andynedine wrote:I have a problem in IE7 and IE8. I have always activated paste as plain text, so anyone can get unwanted malicious links. The problem is that if I write a text with a url, it automatically detects and converts the url into a link, when it should be plain text, for example, write this: "This is a test with a link to the website of CKEditor, http://www.ckeditor.com. If I keep typing the url is active as a link."
I have no problems with Firefox. I even tried to override the value. forcePasteAsPlainText. But with IE, even in the demo, I get the link. Occurs in several ways: 1 .- Hand Writing url and pressing SPACE, detects that it is a url 2 .- CTRL + V is written as a url. 3 .- button "Paste as Plain Text" writes plain, but pressing SPACE makes URL
These cases are in IE, both the demo and in my project.
Yes, that's the IE behavior. If you don't want it you'll have to write some smart code to detect when IE opts to create such links or upgrade to IE 9 where they have added an option to disable it.
Maybe something so simple as using a keyboard listener that checks after a few milliseconds if now the caret is after a link might work. I don't know, you'll have to test, try, ... I'm not sure if you could use some kind of DOM mutation events, but they are generally too expensive (= slow page).
It would be cool if you find a nice solution, because it's not that hard to create a little bit of nasty code that performs the job (for example checking the number of links before and after each keystroke) but that slows the page to a crawl.
As a temporary workaround (until someone find a better solution) you can include a note that all links will be saved as plain text and then strip all <a> tags on the server side.
This way you'll be also guarded against some other hacks that can be performed on the client side in order to include links.
Unfortunately IE <= 8 doesn't implement DOM mutation events.
Below I propose an idea which can be further developed and improved (e.g. in order to increase performance we could probably operate directly on DOM nodes, bypassing CKEditor's classes)
function eraseLinks()
{
// check if editor's content was actually changed
if (eraseLinks.data != editor.getSnapshot())
{
eraseLinks.data = editor.getSnapshot();
// get all A elements
var elements = editor.document.getElementsByTag("A");
// for each A element
for (var i=0; i<elements.count(); i++)
{
var item = elements.getItem(i);
var parent = item.getParent();
var previous = item.getPrevious();
var next = item.getNext();
var children = item.getChildren();
// for each child
for (var j=0; j<children.count(); j++)
{
var child = children.getItem(0);
if (previous)
{
child.insertAfter(previous);
previous = child;
}
else if (next)
child.insertBefore(next);
else
child.appendTo(parent);
}
}
}
}
setInterval(eraseLinks, 500);
The eraseLinks() function should be also invoked just before submitting a form.
Re: Plain text and not detect url
Re: Plain text and not detect url
Re: Plain text and not detect url
Re: Plain text and not detect url
Re: Plain text and not detect url
demo
Re: Plain text and not detect url
But with IE, even in the demo, I get the link. Occurs in several ways:
1 .- Hand Writing url and pressing SPACE, detects that it is a url
2 .- CTRL + V is written as a url.
3 .- button "Paste as Plain Text" writes plain, but pressing SPACE makes URL
These cases are in IE, both the demo and in my project.
Re: Plain text and not detect url
Re: Plain text and not detect url
Re: Plain text and not detect url
Maybe something so simple as using a keyboard listener that checks after a few milliseconds if now the caret is after a link might work. I don't know, you'll have to test, try, ... I'm not sure if you could use some kind of DOM mutation events, but they are generally too expensive (= slow page).
It would be cool if you find a nice solution, because it's not that hard to create a little bit of nasty code that performs the job (for example checking the number of links before and after each keystroke) but that slows the page to a crawl.
Re: Plain text and not detect url
As a temporary workaround (until someone find a better solution) you can include a note that all links will be saved as plain text and then strip all <a> tags on the server side.
This way you'll be also guarded against some other hacks that can be performed on the client side in order to include links.
Re: Plain text and not detect url
Below I propose an idea which can be further developed and improved (e.g. in order to increase performance we could probably operate directly on DOM nodes, bypassing CKEditor's classes)
function eraseLinks() { // check if editor's content was actually changed if (eraseLinks.data != editor.getSnapshot()) { eraseLinks.data = editor.getSnapshot(); // get all A elements var elements = editor.document.getElementsByTag("A"); // for each A element for (var i=0; i<elements.count(); i++) { var item = elements.getItem(i); var parent = item.getParent(); var previous = item.getPrevious(); var next = item.getNext(); var children = item.getChildren(); // for each child for (var j=0; j<children.count(); j++) { var child = children.getItem(0); if (previous) { child.insertAfter(previous); previous = child; } else if (next) child.insertBefore(next); else child.appendTo(parent); } } } } setInterval(eraseLinks, 500);The eraseLinks() function should be also invoked just before submitting a form.
Re: Plain text and not detect url
Re: Plain text and not detect url
Re: Plain text and not detect url
Re: Plain text and not detect url