and more) in CKEditor

Posted on 2024-08-11 05:34:49

Is it possible to create a block of code within the CKEditor that will not be touched by the editor itself, and will be maintained in its intended-state until explicitly changed by the user? I've been attempting to input javascript variables (bound in script tags) and a flash movie following, but CKEditor continues to rewrite my pasted code/markup, and in doing so breaking my code.

I'm working with the following setup:

<script type="text/javascript">
  var editor = CKEDITOR.replace("content", {
    height : "500px",
    width : "680px",
    resize_maxWidth : "680px",
    resize_minWidth : "680px",
    toolbar :
    [
      ['Source','-','Save','Preview'],
      ['Cut','Copy','Paste','PasteText','PasteFromWord','-','Print', 'SpellChecker', 'Scayt'],
      ['Undo','Redo','-','Find','Replace','-','SelectAll','RemoveFormat'],
      ['Bold','Italic','Underline','Strike','-','Subscript','Superscript'],
      ['NumberedList','BulletedList','-','Outdent','Indent','Blockquote'],
      ['JustifyLeft','JustifyCenter','JustifyRight','JustifyBlock'],
      ['Link','Unlink','Anchor'],
      ['Image','Table','HorizontalRule','SpecialChar']
    ]
  });
  CKFinder.SetupCKEditor( editor, "<?php print url::base(); ?>assets/ckfinder" );
</script>

I suppose the most ideal solution would be to preserve the contents of any tag that contains class="preserve" enabling much more than the limited exclusives.

Update: I'm thinking the solution to this problem is in CKEDITOR.config.protectedSource(), but my regular-expression experience is proving to be too juvenile to handle this issue. How would I go about exempting all tags that contain the 'preserved' class from being touched by CKEditor?

Comments (3)

め可乐爱微笑 2024-08-18 05:34:49

In the CKEDITOR folder you have a config.js file. Open it and paste the code:

CKEDITOR.editorConfig = function( config ) {
    config.allowedContent = {
        script: true,
        $1: {
            // This will set the default set of elements
            elements: CKEDITOR.dtd,
            attributes: true,
            styles: true,
            classes: true
        }
    };
};

It will allow <script>...</script> tags in Source mode.

临走之时 2024-08-18 05:34:49

Suggestion 1: Create separate plain textarea for the admin to enter the scripts / HTML code.

Suggestion 2: Introduce a bbcode, like [script][/script] or [html][/html] that the admins can use to put the scripts / HTML code and have your server-side translate them into <script></script> and HTML code. Make sure when showing a saved content into the CKEditor, you need to have your server-side translate them into the bbcode first (or CKEditor will strip them out). Or the less-hassle way is to store the submitted content in the database as it is entered and only do the translation when displaying the page.

Suggestion 3: Since you want to use class="preserve" to mark tags you don't want CKEditor to strip out, then add the following JavaScript lines when initializing the editor:

// protect <anytag class="preserve">...</anytag>; [\s\S]*? spans line breaks
// and stops at the first matching closing tag
CKEDITOR.config.protectedSource.push( /<([^\s>]+)[^>]*class="preserve"[^>]*>[\s\S]*?<\/\1>/g );
// protect <anytag class="preserve" />
CKEDITOR.config.protectedSource.push( /<[^>]+class="preserve"[^>\/]*\/>/g );
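
An added example (not part of the answer or of CKEditor) that checks, outside the editor, which spans of constructed sample markup a set of protectedSource-style patterns would match, comparing an element body matched with `.*` against one matched with `[\s\S]*?`. The `sample` markup and the `protectedSpans` helper are hypothetical names, and the tag-name group is written as `[^\s>]+`.

```javascript
// Constructed sample markup: a multi-line preserved <script>, two preserved
// <span>s on one line with editable content between them, and a self-closing
// preserved tag.
const sample = [
  '<p>intro</p>',
  '<script class="preserve">',
  '  var movieId = 42;',
  '</script>',
  '<span class="preserve">a</span> <b>editable</b> <span class="preserve">b</span>',
  '<img class="preserve" src="x.png" />',
].join('\n');

// Body matched with `.*`: stops at line breaks and is greedy.
const singleLine = /<([^\s>]+)[^>]*class="preserve"[^>]*>.*<\/\1>/g;
// Body matched with `[\s\S]*?`: spans line breaks, stops at the first closing tag.
const multiLine = /<([^\s>]+)[^>]*class="preserve"[^>]*>[\s\S]*?<\/\1>/g;
// Self-closing form, as in the answer above.
const selfClosing = /<[^>]+class="preserve"[^>\/]*\/>/g;

// Hypothetical helper: returns, in document order, every substring matched by
// any of the patterns. Anything inside such a span is passed through the
// editor untouched, so an over-wide match also exempts markup nobody marked.
function protectedSpans(html, patterns) {
  const spans = [];
  for (const re of patterns) {
    for (const m of html.matchAll(re)) {
      spans.push({ index: m.index, text: m[0] });
    }
  }
  return spans.sort((a, b) => a.index - b.index).map((s) => s.text);
}

const withDot = protectedSpans(sample, [singleLine, selfClosing]);
const withLazy = protectedSpans(sample, [multiLine, selfClosing]);

console.log('`.*` body:', withDot);
console.log('`[\\s\\S]*?` body:', withLazy);
```

With the `.*` body the multi-line script is not matched at all and the two spans collapse into one match that swallows the unmarked `<b>` element; with the lazy body each marked element is matched on its own.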

拒绝两难 2024-08-18 05:34:49

The issue is not with the CKEditor. Instead, the issue was with the MVC-Engine running the Site itself. Kohana has a global_xss_filtering within its configuration that is enabled by default. This prevents the submission of script tags, to prevent scripting-attacks on your site. Changing this value to false will permit the submission of <script> tags in forms, but it also opens up the site to potential security issues that can be very serious. It is advisable that you not disable global_xss_filtering.

/* /(system|application)/config/config.php - line 66 */
/**
 * Enable or disable global XSS filtering of GET, POST, and SERVER data. This
 * option also accepts a string to specify a specific XSS filtering tool.
 */
$config['global_xss_filtering'] = FALSE;