Codeigniter 2.0.2, TinyMCE or CKEditor – style attribute lost after update
If you're using the TinyMCE or CKEditor WYSIWYG editor with CodeIgniter version > 2.0, you may run into a problem with a disappearing style attribute.
You set a style like <span style="color:blue;"></span> and after submitting the form you get <span></span>.
Where the hell is style="" ?
Probably you have this option enabled in config.php:
    $config['global_xss_filtering'] = TRUE;
After disabling global filtering, the WYSIWYG editor no longer loses styles.
Personally, I did not want to disable this feature so I made a workaround ;o)
Edited based on Bart’s suggestion to not mess with core files ;o)
This protection was added for a reason, so rather than getting rid of it completely I created an array that stores the addresses (request URIs) on which the style attribute is not to be removed.
You need to create a MY_Security.php file as an extension of the core Security class and add the modified function _remove_evil_attributes.
    <?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

    // application/core/MY_Security.php - extends the core Security class of CI 2.x
    class MY_Security extends CI_Security {

        protected function _remove_evil_attributes($str, $is_image)
        {
            // Request URIs (without domain), e.g. your editor's save action, on which the
            // style attribute is kept. The match is exact, so a query string or a different
            // trailing slash makes it fail. Keep this list to authenticated admin routes.
            $allowed = array('/admin/edittext/');

            // All javascript event handlers (e.g. onload, onclick, onmouseover), style, and xmlns
            if (in_array($_SERVER['REQUEST_URI'], $allowed))
            {
                $evil_attributes = array('on\w*', 'xmlns');
            }
            else
            {
                $evil_attributes = array('on\w*', 'style', 'xmlns');
            }

            if ($is_image === TRUE)
            {
                /*
                 * Adobe Photoshop puts XML metadata into JFIF images,
                 * including namespacing, so we have to allow this for images.
                 */
                unset($evil_attributes[array_search('xmlns', $evil_attributes)]);
            }

            // Strip one evil attribute per pass until nothing is left to remove
            do {
                $str = preg_replace(
                    "#<(/?[^><]+?)([^A-Za-z\-])(".implode('|', $evil_attributes).")(\s*=\s*)([\"][^>]*?[\"]|[\'][^>]*?[\']|[^>]*?)([\s><])([><]*)#i",
                    "<$1$6",
                    $str, -1, $count
                );
            } while ($count);

            return $str;
        }
    }
And that’s it.
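A stricter variant of the allowlist idea, added here as an example and not part of the original post or of CodeIgniter: the request path is compared without its query string, and on the allowed routes the style attribute is kept only with declarations from a small set of CSS properties with plain values, so url(), expression() and javascript: never reach the database. It sits beside CI's own stripping of on* handlers and xmlns rather than replacing it; the route list, the property list and the function names are assumptions.

```php
<?php
// Added example, not from the original post or CodeIgniter core: on allowlisted
// editor routes keep style="", but only with harmless declarations.
$ALLOWED_PATHS = array('/admin/edittext', '/admin/editpage');   // hypothetical routes
$ALLOWED_PROPS = array('color', 'background-color', 'font-size', 'font-weight',
                       'font-style', 'text-decoration', 'text-align'); // assumption
// Compare the path only: an exact in_array($_SERVER['REQUEST_URI'], ...) silently
// fails on a "?id=7" query string or on a missing/extra trailing slash.
function style_allowed_for($request_uri, array $allowed_paths) {
    $path = rtrim((string) parse_url($request_uri, PHP_URL_PATH), '/');
    $norm = array_map(function ($p) { return rtrim($p, '/'); }, $allowed_paths);
    return in_array($path, $norm, true);
}
// Keep a declaration only if its property is allowlisted and its value is letters,
// digits, '#', '%', '.', ',', '-' and spaces: no parentheses, colons, quotes or
// slashes, so url(), expression() and javascript: cannot get through (rgb() is
// rejected as a side effect; use hex colours).
function clean_style_value($style, array $allowed_props) {
    $kept = array();
    foreach (explode(';', $style) as $decl) {
        $parts = explode(':', $decl, 2);
        if (count($parts) !== 2) {
            continue;
        }
        $prop  = strtolower(trim($parts[0]));
        $value = trim($parts[1]);
        if (in_array($prop, $allowed_props, true)
            && preg_match('/^[A-Za-z0-9#%.,\- ]{1,64}$/', $value)) {
            $kept[] = $prop . ':' . $value;
        }
    }
    return implode(';', $kept);
}
// Rewrite each style attribute (quoted or unquoted value) to its cleaned form, or
// drop it when nothing survives; on* handlers and xmlns are still CI's job.
function filter_style_attributes($html, array $allowed_props) {
    return preg_replace_callback(
        '#\sstyle\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]*)#i',
        function ($m) use ($allowed_props) {
            $clean = clean_style_value(trim($m[1], "\"'"), $allowed_props);
            return $clean === '' ? '' : ' style="' . htmlspecialchars($clean, ENT_QUOTES) . '"';
        },
        $html
    );
}
// Constructed editor payload, as the save action of /admin/edittext/ would receive it.
$html = '<span style="color:#0000ff; width:expression(alert(1))">x</span><p style="background:url(evil)">y</p>';
if (style_allowed_for('/admin/edittext/?id=7', $ALLOWED_PATHS)) {
    echo filter_style_attributes($html, $ALLOWED_PROPS), "\n";
}
```

For the constructed payload only color:#0000ff survives; the width and background declarations are dropped, and the second tag loses its style attribute entirely.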
Thanks man for this tutorial, but I hope to provide another way to protect the database from some specific tags, because sometimes we need to allow visitors to play with some styles. How to do that?
I will also search, maybe do a tutorial like this in the future.
Thanks again.
It seems to work well, but it converts to <style>; this makes the content echo for me. Please, any idea will be helpful.
Hi sir, can you tell me which folder I paste this file in? And how can I get it?
Hi, I tried this but it is not working.
It does work for almost everyone, so either you have something else in your code that causes this (some library, for example), or you need to modify this
    if(in_array($_SERVER['REQUEST_URI'],$allowed)){
to meet your condition.
Thanks, now it is working fine. Really thanks for your support.
Thank you so much Eliza. It was giving me a lot of problems. Thank you so much.
Thank you so much, it was a real pain, I tried different editors and configurations, but this is a gem.
Thanks Eliza. Your article is very useful.
None of the above worked for me and I wanted to have it disabled on specified controllers, here is how I modified it to get working:
    <?php if (!defined('BASEPATH')) { exit('No direct script access allowed'); }
    /**
     * Created by PhpStorm.
     * User: Sarfraz
     * Date: 5/27/14
     * Time: 4:08 PM
     */
    class MY_Security extends CI_Security {
        function __construct() {
            parent::__construct();
        }
        protected function _remove_evil_attributes($str, $is_image) {
            // disable xss on these controllers
            $allowedUris = array('createpage', 'editpage');
            // All javascript event handlers (e.g. onload, onclick, onmouseover), style, and xmlns
            $foundMatchingUrl = false;
            foreach ($allowedUris as $allowedUri) {
                if (false !== stripos($_SERVER['REQUEST_URI'],…
Wow.. you saved my day..
I was looking around to find this solution since I'm using TinyMCE for the first time..
Thank you so much..
morph,
you need to check if the $_SERVER['REQUEST_URI'] matches the element from your array. If it's not working it's probably because the condition is not met. Maybe because of a slash or something. echo $_SERVER['REQUEST_URI'] and check if it's equal to what you put in your array.
Hi, I'm using CI 2.1.3 and CkEdit, I downloaded this core extension and still XSS filter kills my style attribute? Any ideas?
thanks… a lot… :D
ganesh, can you tell me what exactly did you do and how you implement this?
Thanks for your information. After adding the class, I'm still having a problem. The style attribute was removed from the span tag.
Thank you so much! This has been frustrating me for 2 days!!! You are the best!!
Hi Bart! Glad I could help.
And you are absolutely right to put it in an extended class. Then it's not such an ugly workaround ;o)
I was so happy that I finally found the reason that I forgot about MY_.
It should definitely be in an extended class. Thank you for pointing this out :o)
Hi there, thx, this was what I was looking for. I've extended the core class so I don't have to mess with the system source ;) Just create a file called MY_Security.php in the application core folder and put this code in it:
    <?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
    /**
     *
     * Extend Security controller
     *
     */
    class MY_Security extends CI_Security {
        function __construct() {
            parent::__construct();
        }
        protected function _remove_evil_attributes($str, $is_image) {
            // All javascript event handlers (e.g. onload, onclick, onmouseover), style, and xmlns
            $evil_attributes = array('on\w*', 'xmlns');
            if ($is_image === TRUE) {
                /*
                 * Adobe Photoshop…