How to get YUI's Rich Text Editor to preserve script tags.
I really like YUI, and the YUI RTE. I think that for most typical editing scenarios, it works far better than other options. It's easily extensible, and has a great default feature set. The one thing that was really frustrating is that it kept eating my embedded gist tags.
The gist embed tags are very simple, and look like this:
<script type="text/javascript" src="http://gist.github.com/1234.js"></script>
Outside of the very real risks of allowing XSS and other dangerous things, this is useful to be able to do. However, the RTE doesn't allow it, and if the editor slurps in a textarea with a script tag, the editor silently eats all the script tags. Nom nom nom.
The only way to enable this behavior is to extend the editor class and make some very hacky changes. Please note that this widget interpolates script tags even when they are escaped (meaning if you type in <script> in the editor, it turns into a live script tag). This is, for the most part, behavior that I want. Leave comments if this conflicts with your uses, and I'll figure out a better API.
You can see my trusting editor in action, allowing script tags to be preserved, and the complete code, displayed here:
The “official” version I will maintain will be at http://gist.github.com/200773. If it gets to be frequent, I'll set up a project for it.
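A narrower alternative to preserving every script tag, given the XSS risk noted above: this added example (not the author's gist and not YUI code) rebuilds only script elements whose src points at gist.github.com and escapes every other script tag to inert text. The function names and the accepted gist path pattern are assumptions, and wiring the filter into the editor's cleaning step is left to the caller.

```javascript
// Added example (not the author's gist): keep gist embeds, neutralize all other scripts.
// The host comes from the page's embed tag; the path pattern is an assumption.
const ALLOWED_HOST = 'gist.github.com';
const GIST_PATH = /^\/(?:[\w-]+\/)?[0-9a-f]+\.js$/i; // /<id>.js or /<user>/<id>.js

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Returns a canonical gist URL when the element is a pure embed, otherwise null.
function gistUrl(attrText, body) {
  if (body.trim() !== '') return null;                  // inline code is never an embed
  const attrs = {};
  const attrRe = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = attrRe.exec(attrText)) !== null) {
    const name = m[1].toLowerCase();
    if (name !== 'src' && name !== 'type') return null; // rejects onload= and friends
    if (name in attrs) return null;                     // duplicate attributes are ambiguous
    attrs[name] = m[2] || m[3] || m[4] || '';
  }
  if (!attrs.src) return null;
  let url;
  try { url = new URL(attrs.src); } catch (e) { return null; } // relative or malformed
  const ok = (url.protocol === 'http:' || url.protocol === 'https:') &&
    url.hostname === ALLOWED_HOST && url.port === '' &&
    url.username === '' && url.password === '' &&
    url.search === '' && url.hash === '' && GIST_PATH.test(url.pathname);
  return ok ? url.origin + url.pathname : null;
}

// Rebuild allowed embeds from parsed parts; escape every other script tag to text.
function filterScripts(html) {
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>|<\/?script\b/gi;
  return html.replace(scriptRe, (match, attrText, body) => {
    if (attrText === undefined) return escapeHtml(match); // unpaired <script or </script
    const src = gistUrl(attrText, body);
    return src
      ? '<script type="text/javascript" src="' + escapeHtml(src) + '"></script>'
      : escapeHtml(match);
  });
}
```

The filter only decides on script elements; event-handler attributes and other active content elsewhere in the HTML need their own handling.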
In conclusion, I'd like to talk about my personal view of this solution. I don't want this to go on my permanent record without defending myself and this code. I think this solution is bad. Relying on a non-contractual API, and an internal method of the Editor (_cleanIncomingHTML), is generally asking for trouble. I don't have faith that this behavior won't change, and as such, this change cannot be guaranteed for future versions of YUI.
I would very much like to see this change go into YUI Core, as it provides an option that trusts the programmer. It won't be included because of security concerns. Requiring the above type of extending to get non-destructive behavior really scares me, though. It just reeks of code smell, and I'm sad that there isn't an option to trust the engineer.
I will maintain the gist to make sure it works with the latest released version of YUI (currently 2.8.0). If you notice a bug, please leave a comment and I will get it fixed up. I will also submit a patch to the Movable Type plugin that allows <script> tag embedding.