Unexpected behavior together with CKEditor 5 automatic email address detection

Created on 4 August 2023, 11 months ago
Updated 14 September 2023, 10 months ago

Problem/Motivation

CKEditor 5 seems to have an automatic email address detection which converts hello@example.com to mailto: links. This is a documented CKEditor feature at https://ckeditor.com/docs/ckeditor5/latest/features/link.html#adding-def...

When CKEditor 5 is used together with SpamSpan, I see the following behavior:

1. HTML Source of the textarea content based on what CKEditor did automatically on the fly for me:

<p>
This is text which includes an email address <a href="mailto:hello@example.com">hello@example.com</a> 
</p>

The important part here is that CKEditor created the mailto: hyperlink automatically for me when I wrote this text; I didn't create it manually.

2. Expected result I was hoping to see in the final HTML output after Drupal has rendered the page:

<p>This is text which includes an email address <span class="spamspan"><span class="u">hello</span> [a t] <span class="d">example<span class="o"> [d o t] </span>com</span></span>

3. Actual result that I'm seeing from the input of step 1 above:

<p>This is text which includes an email address <span class="spamspan"><span class="u">hello</span> [a t] <span class="d">example<span class="o"> [d o t] </span>com</span><span class="t"> (hello[at]example[dot]com)</span></span>

Note that there is this thing in parentheses which is almost cleartext: (hello[at]example[dot]com)

I tried to configure the different permutations of Text formats and editors and it looks to me that this (hello[at]example[dot]com) is produced by SpamSpan module, because if I disable SpamSpan filtering from this text format, I see this in the final HTML output:

<p>This is text which includes an email address <a href="mailto:hello@example.com">hello@example.com</a>

Steps to reproduce

See above. Drupal core 10.1.2 and SpamSpan 3.1.6.

Proposed resolution

It's a pity that CKEditor configurations (in Drupal admin UI) don't seem to have a configuration option that would prevent CKEditor from creating mailto: links on the fly when the user is editing the content.

However, SpamSpan already seems to have logic that detects that the user input contains mailto: links, and when this is detected, SpamSpan obfuscates the email address.

Having said this, I propose that we remove the (hello[at]example[dot]com) part of the final HTML content.

I believe the most elegant way to do this is as follows:
1. Check if the user input contains mailto: links. If yes, remove the hyperlink so that the email address remains as plain text only.
2. After this, obfuscate the address like SpamSpan normally does.

Remaining tasks

Investigate if it's really SpamSpan that adds the (hello[at]example[dot]com) part to the final HTML output.

If confirmed that it's coming from SpamSpan, fix this.

User interface changes

N/A

API changes

N/A

Data model changes

N/A

🐛 Bug report
Status

Active

Version

3.1

Component

Code

Created by

🇫🇮Finland masipila
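
The two-step resolution proposed in the issue above (unwrap the auto-created mailto: link, then obfuscate the plain address), as an added PHP example. It is not SpamSpan's code: the `example_*` function names, the `EXAMPLE_ADDR` pattern and the sample input are assumptions made for illustration, and only the span markup is taken from the expected result quoted in the issue.

```php
<?php
// Added example; function names are hypothetical, not SpamSpan's API.

// Simplified address pattern (an assumption): group 1 = user, group 2 = domain.
const EXAMPLE_ADDR = '([A-Za-z0-9._%+-]+)@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)';

// Step 1: unwrap <a href="mailto:X">X</a> when the link text is the address
// itself (what CKEditor 5 autolinking produces). Anchors with custom text or
// with extra mailto parameters are left untouched.
function example_unwrap_mailto(string $html): string {
  return preg_replace_callback(
    '~<a\b[^>]*\bhref="mailto:' . EXAMPLE_ADDR . '"[^>]*>(.*?)</a>~is',
    static function (array $m): string {
      $address = $m[1] . '@' . $m[2];
      $text = trim(html_entity_decode(strip_tags($m[3])));
      return strcasecmp($text, $address) === 0 ? $address : $m[0];
    },
    $html
  );
}

// Step 2: emit the span markup the issue lists as the expected result.
function example_obfuscate(string $user, string $domain): string {
  $d = str_replace('.', '<span class="o"> [d o t] </span>', $domain);
  return '<span class="spamspan"><span class="u">' . $user
    . '</span> [a t] <span class="d">' . $d . '</span></span>';
}

function example_filter(string $html): string {
  // Split into text (even indexes) and tags (odd indexes) so that an
  // address inside an attribute value is never rewritten.
  $parts = preg_split('~(<[^>]*>)~', example_unwrap_mailto($html), -1,
    PREG_SPLIT_DELIM_CAPTURE);
  foreach ($parts as $i => $part) {
    if ($i % 2 === 0) {
      $parts[$i] = preg_replace_callback(
        '~' . EXAMPLE_ADDR . '~',
        static fn(array $m): string => example_obfuscate($m[1], $m[2]),
        $part
      );
    }
  }
  return implode('', $parts);
}

// Constructed input matching step 1 of the issue.
echo example_filter('<p>This is text which includes an email address '
  . '<a href="mailto:hello@example.com">hello@example.com</a></p>'), "\n";
```

Because the anchor is removed before obfuscation, the output carries no second, weaker rendering of the address such as the parenthesised `(hello[at]example[dot]com)` text.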


Comments & Activities

  • Issue created by @masipila
  • 🇯🇵Japan tyler36 Osaka

    Came across this issue and will add my experience.

    I'm using a Paragraph block that uses a textfield with Basic HTML CKEditor 5, that contains an email address.

    When I view the page source code, I see (with the quotes):
    "Mail: admin@example.com"

    If I enable Spamspan, the code changes to:
    "Mail:" <a href="mailto:admin@example.com" class="spamspan">admin@example.com</a>

    If I move Spamspan to the top of the Filter processing order (i.e. it has the lowest weight), I get the following:
    "Mail: admin [at] example.com"

    On my site, moving Spamspan to the top only causes Spamspan to run before "Limit allowed HTML tags and correct faulty HTML"
    Regardless of its weight, if Spamspan is enabled, the following test passes:
    $this->assert->pageTextNotContains('admin@example.com');

    Drupal: 10.1.3
    Spamspan: ^3.1
