FCKeditor - filters - fonts

Woke up this morning to find the home page - http://ls.net/ - in a bad way. The cause was apparent: a user had posted an event which contained HTML code that broke the rest of the page.

Following the path of least resistance, I had set the default format to full HTML. PHP should only be enabled for people you can reach with a baseball bat. We have adopted several PHP restrictions to improve security but the power of PHP in malicious or casual hands is a loose cannon.

But full HTML can be bad HTML, bad in the sense it blows up content that follows it on the page. It was time to extend the scope of the filter and turn it on. I expect to return here but the current settings for input format are:

  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <p> <span> <div> <h1> <h2> <h3> <h4> <h5> <h6> <img> <map> <area> <hr> <br> <br /> <ul> <ol> <li> <dl> <dt> <dd> <table> <tr> <td> <em> <b> <u> <i> <strong> <font> <del> <ins> <sub> <sup> <quote> <blockquote> <pre> <address> <code> <cite> <embed> <object> <strike> <caption>
  • Lines and paragraphs break automatically.
  • Images can be added to this post.

After reloading the page (Ctrl+F5), the post no longer broke the rest of the page, but the fonts were plain - no color and default face.

Following advice from http://drupal.fckeditor.net/filters:

lsnet@helen:~/public_html/ls.net/sites/all/modules/fckeditor$ diff fckeditor.config.js.org fckeditor.config.js
> FCKConfig.CoreStyles['FontFace'] = 
> { 
> 	Element		: 'font', 
> 	Attributes : { 'face' : '#("Font")' }
> };
> FCKConfig.CoreStyles['Size'] = 
> { 
> 	Element		: 'font', 
> 	Attributes : { 'size' : '#("Size","fontSize")' }
> };
> FCKConfig.CoreStyles['Color'] = 
> { 
> 	Element		: 'font', 
> 	Attributes : { 'color' : '#("Color","color")' }
> };
> FCKConfig.FontSizes	= '1/xx-small;2/x-small;3/small;4/medium;5/large;6/x-large;7/xx-large' ;
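
Review bot: these overrides are written straight into the module's own fckeditor.config.js under sites/all/modules/fckeditor, so a module update that replaces that file will silently remove them; keep this diff against fckeditor.config.js.org with the site's deployment notes, and add a comment above the three CoreStyles entries saying why the font element is used instead of the editor default. The entries also mix tabs after Element with single spaces after Attributes; pick one so the block lines up.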

Now we can change the face - Comic Sans, the color, the background and the size.

And change it back again.

Websites like ours benefit enormously from user-contributed content. We have to make the playground safe.
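
Why the filter flattened the fonts and why the font-element overrides survive it, shown as an added example that is not code from this site, Drupal or FCKeditor. It is a simplified model that assumes the filter drops tags not on the list plus every style and on* attribute, and that the editor's default output carries styling in a span style attribute; the sample strings are constructed.

```javascript
// Added example: simplified model of a tag-allowlist input filter.
// Assumption: like Drupal's HTML filter, it removes tags that are not on
// the list and drops every style attribute and on* event-handler attribute.
// It does not model URL-protocol checks and is not a production sanitizer.

// Allowed tags, copied from the input-format settings on this page.
const PAGE_TAGS = '<a> <p> <span> <div> <h1> <h2> <h3> <h4> <h5> <h6> <img> ' +
  '<map> <area> <hr> <br> <br /> <ul> <ol> <li> <dl> <dt> <dd> <table> <tr> ' +
  '<td> <em> <b> <u> <i> <strong> <font> <del> <ins> <sub> <sup> <quote> ' +
  '<blockquote> <pre> <address> <code> <cite> <embed> <object> <strike> <caption>';
const ALLOWED = new Set(PAGE_TAGS.match(/[a-z0-9]+/g));

function filterAttributes(attrText) {
  const kept = [];
  const attrRe = /([a-zA-Z][\w:-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = attrRe.exec(attrText)) !== null) {
    const name = m[1].toLowerCase();
    if (name === 'style' || name.startsWith('on')) continue; // never passed through
    const value = m[2] || m[3] || m[4] || '';
    kept.push(`${name}="${value.replace(/"/g, '&quot;')}"`);
  }
  return kept.length ? ' ' + kept.join(' ') : '';
}

function filterHtml(html) {
  // Limitation of this model: a ">" inside an attribute value ends the tag early.
  return html.replace(/<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g, (whole, slash, tag, rest) => {
    const name = tag.toLowerCase();
    if (!ALLOWED.has(name)) return '';       // tag dropped, enclosed text kept
    return slash ? `</${name}>` : `<${name}${filterAttributes(rest)}>`;
  });
}

// Constructed samples: styling carried in a style attribute (assumed editor
// default) versus styling carried in <font> attributes (after the overrides).
const SPAN_STYLED = '<span style="color: #ff0000; font-family: Comic Sans MS;">hello</span>';
const FONT_STYLED = '<font face="Comic Sans MS" color="#ff0000" size="5">hello</font>';

console.log(filterHtml(SPAN_STYLED));
console.log(filterHtml(FONT_STYLED));
console.log(filterHtml('<p onclick="x()">hi</p><blink>there</blink>'));
```

The span comes back with no styling, while the font element comes back with its face, color and size attributes intact.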