FCKeditor JavaScript API throws "Security error" code: "1000" when I attempt SetHTML()

Question

After opening a webpage with exatly one FCKeditor window in it, I get the instance:

i = FCKeditorAPI.GetInstance( "txtText" )

This works. I am also allowed:

i.GetHTML() #=> <div class=".... etc., correct output

But when trying

i.SetHTML( "<h1>Quux</h1>" )

I get:

[Exception... "Security error" code: "1000" nsresult: "0x805303e8 (NS_ERROR_DOM_... etc. ]

I have an uncertain feeling, that in past, I was able to change the FCKeditor window contents with SetHTML(), but I'm not completely sure. What to do?

In response to the comment, my HTML is

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="cs" lang="cs">

<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1250" />
<meta http-equiv="Content-language" content="cs" />
<meta http-equiv="expires" content="-1" />
<meta http-equiv="pragma" content="no-cache" />
<meta http-equiv="cache-control" content="private" />
<title>Foo | Bar | WebMaker | FOO.CZ</title>
<style type="text/css" media="screen">/*<![CDATA[*/@import url(http://webmaker.ooo.cz/_design/style.css);/*]]>*/</style>
<script type="text/javascript" src="http://webmaker.ooo.cz/common.js"></script>
</head>

<body>
<div id="header">
        <span><a href="http://webmaker.ooo.cz/logout.aspx">Logout</strong></span>
</div>
    <div id="main">

        <div id="content">
            <div id="tabmenu">

            </div><!-- /tabmenu -->
            <dif id="tabcontent">
              <form name="_ctl2" method="post" action="detail.aspx?article=14599" id="_ctl2">
<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET" value="" />
<input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT" value="" />
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE"     value="/wEPDwULLTE2MTEzz0iZG9.....reallllly..looong...strin......6qKb5or30J5DCLKTCaFR/xc8TPHb9A=" />

<script type="text/javascript">
  <!--
      var theForm = document.forms['_ctl2'];
      if (!theForm) {
          theForm = document._ctl2;
      }
      function __doPostBack(eventTarget, eventArgument) {
          if (!theForm.onsubmit || (theForm.onsubmit() != false)) {
              theForm.__EVENTTARGET.value = eventTarget;
              theForm.__EVENTARGUMENT.value = eventArgument;
              theForm.submit();
          }
      }
   // -->
</script>

<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEWEQ...vsyXR4=" />
    <div class="data">
    <fieldset>
<legend>Text článku</legend>

<div><input type="hidden" id="txtText" name="txtText" value="FCK editor window contents here." /><input type="hidden" id="txtText___Config" value="HtmlEncodeOutput=true" /><iframe id="txtText___Frame" src="http://webmaker.ooo.cz/_wysiwyg/editor/fckeditor.html?InstanceName=txtText&amp;Toolbar=WebMaker" width="100%" height="400px" frameborder="no" scrolling="no"></iframe></div>  
<input type="button" onclick="GetWordsCount('txtText___Frame')" value="Zobrazit počet slov v článku" />
    </fieldset>

    <!-- There are some more fieldsets here and a submit button. -->

                  </div><!-- .data -->
              </form>
            </div><!-- tabcontent -->
</div><!-- /main -->
</body>
</html>

Answer 1

FCKeditor's SetHTML method relies on a document.write call to replace the content in the edit control. Unfortunately document.write does not work from within the Web Console on Firefox.

This is a known bug: Using document.write inside Scratchpad window brings up 'Security error undefined' in Web Console

I know that error says Scratchpad and the error message is different but it's the same problem. Note this comment from David Chan (Mozilla Security Researcher):

This appears to be another bug from running WebConsole / ScratchPad in a sandbox.

The reason you probably remember being able to do this in the past is because it works in FireBug, and it works in Chrome. You've probably used one of those environments in the past when working with a FCKeditor control.

Answer 2

Pretty sure this is some cross domain issue where you probably think you're running on the same domain but actually are not. I would have to inspect the actual page this runs on to really be able to help you out, but try loading all the relevant fckeditor files using relative file paths (optionally from the root) and never include the actual domain, that will prevent a lot of trouble in general (what for example otherwise may happen is you being on example.com but loading files from www.example.com or similar problems).

The odd thing is that you shouldn't be able to read files then either, but the triggered error is about unpriviliged actions which are nearly always cross domain issues (or some very tricky cross script context issues, but those are mostly only relevant if you develop addons).

Answer 3

If your javascript is coming from "http://webmaker.ooo.cz/...", then it's possible you're getting a domain issue if you're browsing the website under a different subdomain than the javascript is being pulled from. I'm not sure of a fix, and I'm not sure that's necessarily what's wrong. Just a possibility. I'd suggest trying to put the javascript you're using in the page with the html just to make sure the code itself actually works.