From bd83adaa7865fbcbbc1fc4c497331e2a3ddceb37 Mon Sep 17 00:00:00 2001
From: Mischa POSLAWSKY <perl@shiar.org>
Date: Fri, 29 Sep 2017 13:06:04 +0200
Subject: [PATCH] edit: paste limited html, enforce filter on all events

Recent feature for more advanced restrictions, allowing rich text without
unwanted styling attributes.  Unfortunately, the filter is not applied for
"internal" sources which apparently includes Word in Linux, so manually
execute for any contaminated contents.
---
 edit.js | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/edit.js b/edit.js
index dfa4a6d..6dcb705 100644
--- a/edit.js
+++ b/edit.js
@@ -45,6 +45,21 @@ CKEDITOR.on('dialogDefinition', function (event) {
 
 CKEDITOR.on('instanceCreated', function (event) {
 	var editor = event.editor;
+	var pastefilter = 'h2 h3 p ul ol li blockquote em i strong b; a[!href]; img[alt,!src]';
+
+	editor.on('paste', function (e) {
+		var html = e.data.dataValue;
+		if (!/<[^>]* style="/.test(html) && !/<font/.test(html)) return;
+
+		// force pasteFilter on contents containing styling attributes
+		var filter = new CKEDITOR.filter(pastefilter),
+			fragment = CKEDITOR.htmlParser.fragment.fromHtml(html),
+			writer = new CKEDITOR.htmlParser.basicWriter();
+		filter.applyTo(fragment);
+		fragment.writeHtml(writer);
+		e.data.dataValue = writer.getHtml();
+	});
+
 	editor.on('configLoaded', function () {
 		var config = editor.config;
 		config.language = 'nl';
@@ -53,7 +68,7 @@ CKEDITOR.on('instanceCreated', function (event) {
 		config.allowedContent = true;
 		config.entities = false; // keep unicode
 		config.filebrowserImageUploadUrl = '/edit?type=img';
-		config.forcePasteAsPlainText = true;
+		config.pasteFilter = pastefilter;
 		config.contentsCss = document.styleSheets[0].href;
 		config.toolbar = [
 			['Inlinesave', '-', 'Undo', 'Redo'],
-- 
2.30.0