No 'Source' Button in the Editor

[Chewie]

When starting a new post or creating a reply, the source button in the editor isn't available...

Since screen-shotting the image I have now tried it with...

FireFox 40.0.3
Chrome 45.0.2454.85 (64-bit) (+Incognito mode)
Safari 8.0.8
^ All on OSX Yosemite 10.10.5

Firefox 40.0.3
Microsoft Edge
Microsoft Internet Explorer
^ All on Windows 10

Also tried through 2 different ISPs.

[leviramsey]

One possible workaround this suggests, if you're willing to take advantage of the subset of HTML, is that if you can prevent CKEditor from loading (either via disabling Javascript or via GreaseMonkey), you get a raw textarea wherein you can post HTML.  Disabling Javascript disables the quote mechanism, but a tailored GreaseMonkey script might be able to preserve quote behavior.

Alternatively, if admins/mods are normally restricted to the same subset of HTML (e.g. no blockquotes), then it would seem that all users could be given permission to post HTML.

[leviramsey]

From examination of the HTTP request headers, it's clear that CKEditor transmits HTML to the server, which is then scrubbed by the server to the known-safe subset of HTML.  The question is then whether the source button in CKEditor bypasses scrubbing.  Without inspection of the HTTP traffic, I can't answer that question (if an admin/mod wants to check...).

From documentation for IPB 3.4 with CKEditor, it seems that whether the source button is displayed for everybody is configurable independent of HTML permissions, though it defaults to Source iff HTML.  Assuming that the IPB permission governs the server-side scrubber, then this means that everyone can get the source button.

[Chewie]

^ Great investigation and explanation into the way the editor works, bravo.

Limpid: I know it's not a huge concern for you, but have you thought about allowing the HTML editor for all posters? Assuming it is a global option? The Prediction thread last week was a nightmare due to formatting issues. I was actually trying to change the format and attempting to insert tables into the post to make life easier for everyone but I had to give up as I just could not get a return working after the table insert. The WYSIWYG editor is decent, it just doesn't give you the ability to fine tune things when it goes a bit wacky.

[limpid]

I think the idea of allowing any user to post any HTML is horrifying.

When things have settled down, I'll have a look and see if I can turn it on for some users and then work out how to identify those users.

[Tegis]

Might be a good incentive to donations. That said, posting malformed html does have a tendency to break sites depending on how well designed/protected the forum-code is.

[Chewie]

I think the idea of allowing any user to post any HTML is horrifying.

When things have settled down, I'll have a look and see if I can turn it on for some users and then work out how to identify those users.

Lol, yeah fair enough. Appreciate you looking into a long term solution as opposed to just telling us 'tough luck'. Cheers.

[limpid]

Might be a good incentive to donations. That said, posting malformed html does have a tendency to break sites depending on how well designed/protected the forum-code is.

I remember in the first version of VT that if a user posted the bbcode for bold in their sig and didn't close it, the rest of the page was in bold

[leviramsey]

I think the idea of allowing any user to post any HTML is horrifying.

When things have settled down, I'll have a look and see if I can turn it on for some users and then work out how to identify those users.

I don't think anyone is talking about allowing posters to post arbitrary HTML.  Have you read my posts at all?

As it stands, every user of this site is posting HTML.  It's what CKEditor sends to the server.  It's what users who don't use CKEditor (either by disabling Javascript or via a mythical GreaseMonkey script to disable CKEditor) are sending to the server.  This is true regardless of what permissions are set.

EDIT to add: the scrubber does appear to close every tag opened.

Edited September 17, 2015 by leviramsey

[limpid]

Levi,

Did you read my post? For the kind of poster who could understand how to turn off CKeditor, I'd be happy to let them post HTML (once I can establish what is and isn't allowed). I don't have time to look into it at the moment.

[leviramsey]

Perhaps I'm being unclear. Adding the source button for every user is a simple matter of adjusting the configuration of CKEditor (depending on how much IPS has hacked on it, we're either talking about a plugin like SourceDialog or adding about 4 lines of JavaScript to VT's source). It has nothing to do with board permissions: the HTML submitted is still scrubbed.

[limpid]

Perhaps I'm being unclear. I'm too busy to look at this at the moment regardless of how many times you say it.

When I get chance I'll start by investigating why people can't just use CKeditor. Then; what am I going to get asked for support on from the majority, not what works best for the few power users. People might want to edit HTML, but they don't need to. Therefore this is parked until I get some time.

[leviramsey]

I need to edit HTML. My posts (most notably the prediction posts) look like utter shit from how the editor mangles them. On top of that, posting links takes orders of magnitude longer than before, thanks to requiring a dialog.

[limpid]

A new version of the forum is due next month (minor upgrade), but they've posted this about the editor:

https://community.invisionpower.com/blogs/entry/9739-ips-community-suite-41-editor-update/

We have made a huge upgrade to our editor in IPS Community Suite 4.1 with a focus on speed an usability. I made a video overview of the new editor to point out some of the key changes. Before viewing, here are the release notes about the editor for your reference:

[ there is a video there too ]

[Chewie]

Plain text will be a godsend for the prediction thread, looking forward to it.

[limpid]

Plain text will be a godsend for the prediction thread, looking forward to it.

All it's going to do is the same as pressing ctrl-shift-v instead of ctrl-v. ie. You can do it now.

[Chewie]

Plain text will be a godsend for the prediction thread, looking forward to it.

All it's going to do is the same as pressing ctrl-shift-v instead of ctrl-v. ie. You can do it now.

If it strips formatting after input/pasting then it will help with people (who don't follow instructions) posting in the prediction thread