Consistent use of single quote entity #9211

Open
wants to merge 1 commit into
base: main

@Jojoshua Jojoshua commented Nov 30, 2023

Using &#39 is problematic with certain frameworks. We used to get around this using the following code in v4:

```ts
setup: function (editor: Editor) {
  // v4 workaround: rewrite the numeric apostrophe entity when content is saved
  editor.on("SaveContent", function (i) {
    i.content = i.content.replace(/&#39/g, "&apos");
  });
},
```

However, this doesn't work in v6 anymore.

@TheSpyder
Member

The SaveContent event has a very specific use case. Try GetContent, that should work for any scenario where content is retrieved from the editor.

@Jojoshua
Author

Jojoshua commented Dec 4, 2023

> The SaveContent event has a very specific use case. Try GetContent, that should work for any scenario where content is retrieved from the editor.

The scenario is that I am triggering save on all the TinyMCE's on the page and I need this replacement to happen at that time before I post it to the server. Is GetContent going to work when save is triggered? If the single quote doesn't get converted to apos, the .net framework thinks it's being attacked.

@TheSpyder
Member

> Is GetContent going to work when save is triggered?

Yes. The event is dispatched every time getContent() is called, and the event is able to mutate the content as a string.

```ts
const processedEventArgs = withSerializedContent(
  content,
  (content) => Events.fireGetContent(editor, { ...args, content }),
  { sanitize: Options.shouldSanitizeXss(editor), sandbox_iframes: Options.shouldSandboxIframes(editor) }
);
return processedEventArgs.content;
```
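
The GetContent approach described in the comment above, as an added example that is not part of the original thread or TinyMCE's own code; the helper names and the stub editor are hypothetical, constructed so the block runs without TinyMCE. Unlike a bare `/&#39/g`, the pattern matches only complete references to U+0027, so a longer reference such as `&#390;` is left intact.

```javascript
// Added example. normalizeApostrophe, registerApostropheFix and makeStubEditor
// are hypothetical names, not TinyMCE APIs.

// Complete numeric references to U+0027 only: &#39; &#039; &#x27; &#X0027;
const APOSTROPHE_REF = /&#(?:0*39|[xX]0*27);/g;

function normalizeApostrophe(html) {
  return html.replace(APOSTROPHE_REF, '&apos;');
}

// Pass as the `setup` callback; GetContent fires on every getContent() call.
function registerApostropheFix(editor) {
  editor.on('GetContent', (e) => {
    // Non-string content (for example a node tree) is passed through untouched.
    if (typeof e.content === 'string') {
      e.content = normalizeApostrophe(e.content);
    }
  });
}

// Constructed stand-in for an editor: stores handlers and dispatches
// GetContent with mutable event args, mirroring the behaviour described above.
function makeStubEditor(rawContent) {
  const handlers = {};
  return {
    on(name, fn) {
      (handlers[name] = handlers[name] || []).push(fn);
    },
    getContent(args = {}) {
      const e = { ...args, content: rawContent };
      (handlers.GetContent || []).forEach((fn) => fn(e));
      return e.content;
    },
  };
}

// Constructed sample: two apostrophe forms, one unrelated reference (&#390;)
// and one unterminated reference that is deliberately not rewritten.
function demo() {
  const editor = makeStubEditor('<p>it&#39;s &#x27;ok&#x27; &#390; &#39</p>');
  registerApostropheFix(editor);
  return editor.getContent();
}
```

With a real editor the handler is wired up as `tinymce.init({ selector: 'textarea', setup: registerApostropheFix })`. As noted later in this thread, `&apos;` is not an HTML 4 named entity, so this suits output that only HTML5-aware renderers will consume.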

@spocke
Member

spocke commented Dec 19, 2023

The reason why we don't use apos here is that it's not a valid HTML 4 entity. So at the time of writing that code there were browsers that didn't support the apos entity, for example IE. However, I failed to find out which exact IE versions don't support it.

Here are the entities in the HTML4 spec; notice that apos is not there:
https://www.w3.org/TR/REC-html40/sgml/entities.html

However it is in this HTML5 reference:
https://html.spec.whatwg.org/multipage/named-characters.html#named-character-references

Since this is such a central thing and the HTML that the editor generates could in theory still be displayed on old IE based HTML renderers, I'm not confident that we can just change this without having some form of option to configure it back to the old IE legacy mode.

@Jojoshua
Author

I figured it was an IE thing. I will try a flag.

@spocke
Member

spocke commented Dec 19, 2023

Curious what dotnet sanitization framework requires apos over numeric entities? Want to see if I can reproduce the issue and estimate how common this problem is.

@Jojoshua
Author

> Curious what dotnet sanitization framework requires apos over numeric entities? Want to see if I can reproduce the issue and estimate how common this problem is.

In my scenario it is ASP.NET MVC. If you google search something like tinymce single quote .net you can find posts of the issue.

To reproduce just set tinymce option encoding: 'xml' then try to post it to the server.
