blueo changed the title from "HTMLEditorField doesn't use configured config for sanitisation" to "HTMLEditorField doesn't use field assigned configuration for sanitisation" on Oct 13, 2023
Affected Version
Tested on 4.12 and 5
Description
Saving an HTMLEditorField always uses the 'active' HTMLEditorConfig rather than the config defined on the field when sanitising the content for saving into the database.
I would have expected the field to sanitise its content using the config set on the field.
It means it is not possible to have more than one kind of server-side validation. This probably goes unnoticed as the client will prevent adding invalid content in the JS and the default valid elements are fairly permissive. However, it is possible to bypass the client restrictions (e.g. with the source button).
Steps to Reproduce
This test will reproduce the issue:
If you uncomment
HTMLEditorConfig::set_active_identifier('table');
then the test will pass.
Setting the active identifier works unless you have multiple different configurations within the same form, as there can only be one active config at a time.
Save into could instead use the config attached to the field and fall back to the active one?
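A minimal model of the behaviour described in this issue and of the suggested field-config-with-fallback lookup, added here as an illustration and not taken from the issue or the project's code. It shows markup that a field's own config disallows being stored when the active config is more permissive. `EditorConfig`, `EditorField` and their methods are hypothetical stand-ins, and `strip_tags()` stands in for the real sanitiser.

```php
<?php
// Model of the issue; these classes are hypothetical stand-ins, not framework code.
final class EditorConfig
{
    private static array $registry = [];
    private static string $activeId = 'default';
    private array $validElements;

    public function __construct(array $validElements) { $this->validElements = $validElements; }
    public static function set(string $id, EditorConfig $c): void { self::$registry[$id] = $c; }
    public static function setActive(string $id): void { self::$activeId = $id; }
    public static function active(): EditorConfig { return self::$registry[self::$activeId]; }

    // Stand-in sanitiser: strip_tags() removes tags outside the allow-list but keeps
    // attributes on allowed tags, so it models element filtering only.
    public function sanitise(string $html): string
    {
        return strip_tags($html, $this->validElements);
    }
}

final class EditorField
{
    public string $value = '';
    private ?EditorConfig $config;

    public function __construct(?EditorConfig $config = null) { $this->config = $config; }

    // Reported behaviour: the save path sanitises with the active config only.
    public function saveWithActiveConfig(): string
    {
        return EditorConfig::active()->sanitise($this->value);
    }

    // Suggested behaviour: use the field's config, fall back to the active one.
    public function saveWithFieldConfig(): string
    {
        return ($this->config ?? EditorConfig::active())->sanitise($this->value);
    }
}

// Constructed configs: a permissive active default and a stricter per-field one.
EditorConfig::set('default', new EditorConfig(['p', 'strong', 'a', 'table', 'tr', 'td']));
$field = new EditorField(new EditorConfig(['p', 'strong']));

// Constructed request body, sent without going through the client-side editor.
$field->value = '<p>Hi <a href="https://example.test/">link</a></p><table><tr><td>x</td></tr></table>';

echo "active config: ", $field->saveWithActiveConfig(), PHP_EOL;
echo "field config:  ", $field->saveWithFieldConfig(), PHP_EOL;
```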