
Thread: [nbsp] auto-inputed?

  1. #1
    User
    Join Date
    10-15-10.
    Posts
    279

    Default [nbsp] auto-inputed?

    Every so often when I create/edit any type of text element (articles, news, etc.), Contao will automatically input a [nbsp] into random spots of my text. Sometimes up to 10+ of them. And it's not even [&nbsp] so it's just inputting it as plain text [nbsp]. This occurs just editing text without going into html... using the default text settings. Any ideas on why this happens?

    ~Mecha

  2. #2
    Experienced user
    Join Date
    06-10-09.
    Location
    Cape Town, South Africa
    Posts
    1,387

    Default Re: [nbsp] auto-inputed?

    Normally when you paste text into TinyMCE, it inserts smart spaces e.g. [nbsp] which is the TinyMCE (and Contao) version of the correct HTML code namely &nbsp;. You can remove them if you like using a search replace, or you can just leave them. Normally they are harmless as they are just spaces that prevent breaking from occurring over them.

    Contao converts any [nbsp] to &nbsp; automatically for you.

  3. #3
    User
    Join Date
    10-15-10.
    Posts
    279

    Default Re: [nbsp] auto-inputed?

    ahhhh i see. the thing i find weird is that it doesn't place it into every space, only random ones, and sometimes they reappear later on even though I haven't done anything with the content =/. It's creepy -_-

  4. #4
    User
    Join Date
    06-29-09.
    Posts
    271

    Default Re: [nbsp] auto-inputed?

    The reason it isn't being placed at every space is obvious when you consider what a non-breaking-space (nbsp) does. You'd be asking to have the entire text on one line, never breaking it onto the next where it would normally choose the most convenient space to do so...

    I'm still not sure what rules tinyMCE follows to insert the [nbsp], but I imagine it is everywhere there are two or more spaces next to each other. Standard browser behaviour is to compact multiple white spaces into a single one. The exception to this rule is when nbsps are used. (or the char code 160)

  5. #5
    User
    Join Date
    12-07-10.
    Location
    Nijmegen, the Netherlands
    Posts
    36

    Default Re: [nbsp] auto-inputed?

    Vera is right.

    Whenever you have two spaces, tinyMCE replaces this with [nbsp] plus a regular space.
    And whenever you enter two returns in a row you are asking for one empty paragraph followed by another paragraph (possibly with text) and it places the [nbsp] in the first paragraph resulting in the following view in tinyMCE:

    Code:
    Two spaces[nbsp] in a row
    
    [nbsp]
    
    An empty paragraph above.

  6. #6
    User
    Join Date
    10-15-10.
    Posts
    279

    Default Re: [nbsp] auto-inputed?

    even if i disable tinymce css?

  7. #7
    User
    Join Date
    08-15-09.
    Location
    Sweden
    Posts
    82

    Default Re: [nbsp] auto-inputed?

    To remove the [nbsp] you can edit tinyCustom.php. Edit this line into this:
    Code:
    entities : "60,lt,62,gt,173,shy",
    For more information about tinyCustom.php and customizing TinyMCE, please read "How to customize the Rich Text Editor" in the developer's guide.

  8. #8
    User
    Join Date
    08-15-09.
    Location
    Sweden
    Posts
    82

    Default Re: [nbsp] auto-inputed?

    Hmm, I found this forum post by Leo about the [nbsp]. He says that it is a Contao specific feature. Not used in the original TinyMCE.

    He also says that it has to be there to "escape the XSS class". Does he mean Cross-site Scripting? Does it in that case mean that the [nbsp] has to be there for security reasons?

  9. #9
    Experienced user
    Join Date
    06-10-09.
    Location
    Cape Town, South Africa
    Posts
    1,387

    Default Re: [nbsp] auto-inputed?

    Yep XSS is an attack method making the CMS vulnerable. This provides a slick way to remove the necessity to htmlencode double. I think it's an elegant solution to make non-printable characters visible with this "string"

  10. #10
    User
    Join Date
    08-15-09.
    Location
    Sweden
    Posts
    82

    Default Re: [nbsp] auto-inputed?

    I don't know the details how XSS works, but can anyone explain in a simple way how a &nbsp; would be used in a XSS attack? I don't see how that would be possible.

  11. #11
    Experienced user
    Join Date
    01-12-10.
    Posts
    814

    Default Re: [nbsp] auto-inputed?

    Quote Originally Posted by Ola
    I don't know the details how XSS works, but can anyone explain in a simple way how a &nbsp; would be used in a XSS attack? I don't see how that would be possible.
    I think that single quotes are the problem as they may end a string when evaluated. That could then relate to the &nbsp; because they can both be inputted as html entities. If you deny the use of these entities you cannot put in a single quote or whatever else is damaging, but also the &nbsp; can't be used.

    Or at least I imagine that is the reason. There may be more to it...

  12. #12
    User
    Join Date
    10-15-10.
    Posts
    279

    Default Re: [nbsp] auto-inputed?

    I'm pretty curious about it as well... but I'm not gonna ask any questions. If Leo knows all the details about it, let's keep it that way :D . Rather it not be said and leave it in the fog, and keep it less likely that people will discover how to hack our clients' sites or our personal sites you know?

  13. #13
    User
    Join Date
    08-15-09.
    Location
    Sweden
    Posts
    82

    Default Re: [nbsp] auto-inputed?

    Quote Originally Posted by mechaflash
    Rather it not be said and leave it in the fog, and keep it less likely that people will discover how to hack our clients' sites or our personal sites you know?
    But if it is possible to do a XSS attack by using the &nbsp; then the attacker already must have access to the backend to do any harm. Therefore I don't see this to be of any problem.
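
An added illustration of the double-encoding point raised in posts #9 and #11 (not Contao's or TinyMCE's code; the filter behaviour and every function name here are assumptions): if the save-time filter encodes every `&`, no typed entity survives as an entity, so the non-breaking space travels as the literal token [nbsp] and is mapped to `&nbsp;` only on output.

```javascript
// Added illustration; all names are hypothetical, not Contao's API.

// Assumed input filter: every "&" and markup character is encoded on save,
// so a user-typed entity (e.g. &#39; for a single quote) is stored as text.
function filterInput(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Editor side: a non-breaking space (U+00A0, char code 160) is sent as the
// literal token [nbsp], which contains nothing the filter needs to encode.
function editorSerialize(text) {
  return text.replace(/\u00a0/g, "[nbsp]");
}

// Output side: only the one fixed token is mapped back to an entity.
function renderOutput(stored) {
  return stored.replace(/\[nbsp\]/g, "&nbsp;");
}

function roundTrip(text) {
  return renderOutput(filterInput(editorSerialize(text)));
}

// Constructed samples, not taken from the thread.
function demo() {
  return {
    // Token path: the space survives the filter and is rendered as an entity.
    token: roundTrip("10\u00a0km"),
    // Entity path: the filter double-encodes it, so the page would show
    // the literal text "&nbsp;" instead of a space.
    entity: renderOutput(filterInput("10&nbsp;km")),
    // Entities and markup typed by a user stay inert after the round trip.
    typed: roundTrip("it&#39;s <b>bold</b>"),
  };
}

console.log(demo());
```

Because the output step rewrites only the fixed string [nbsp], a user who types the token by hand gets a non-breaking space and nothing more.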
