Sanitize hidden characters from CKEditor


iipa
I have a CKEditor Textarea in a page template. Some users like to add text to it by pasting from a Word document. This leads to an internal server error when saving the page. When using paste without formatting (cmd + shift + V), the page is saved normally, so I assume the error has something to do with Word's hidden characters that cause issues in many other programs as well. (I don't have Word myself, so I debugged this over video chat with a user. I forgot to ask them to check the code view, so I'm not sure if they are visible there.)

Is there a way in ProcessWire/PHP to sanitize Textarea input from these hidden characters, or can I prevent this by changing editor settings (listed below, if it helps)? I don't like leaving error handling to rely on user action - somebody always forgets to do things a specific way and it weakens the user experience.

Textarea
	formatting: none (htmlspecialchars off)
	field type: CKEditor
	content type: markup/html
	experimental markup/html settings: all on
	acf: on
	html purifier: on
	additional purify settings: all on
	extra allowed content: none
	add-ons: pwimage, pwlink, sourcedialog
	sourcedialog settings: none
	disabled add-ons: image, magicline


@iipa Pasting stuff from Word should be no problem ... I think most of our clients likely do this. So you definitely shouldn't get an internal server error from PW at least. Though you might try setting $config->debug=true; in your /site/config.php file (temporarily) and trying again, just in case — that will make it produce a verbose error message. But it's more likely that it is coming from mod_security or some other Apache or PHP module on the server that is monitoring input and halting the request when it comes across something it doesn't like. I don't blame it, as MS Word can produce some pretty sketchy looking markup. But between CKEditor and htmlpurifier, PW should be able to clean it up just fine once the server lets it through. But if it's an Apache/PHP module doing this (which seems likely) then nothing you adjust in PW can fix it since the module examines the request before PW even boots, so you'd instead have to disable or configure the Apache module (mod_security, suhosin, or whatever it might be).


On 8/17/2019 at 3:16 PM, eydun said:

Hi iipa

Does the user use the "Paste from Word"-button?

On some browser+OS combos that button does not work, unfortunately.

6 hours ago, ryan said:

@iipa Pasting stuff from Word should be no problem ... I think most of our clients likely do this. So you definitely shouldn't get an internal server error from PW at least. Though you might try setting $config->debug=true; in your /site/config.php file (temporarily) and trying again, just in case — that will make it produce a verbose error message. But it's more likely that it is coming from mod_security or some other Apache or PHP module on the server that is monitoring input and halting the request when it comes across something it doesn't like. I don't blame it, as MS Word can produce some pretty sketchy looking markup. But between CKEditor and htmlpurifier, PW should be able to clean it up just fine once the server lets it through. But if it's an Apache/PHP module doing this (which seems likely) then nothing you adjust in PW can fix it since the module examines the request before PW even boots, so you'd instead have to disable or configure the Apache module (mod_security, suhosin, or whatever it might be).

I actually have debug on, since we haven't launched yet, but I'm also starting to lean toward the problem being in the server-side configuration.

On 8/17/2019 at 7:39 PM, horst said:

I have been using the hook from Ryan for a few weeks and it works really well

Maybe one can adapt this to match more than inline styles. (?)

I managed to accomplish this in CKEditor's config.js by adding

config.disallowedContent = '*{*}';

which does it automatically when pasting. It was also enough to keep the server happy as well!

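To see what a Word paste actually carries before deciding between an editor setting and a server-side rule change, the following added example (not part of the original posts, and not ProcessWire or CKEditor code) reports the inline styles, `mso-` properties, conditional comments and invisible characters in a submitted HTML string. The function name `inspectPaste`, the code-point list and the sample input are assumptions made for illustration.

```javascript
// Added example, not from the thread. inspectPaste and the code-point list are
// hypothetical; the list is an assumption and not exhaustive.
const INVISIBLE = new Map([
  [0x00a0, 'NO-BREAK SPACE'], [0x00ad, 'SOFT HYPHEN'],
  [0x200b, 'ZERO WIDTH SPACE'], [0x200d, 'ZERO WIDTH JOINER'],
  [0x2028, 'LINE SEPARATOR'], [0xfeff, 'ZERO WIDTH NO-BREAK SPACE'],
]);

function inspectPaste(html) {
  const report = { inlineStyles: 0, msoProperties: [], conditionalComments: 0, hiddenChars: [] };

  // style="..." / style='...' attributes: the inline styles that '*{*}' disallows.
  const styleAttr = /\sstyle\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  for (const m of html.matchAll(styleAttr)) {
    report.inlineStyles++;
    const css = m[1] !== undefined ? m[1] : m[2];
    for (const decl of css.split(';')) {
      const prop = decl.split(':')[0].trim().toLowerCase();
      if (prop.startsWith('mso-') && !report.msoProperties.includes(prop)) {
        report.msoProperties.push(prop);
      }
    }
  }

  // Conditional comments (<!--[if ...]>) that Word wraps around its own markup.
  report.conditionalComments = (html.match(/<!--\[if\s/gi) || []).length;

  // C0 control characters other than tab/LF/CR, plus the code points listed above.
  for (let i = 0; i < html.length; i++) {
    const cp = html.charCodeAt(i);
    const isControl = cp < 0x20 && cp !== 0x09 && cp !== 0x0a && cp !== 0x0d;
    if (isControl || INVISIBLE.has(cp)) {
      const hex = 'U+' + cp.toString(16).toUpperCase().padStart(4, '0');
      report.hiddenChars.push({ index: i, codePoint: hex, name: INVISIBLE.get(cp) || 'CONTROL' });
    }
  }
  return report;
}

// Constructed sample of Word-style clipboard HTML (not taken from the thread).
const SAMPLE =
  '<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:0cm">' +
  '<!--[if gte mso 9]><xml></xml><![endif]-->' +
  "<span style='font-family:\"Calibri\";mso-fareast-language:EN-US'>" +
  'Hello\u200b world\u00a0</span></p>';

console.log(JSON.stringify(inspectPaste(SAMPLE), null, 2));
```

Running the same report on the editor's HTML before and after setting `config.disallowedContent = '*{*}'` shows which of these categories the setting removes and which still reach the server.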