[horde] IMP: HTML editor - paste from word / Office /webpage doesn't work

Michael M Slusarz slusarz at horde.org
Mon Jun 24 19:44:12 UTC 2013 

Quoting Frank Richter <frank.richter at hrz.tu-chemnitz.de>:

> Quoting Michael M Slusarz:
>>
>>> The problem here: As it worked in IMP4, our users complain ...
>>
>> And the problem here is that IMP 4 had GIANT holes that people  
>> could use to completely ignore any sort of compose message  
>> limitations.  That is much more important.
>
> I understand the security issues. So the main goal is to eliminate  
> all HTML tags when pasting formatted text, right?

Yes.  And things like javascript.  And things like embedded data URLs.

> As I understand it this is currently done in  
> imp/js/ckeditor/pasteattachment.js calling stripTags()
>         ev.data.html = ev.data.html.stripTags();
>
> So e.g.  '<p>Text 1</p><p>Text 2</p>' becomes 'Text1Text 2'
> This is ugly, as removing the whitespaces / line breaks  disturbs reading.
>
> I tried CKEditor's option forcePasteAsPlainText set to true:  
> http://docs.cksource.com/ckeditor_api/symbols/CKEDITOR.config.html#.forcePasteAsPlainText
>    'CKEDITOR.config.forcePasteAsPlainText = true;' in  
> imp/lib/Script/Package/ComposeBase.php
> (patch attached)
>
> Effect: Pasting '<p>Text 1</p><p>Text 2</p>'  becomes 'Text1<br  
> />Text 2'     -> better reading.

Agreed.  This has been added.

> Dropping of images in CKEditor still works (which is very cool indeed!).
>
> Then the 2 buttons in the toolbar - "Copy" and "Copy from Word" -  
> could be removed, as they won't work as expected.

I'm actually going to remove the Paste Plain Text instead - this makes  
it easier for an admin to change their preferences locally (switching  
between allowed and not allowed).

And I'm going to leave Copy From Word for now.  That is a different  
mechanism.  Since it is actually going through the HTML-ish content  
and sanitizing, it should be ok.  Since this is not HTML data, things  
like embedded data URLs should also be ignored.

michael

___________________________________
Michael Slusarz [slusarz at horde.org]

More information about the horde mailing list