Problem/Motivation
CKEditor 5 seem to have an automatic email address detection which converts hello@example.com to mailto: links. This is a documented CKEditor feature at https://ckeditor.com/docs/ckeditor5/latest/features/link.html#adding-def...
When CKEditor 5 is used together with SpamSpan, I see following behavior:
1. HTML Source of the textarea content based on what CKEditor did automatically on the fly for me:
<p>
This is text which includes an email address <a href="mailto:hello@example.com">hello@example.com</a>
</p>
Important part here is that CKEditor created the mailto: hyperlink automatically for me when I wrote this text, I didn't create it manually.
2. Expected result I was hoping to see in the final HTML output after Drupal has rendered the page:
<p>This is text which includes an email address <span class="spamspan"><span class="u">hello</span> [a t] <span class="d">example<span class="o"> [d o t] </span>com</span></span>
3. Actual result what I'm seeing from the input of step 1 above:
<p>This is text which includes an email address <span class="spamspan"><span class="u">hello</span> [a t] <span class="d">example<span class="o"> [d o t] </span>com</span><span class="t"> (hello[at]example[dot]com)</span></span>
Note that there is this thing in parenthesis which is almost cleartext: (hello[at]example[dot]com)
I tried to configure the different permutations of Text formats and editors and it looks to me that this (hello[at]example[dot]com) is produced by SpamSpan module, because if I disable SpamSpan filtering from this text format, I see this in the final HTML output:
<p>This is text which includes an email address <a href="mailto:hello@example.com">hello@example.com</a>
Steps to reproduce
See above. Drupal core 10.1.2 and SpamSpan 3.1.6.
Proposed resolution
It's a pity that CKEditor configurations (in Drupal admin UI) don't seem to have a configuration option that would prevent CKEditor from creating mailto: links on the fly when the user is editing the content.
However, SpamSpan seem to have logic already now that detects that the user input contains mailto: links and when this is detected, SpamSpan obfuscates the email address.
Having said this, I propose that we remove the (hello[at]example[dot]com) part of the final HTML content.
I believe the most elegant way to do this is as follows:
1. Check if the user input contains mailto: links. If yes, remove the hyperlink so that the email address remain as plain text only.
2. After this, obfuscate the address like SpamSpan normally does.
Remaining tasks
Investigate if it's really SpamSpan that produces the (hello[at]example[dot]com) part to the final HTML output.
If confirmed that it's coming from SpamSpan, fix this.
User interface changes
N/A
API changes
N/A
Data model changes
N/A