Codeigniter 2.0.2, TinyMCE or CKEditor – style attribute lost after update

If you’re using WYSIWYG TinyMCE or CKEditor and framework CodeIgniter version >2.0, you can have problem with dissapearing style attribute.

You set style like <span style=”color:blue;”></span> and after submitting the form you get <span></span>.

Where the hell is style=”” ?

Probably you have this option enable in config.php file :

$config['global_xss_filtering'] = TRUE;

After disabling global filtering , WYSIWYG do not lose styles.

Personally, I did not want to disable this feature so I made a workaround ;o) 

Edited based on Bart’s suggestion to not mess with core files ;o)

This security was added for some reason, so to not get rid it completly I created array that store the addresses to which the tag style is not to be removed.

You need to create MY_Security.php file as extension for core Security class and add modified function _remove_evil_attributes.

protected function _remove_evil_attributes($str, $is_image){
  // All javascript event handlers (e.g. onload, onclick, onmouseover), style, and xmlns
  $allowed = array("your allowed url's without domain like '/admin/edittext/'");
  if(in_array($_SERVER['REQUEST_URI'],$allowed)){
    $evil_attributes = array('on\w*', 'xmlns');
  }else{
    $evil_attributes = array('on\w*', 'style', 'xmlns');
  }

  if ($is_image === TRUE){
    /*
    * Adobe Photoshop puts XML metadata into JFIF images, 
    * including namespacing, so we have to allow this for images.
    */
    unset($evil_attributes[array_search('xmlns', $evil_attributes)]);
  }

  do {
    $str = preg_replace(
      "#<(/?[^><]+?)([^A-Za-z\-])(".implode('|', $evil_attributes).")(\s*=\s*)([\"][^>]*?[\"]|[\'][^>]*?[\']|[^>]*?)([\s><])([><]*)#i",
      "<$1$6",
      $str, -1, $count
    );
  } while ($count);
  return $str;
}

And that’s it.

download MY_Security.php file