[consulting] Wysiwyg Frustrations: My Approach, What is Yours

Shai Gluskin shai at content2zero.com
Sun Jul 3 16:28:05 UTC 2011 

Folks,

Why this post to this list? I have plenty of issues and help requests out in
various places... I thought this list would be the best place to share my
overall process and problems and hopefully hear yours.

I use the Wysiwyg Api module <http://drupal.org/project/wysiwyg> because it
is the most "Drupally" and seems to make the most sense in the long run. It
already has wide acceptance being installed on 130K sites.

My clients require a full featured WYSIWYG like CKeditor or TinyMCE.

The easiest set up is simply to assign a wysiwyg profile and use Drupal's
"Full HTML" "Input format" (D6)/"Text format" (D7).

That approach is *unacceptable* for the following reasons:


   1. It's not secure
   2. Content creators/editors can easily destroy the site design

Using Drupal core's "HTML Filter" is equally unacceptable because it *doesn't
allow html attributes to be added*, which is necessary for the chosen
wysiwyg to deliver functionality.

The solution is to use one of the following three modules:

   1. wysiwyg_filter <http://drupal.org/project/wysiwyg_filter> (D7 version
   currently at http://drupal.org/sandbox/axel.rutz/1105784 until module
   takeover process is completed)
   2. htmlpurifier <http://drupal.org/project/htmlpurifier>
   3. htmLawed <http://drupal.org/project/htmLawed>

I'm using wysiwyg_filter. It's D6 version is stable and good. However the
maintainer disappeared. @axel.rutz has done great work on D7; he has filed
an issue to take over the project <http://drupal.org/node/1105850>. I'm
assuming that will be successful.

*Teaser break plug-in broken in wysiwyg module*.

This issue has been open since, July, 2009 <http://drupal.org/node/510552>,
kind of scary. I somewhat overstated the issue in my bolding above, which is
why, possibly, this issue hasn't been solved yet, in addition to the
significant technical challenges. What happens with the teaser break plug-in
turned on is that self-closing tags like <br> and <img> are closed like ">"
and not the XHTML way, "/>". For folks not using wysiwyg_filter,
htmlpurifier or htmLawed, the upshot is code that doesn't validate for
XHTML, not a huge deal (depending on your personality [?]). However, for
anyone using one of those html filter modules, any improperly closed
self-closing tag gets stripped away, making a fix absolutely imperative.
There is a working patch at: http://drupal.org/node/510552#comment-3879096.
Note that patch only solves the problem for the latest version of CKeditor
and not TinyMCE. The maintainers of wysiwyg have not committed the patch
because they are trying to address the problem in a better way. But in the
meantime, new Drupal users who may have a hard time finding that patch are
going to be quite frustrated.

To sum up so far:


   1. If you care about security and/or site design, an html filter is key.
   It can't be the one that comes with Drupal.
   2. I have found the patch to fix the teaser break problem in wysiwyg and
   I've switched from TinyMCE to CKeditor because the patch works with the
   latter only.

*However: getting the Wysiwyg to actually be: "what you see is what you get"
(or anything close to it), I have found impossible.*
*
*
Because Drupal's "input filters" are actually "output" filters  the end user
will see in the editor formatting that will be stripped by the html filter
when the page is rendered. This is a huge usability issue. Careful selection
of "buttons and plug-ins" in the editor configuration as well as current
"Paste to Word" plug-ins for CKEditor and TinyMCE go a bit of the way in
addressing these issues. But there are still many ways in which code that
will be filtered can get into your editing box and display formatting to the
user that will be filtered when the page is displayed.

*I've looked for a CKEditor plug-in that would essentially do what
wysiwyg_filter does on the output for the editor on the input. I have not
found one. Have you?*

*My guess is that most of the 130K users of the wysiwyg module get
frustrated and simply take their chances with "Full HTML" and try to solve
both security and site design problems via educating the client (re site
design) and good site monitoring and backup (to, sort of, address security
issues).*

Am I missing something?

I really want to hear from you on what you do.

Thanks,

Shai
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.drupal.org/pipermail/consulting/attachments/20110703/2831f351/attachment.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/gif
Size: 96 bytes
Desc: not available
Url : http://lists.drupal.org/pipermail/consulting/attachments/20110703/2831f351/attachment.gif

More information about the consulting mailing list