From: Mischa POSLAWSKY <perl@shiar.org>
Date: Fri, 29 Sep 2017 11:06:04 +0000 (+0200)
Subject: edit: paste limited html, enforce filter on all events
X-Git-Tag: v2.3~10
X-Git-Url: http://git.shiar.net/minimedit.git/commitdiff_plain/bd83adaa7865fbcbbc1fc4c497331e2a3ddceb37

edit: paste limited html, enforce filter on all events

Recent feature for more advanced restrictions, allowing rich text without
unwanted styling attributes.  Unfortunately, the filter is not applied for
"internal" sources which apparently includes Word in Linux, so manually
execute for any contaminated contents.
---

diff --git a/edit.js b/edit.js
index dfa4a6d..6dcb705 100644
--- a/edit.js
+++ b/edit.js
@@ -45,6 +45,21 @@ CKEDITOR.on('dialogDefinition', function (event) {
 
 CKEDITOR.on('instanceCreated', function (event) {
 	var editor = event.editor;
+	var pastefilter = 'h2 h3 p ul ol li blockquote em i strong b; a[!href]; img[alt,!src]';
+
+	editor.on('paste', function (e) {
+		var html = e.data.dataValue;
+		if (!/<[^>]* style="/.test(html) && !/<font/.test(html)) return;
+
+		// force pasteFilter on contents containing styling attributes
+		var filter = new CKEDITOR.filter(pastefilter),
+			fragment = CKEDITOR.htmlParser.fragment.fromHtml(html),
+			writer = new CKEDITOR.htmlParser.basicWriter();
+		filter.applyTo(fragment);
+		fragment.writeHtml(writer);
+		e.data.dataValue = writer.getHtml();
+	});
+
 	editor.on('configLoaded', function () {
 		var config = editor.config;
 		config.language = 'nl';
@@ -53,7 +68,7 @@ CKEDITOR.on('instanceCreated', function (event) {
 		config.allowedContent = true;
 		config.entities = false; // keep unicode
 		config.filebrowserImageUploadUrl = '/edit?type=img';
-		config.forcePasteAsPlainText = true;
+		config.pasteFilter = pastefilter;
 		config.contentsCss = document.styleSheets[0].href;
 		config.toolbar = [
 			['Inlinesave', '-', 'Undo', 'Redo'],