@ -980,6 +980,36 @@ define([
|
|
|
|
|
Ckeditor.plugins.addExternal('blockbase64', '/pad/', 'disable-base64.js');
|
|
|
|
|
Ckeditor.plugins.addExternal('comments', '/pad/', 'comment.js');
|
|
|
|
|
Ckeditor.plugins.addExternal('wordcount', '/pad/wordcount/', 'plugin.js');
|
|
|
|
|
|
|
|
|
|
/* CKEditor4 is, by default, incompatible with strong CSP settings due to the
|
|
|
|
|
way it loads a variety of resources and event handlers by injecting HTML
|
|
|
|
|
via the innerHTML API.
|
|
|
|
|
|
|
|
|
|
In most cases those handlers just call a function with an id, so there's no
|
|
|
|
|
strong case for why it should be done this way except that lots of code depends
|
|
|
|
|
on this behaviour. These handlers all stop working when we enable our default CSP,
|
|
|
|
|
but fortunately the code is simple enough that we can use regex to grab the id
|
|
|
|
|
from the inline code and call the relevant function directly, preserving the
|
|
|
|
|
intended behaviour while preventing malicious code injection.
|
|
|
|
|
|
|
|
|
|
Unfortunately, as long as the original code is still present the console
|
|
|
|
|
fills up with CSP warnings saying that inline scripts were blocked.
|
|
|
|
|
The code below overrides CKEditor's default `setHtml` method to include
|
|
|
|
|
a string.replace call which will rewrite various inline event handlers from
|
|
|
|
|
onevent to oonevent.. rendering them invalid as scripts and preventing
|
|
|
|
|
some needless noise from showing up in the console.
|
|
|
|
|
|
|
|
|
|
YAY!
|
|
|
|
|
*/
|
|
|
|
|
CKEDITOR.dom.element.prototype.setHtml = function(a){
|
|
|
|
|
if (/callFunction/.test(a)) {
|
|
|
|
|
a = a.replace(/on(mousedown|blur|keydown|focus|click|dragstart)/g, function (value) {
|
|
|
|
|
return 'o' + value;
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
return this.$.innerHTML=a;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
module.ckeditor = editor = Ckeditor.replace('editor1', {
|
|
|
|
|
customConfig: '/customize/ckeditor-config.js',
|
|
|
|
|
});
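Review bot: The comment block above the `setHtml` override says the regex rewrite is "preventing malicious code injection", but the rewrite is not a security boundary: it renames only six lowercase event attributes, and only when the markup also contains `callFunction`, so `onmouseup=`, `onerror=` or an upper-case `ONCLICK=` pass through untouched, and the control that actually blocks inline handlers is the CSP, with this override existing to silence the resulting console reports. I would reword that sentence to `preserving the intended behaviour; the CSP, not this rewrite, is what blocks injected handlers — the rename below only suppresses the console noise they cause`. Separately, the regex in `a.replace(...)` is unanchored, so any text node containing a word such as `onclick` in markup that also contains `callFunction` is rewritten to `oonclick`; matching only in attribute position, `a = a.replace(/(\s)on(mousedown|blur|keydown|focus|click|dragstart)=/gi, '$1oon$2=');`, would avoid corrupting document text and also catch the mixed-case forms. Whether `callFunction`-bearing markup can reach this path from pad content is not visible here, so treat that as something to confirm; the enclosing `define([` callback starts and ends outside this hunk.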