如何防止TinyMCE将CDATA添加到<script>标签和注释<style>标签？

Question

Let's put aside the issues of allowing <script> content inside a Web editor; I'm perfectly aware of them.

What I want is to allow <style> and <script> elements inside the text content, the issue is that, whenever I do this, TinyMCE changes them to:

<style><!-- th{width:80px} --></style>

and the script content is changed to:

<script>// <![CDATA[
$.address.unbind();
// ]]></script>

On my TinyMCE init configuration, I have:

valid_elements : "*[*]",
extended_valid_elements : "*[*],script[charset|defer|language|src|type],style",
custom_elements: "*[*],script[charset|defer|language|src|type],style",
valid_children : "+body[style],+body[script]",
verify_html : false,
media_strict: false

But I can't seem to find a way to prevent TinyMCE from disabling the <style> and <script> elements.

Answer 1

I would recommend avoiding any direct customization to third party libraries if it can be avoided. Instead I added a custom node filter to the editors serializer during initialization by adding the following to the config object passed into the tinymce construction call:

init_instance_callback : function(editor) {
    // jw: this code is heavily borrowed from tinymce.jquery.js:12231 but modified so that it will
    //     just remove the escaping and not add it back.
    editor.serializer.addNodeFilter('script,style', function(nodes, name) {
        var i = nodes.length, node, value, type;

        function trim(value) {
            /*jshint maxlen:255 */
            /*eslint max-len:0 */
            return value.replace(/(<!--\[CDATA\[|\]\]-->)/g, '\n')
                    .replace(/^[\r\n]*|[\r\n]*$/g, '')
                    .replace(/^\s*((<!--)?(\s*\/\/)?\s*<!\[CDATA\[|(<!--\s*)?\/\*\s*<!\[CDATA\[\s*\*\/|(\/\/)?\s*<!--|\/\*\s*<!--\s*\*\/)\s*[\r\n]*/gi, '')
                    .replace(/\s*(\/\*\s*\]\]>\s*\*\/(-->)?|\s*\/\/\s*\]\]>(-->)?|\/\/\s*(-->)?|\]\]>|\/\*\s*-->\s*\*\/|\s*-->\s*)\s*$/g, '');
        }
        while (i--) {
            node = nodes[i];
            value = node.firstChild ? node.firstChild.value : '';

            if (value.length > 0) {
                node.firstChild.value = trim(value);
            }
        }
    });
}

Hopefully this will help others stuck in the same boat.

Answer 2

You can try altering the tinymce.min.js

,f.addNodeFilter("script,style",function(e,t){function n(e){return e.replace(/(<!--\[CDATA\[|\]\]-->)/g,"\n").replace(/^[\r\n]*|[\r\n]*$/g,"").replace(/^\s*((<!--)?(\s*\/\/)?\s*<!\[CDATA\[|(<!--\s*)?\/\*\s*<!\[CDATA\[\s*\*\/|(\/\/)?\s*<!--|\/\*\s*<!--\s*\*\/)\s*[\r\n]*/gi,"").replace(/\s*(\/\*\s*\]\]>\s*\*\/(-->)?|\s*\/\/\s*\]\]>(-->)?|\/\/\s*(-->)?|\]\]>|\/\*\s*-->\s*\*\/|\s*-->\s*)\s*$/g,"")}for(var r=e.length,i,o,a;r--;)i=e[r],o=i.firstChild?i.firstChild.value:"","script"===t?(a=i.attr("type"),a&&i.attr("type","mce-no/type"==a?null:a.replace(/^mce\-/,"")),o.length>0&&(i.firstChild.value="// <![CDATA[\n"+n(o)+"\n// ]]>")):o.length>0&&(i.firstChild.value="<!--\n"+n(o)+"\n-->")}),f.addNodeFilter("#comment",function(e){for(var t=e.length,n;t--;)n=e[t],0===n.value.indexOf("[CDATA[")?(n.name="#cdata",n.type=4,n.value=n.value.replace(/^\[CDATA\[|\]\]$/g,"")):0===n.value.indexOf("mce:protected ")&&(n.name="#text",n.type=3,n.raw=!0,n.value=unescape(n.value).substr(14))})

Please, find and remove the above line of code from the file.

Answer 3

when you store tinymce content, simply remove these tags from output similar like this:

$tinyOutput = str_replace(array("// <![CDATA[", "// ]]>"), array("", ""), $_POST['tinyOutput']);

..then save to db..

Answer 4

For me it worked to remove the following code for disabling script tag formating:

,o.length>0&&(i.firstChild.value="// <![CDATA[\n"+n(o)+"\n// ]]>")

And for formating on style tag, you should remove:

&&(i.firstChild.value="<!--\n"+n(o)+"\n-->")

Answer 5

You can try using < in place of < for the style and script tags. That way tinymce will not recognize style and script tags.

For example:

For style:

<style>th{width:80px}</style>

For script:

<script>
$.address.unbind();
</script>