Problems, need help? Have a tip or advice? Post it here.
3 posts Page 1 of 1
I am trying to add a link back to Typescript's website (the URL is https://www.typescriptlang.org).
When I add the link inside a 'richtext' or 'nicedit' editable type, it somehow gets sanitized by the CMS and it always renders as https://www.typesxxxcriptlang.org/

Any ideas?

Yes, the term 'script' used within the 'href' parameter of link freaks Couch out and it sanitizes it (by adding the 'xxx') fearing potential XSS issues.
Call it paranoid behaviour but one cannot be too careful when it comes to security.

As mentioned in several threads, there are only two alternatives to circumvent this sanitization -
1. Use type 'textarea' with 'no_xss_check' parameter set to '1'. This will completely turn off all sanitization and your input will be stored exactly as provided. This is ideal for storing code e.g. adsense etc.

2. For richtext editable regions, the only way around is to use a shortcode (http://docs.couchcms.com/miscellaneous/shortcodes.html). One quick-n-dirty all purpose shortcode I usually recommend is here - viewtopic.php?f=8&t=7950
Unfortunately, for your particular case, the mentioned shortcode will not do as Couch will still add the 'xxx' to its output.

So, I have devised a little shortcode for you to help specifically with this issue.
As with all shortcodes, it is a two-step process. I'll explain both below -

Step 1
Please add the following to your 'couch/addons/kfunctions.php' file (you might have to rename 'kfunctions.example.php' to 'kfunctions.php' if the file is not found at the location) -
$FUNCS->register_shortcode( 'link', 'link_handler' );
function link_handler( $params, $content=null ){
    global $FUNCS;

    $content = trim( $content );
    if( $content=='' ) return '';

    $pattern = '/\(([^\)]*)\)$/'; // contents enclosed between the last set of parentheses
    $res = preg_match( $pattern, $content, $matches, PREG_OFFSET_CAPTURE );
    if( $res ){ // has link text in parentheses ..
        $text = $matches[1][0];
        $pos = $matches[0][1];
        $link = trim( substr($content, 0, $pos) );
    }
    else{
        $link = $text = $content;
    }

    // Escape both values for their HTML context so the shortcode itself does not
    // reintroduce an attribute injection. double_encode=false keeps entities the
    // richtext editor may already have stored (e.g. '&amp;') from being encoded twice.
    $link = htmlspecialchars( $link, ENT_QUOTES, 'UTF-8', false );
    $text = htmlspecialchars( $text, ENT_QUOTES, 'UTF-8', false );

    return '<a href="'.$link.'">'.$text.'</a>';
}

Step 2
Assuming your richtext editable region is named 'my_text', you would have placed something like this in your frontend template to display its value -
<cms:show my_text />

Modify the line above to enclose it within <cms:do_shortcodes> tag as follows -
<cms:do_shortcodes><cms:show my_text /></cms:do_shortcodes>

And that is it.
Now in the admin-panel, while inputting contents within your richtext editable region, if you input something like this -
[link]https://www.typescriptlang.org/[/link]

- you'll see that on the frontend, the shortcode gets expanded to
<a href="https://www.typescriptlang.org/">https://www.typescriptlang.org/</a>

To output some other text as the anchored contents, you may do the following -
[link]https://www.typescriptlang.org/ (TypeScript Site) [/link]

As you can see, we have specified the text to use by enclosing it within parenthesis.
The HTML outputted now becomes -
<a href="https://www.typescriptlang.org/">TypeScript Site</a>

That should solve your problem.
I am sorry it requires this kind of workaround, but I hope it helps somewhat in alleviating the trouble.
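The sanitizer described in the reply is a substring blocklist: it munges the letters 'script' wherever they occur, which is why a perfectly legitimate hostname gets broken while the check still says nothing about whether a link is actually safe. The following is an added example, not part of this thread and not Couch's code, written in Python rather than PHP. It reproduces the observed munging on the TypeScript URL, parses the same 'URL (text)' grammar as the shortcode above, and then renders the anchor the way a context-aware approach would: an allowlist of URL schemes decides whether an href is emitted at all, and HTML escaping handles the attribute and text contexts. The 'xxx' insertion is a constructed approximation of the behaviour reported in the first post, and the scheme list is an assumed policy.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed approximation of the behaviour reported in the thread: 'xxx' is
# inserted into the substring 'script' wherever it occurs. Not Couch's code.
def blocklist_sanitize(value: str) -> str:
    return re.sub(r"script", "sxxxcript", value, flags=re.IGNORECASE)

# Same grammar as the forum shortcode: "URL (optional link text)".
TEXT_PATTERN = re.compile(r"\(([^)]*)\)$")

def parse_link_shortcode(content: str) -> tuple:
    content = content.strip()
    m = TEXT_PATTERN.search(content)
    if m:
        text = m.group(1).strip()
        link = content[: m.start()].strip()
    else:
        link = text = content
    return link, text

# Assumed policy: absolute URLs must use one of these schemes; site-relative
# paths ("/about") are allowed; protocol-relative URLs ("//host/...") are not.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

def is_safe_link(url: str) -> bool:
    url = url.strip()
    scheme = urlsplit(url).scheme.lower()
    if scheme:
        return scheme in ALLOWED_SCHEMES
    return url.startswith("/") and not url.startswith("//")

def render_link(content: str) -> str:
    """Render the shortcode body as an anchor, or as plain text if the
    link fails the scheme policy. Both contexts are escaped separately."""
    link, text = parse_link_shortcode(content)
    if not is_safe_link(link):
        # Policy failure: keep the visible text, drop the href entirely.
        return html.escape(text)
    return '<a href="{}">{}</a>'.format(html.escape(link), html.escape(text))

if __name__ == "__main__":
    # Constructed sample inputs: the URL from the thread, the '(text)' form,
    # a disallowed scheme and a URL containing characters that need escaping.
    samples = [
        "https://www.typescriptlang.org/",
        "https://www.typescriptlang.org/ (TypeScript Site) ",
        "javascript:alert(1) (click)",
        'https://example.invalid/?a=1&b="x"',
    ]
    print("blocklist:", blocklist_sanitize(samples[0]))
    for s in samples:
        print("render:   ", render_link(s))
```

The point of the split is that scheme validation and output escaping are two different questions: the allowlist answers "may this be a link target at all", and the escaping answers "how is this string written safely inside an attribute or element". A substring blocklist answers neither, which is why it both breaks typescriptlang.org and has to be bypassed with a shortcode in the first place.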

one cannot be too careful when it comes to security

I couldn't agree more! The XSS attack actually crossed my mind. It's very reassuring to see this level of security from your side :D

Thanks for the quick tutorial, I will definitely add the shortcode you provided, I'm sure it will come in handy.