Do you have some feature in mind that you'd love to see in Couch? Let us know.
13 posts Page 1 of 2
it would be great if there was support for html5 tags.

ckeditor has support for this, but it seems that there is an html purifier on the richtext and textarea fields which is encoding the tags.

please, please please do something about this.
Hi and welcome.
Sorry about the slight delay in reply but it is holidays time :)

Replying to your query:
you are right - CKEditor now supports HTML5 tags. However Couch, as a security measure, has an internal 'whitelist' of tags that are allowable (rest get encoded as a sanitizing measure) and, for now, this list consists of only selected HTML4 tags.

If more users demand addition of the new tags, I'll certainly be willing to expand the list.
Could you please post in the exact list of the tags that you think would be useful?

For now you could perhaps use the shortcodes feature to allow input of new tags (the documentation at ... codes.html contains an example of creating BBCodes. Maybe that would help).

The major browsers already support a majority of the new HTML5 tags, so I think it would be a good idea for Couch to as well.

By the way CKEditor v4 JavaScript API is backwards compatible with v3. I tested it myself in Couch and all features work just fine. I'm sure people would appreciate the upgrade for the new skin alone besides all the other improvements.

The 'whitelist' of supported HTML4 tags in Couch is:
'img', 'div', 'span', 'a', 'p', 'blockquote', 'code', 'address', 'cite',
'ul', 'ol', 'li', 'dd', 'dl', 'dt',
'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
'table', 'caption', 'col', 'colgroup', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr',
'br', 'hr', 'pre', 'b', 'u', 'i', 'strong', 'big', 'small', 'em', 'sub', 'sup',
'center', 'font', 'strike', 'del', 'abbr', 'dfn', 'samp'

As you can see, all the tags are purely 'structural' in function.
Tags like 'embed', 'script' etc. have been omitted because of their vulnerable nature that could expose them to XSS exploits.

The very concept of using a whitelist is to allow innocuous tags only.
When I see the list of new tags you pointed to, there are several that don't seem to fit the bill.
I think I'll have to study further how security experts are rating them.
Any help in singling out the 'structural' tags only is welcome.
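The whitelist approach described in the post above, as an added example that is not part of the thread and is not Couch's own code (Couch is PHP; this is a Python sketch). The two tag lists are the ones quoted in the thread; the attribute and URL-scheme allow-lists and all function names are assumptions, added because an allowed tag can still carry an `onclick` or a `javascript:` link.

```python
import re
from html import escape
from html.parser import HTMLParser

# Tag lists copied from the thread: the HTML4 whitelist and the HTML5 tags proposed as safe.
HTML4 = set("""img div span a p blockquote code address cite ul ol li dd dl dt
h1 h2 h3 h4 h5 h6 table caption col colgroup tbody td tfoot th thead tr br hr pre
b u i strong big small em sub sup center font strike del abbr dfn samp""".split())
HTML5 = set("""article aside bdi figcaption figure footer header hgroup mark nav
progress rp rt ruby section time wbr""".split())
# Assumptions (not from the thread): attribute and URL-scheme allow-lists.
SAFE_ATTRS = {"href", "src", "alt", "title", "class", "datetime"}
SAFE_SCHEMES = {"http", "https", "mailto"}

def safe_url(value):
    # Browsers ignore control characters and whitespace inside a scheme name.
    compact = re.sub(r"[\x00-\x20]+", "", value).lower()
    scheme = re.match(r"([a-z][a-z0-9+.-]*):", compact)
    return scheme is None or scheme.group(1) in SAFE_SCHEMES

class Sanitizer(HTMLParser):
    # Comments and doctypes have no handler here, so they are dropped.
    def __init__(self, allowed):
        super().__init__(convert_charrefs=False)
        self.allowed, self.out = allowed, []

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:  # encode rather than drop, as the post describes
            self.out.append(escape(self.get_starttag_text()))
            return
        kept = [(n, v or "") for n, v in attrs if n in SAFE_ATTRS]
        kept = [(n, v) for n, v in kept if n not in ("href", "src") or safe_url(v)]
        self.out.append("<" + tag + "".join(f' {n}="{escape(v)}"' for n, v in kept) + ">")

    handle_startendtag = handle_starttag  # <br/> is emitted once, as <br>

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>" if tag in self.allowed else escape(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def sanitize(markup, allowed):
    parser = Sanitizer(allowed)
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)
```

Passing `HTML4 | HTML5` as `allowed` shows the effect of extending the list: `<section>` passes through instead of being encoded, while the attribute checks stay the same.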
These appear to be safe :)
'article', 'aside', 'bdi', 'figcaption', 'figure', 'footer', 'header', 'hgroup', 'mark', 'nav', 'progress', 'rp', 'rt', 'ruby', 'section', 'time', 'wbr'
Thanks :)
@kk: it's nice to know that you're thinking about security, but it would be nice if you could give the developers the option to toggle the protection off or on.

i noticed you did this for the textarea element type: no_xss_check='1'. this would be great as well for the "richtext" element type.

when do you think you will have the patch ready?
i'm asking because my client (who has a licensed version) inquired about this. hmmm, i hope it's not going to be a long wait. i would dread having to change all my markup because of this.

btw: i'm using 1.3-RC1

@cheesypoof: how did you integrate the 4.0 version of ckeditor? it would be great if you could provide some detailed steps. i tried to integrate v4, but it didn't show up in the admin area.
1. Create a backup of your 'includes/ckeditor' folder. Name this backup folder 'ckeditor3'.
2. Delete all of the folders in your 'ckeditor' folder.
3. Download the "Full" version of CKEditor 4.
4. Extract the new files and folders into your 'includes/ckeditor' folder. Overwrite any old files.
5. Rename 'ckeditor_v363b.php' to 'ckeditor_v40.php'.
6. Copy the contents of 'ckeditor.js' to 'ckeditor_v40.php', making sure to replace all of the code below the PHP statement. Add this command to the end of the file on a new line: "CKEDITOR.disableAutoInline = true;" Save the file.
7. Open 'ckeditor_php4.php' and 'ckeditor_php5.php'. Search for 'ckeditor_v363b.php' and replace it with 'ckeditor_v40.php'. Search for '3.6.3' and replace it with '4.0'. Search for 'C3HA5RM' (two times) and replace it with 'CAPD'. Save the files.
8. Clear your browser cache.
9. (Optional) Delete 'samples' folder, 'build-config.js', and 'ckeditor.js'.

This worked for me. Hopefully if I have missed something KK will reply with a correction.

End result available for download at

That is precisely how it is to be done.
Just like to add that it is important to save the ckeditor_v40.php file as 'UTF without BOM'.
I've seen several browsers balk with 'Headers already sent' (resulting in the editor disappearing) if this point is missed.

BTW, if it is not too much of a hassle, why don't you upload the final 'includes/ckeditor' in the Product updates sub-forum? It will be so much easier for others to just replace the existing folder with the new one.


EDIT: The directly replaceable CKEditor folder uploaded by @cheesypoof can be found here:
Thank you cheesypoof.

With ... rview.html as reference, I was wondering if the following tags could also be included? :

Your thoughts?