Ticket #4380 (new Bug)

Opened 5 years ago

Last modified 4 years ago

Listblock: Stylename containing single quote will crash onclick method

Reported by: mattis Owned by:
Priority: Normal Milestone:
Component: Core : Styles Version:
Keywords: Cc: antony.chandra@…

Description

When a style contains a single quote in its title, it will crash the listblock.

Offending code (plugins/listblock/plugin.js):

add : function( value, html, title )
{
	var pendingHtml = this._.pendingHtml,
		id = 'cke_' + CKEDITOR.tools.getNextNumber();

	if ( !this._.started )
	{
		pendingHtml.push( '<ul class=cke_panel_list>' );
		this._.started = 1;
	}

	this._.items[ value ] = id;

	pendingHtml.push(
		'<li id=', id, ' class=cke_panel_listItem>' +
			'<a _cke_focus=1 hidefocus=true' +
				' title="', title || value, '"' +
				' href="javascript:void(\'', value, '\')"' +
				' onclick="CKEDITOR.tools.callFunction(', this._.getClick(), ',\'', value, '\'); return false;">',
				html || value,
			'</a>' +
		'</li>' );
},

As you can see, 'value' is passed verbatim into the pendingHtml array, which doesn't do anything to escape single quotes.

Change History

comment:1 Changed 5 years ago by mattis

  • Component changed from General to Core : Styles

comment:2 in reply to: ↑ description Changed 4 years ago by antony.chandra

  • Cc antony.chandra@… added

replacing single quotes to its html entity so the ckeditor function call wont break will fix this issue. see the fix below.

Replying to mattis:

When a style contains a single quote in its title, it will crash the listblock.

Offending code (plugins/listblock/plugin.js):

add : function( value, html, title )
{
	var pendingHtml = this._.pendingHtml,
		id = 'cke_' + CKEDITOR.tools.getNextNumber();

	if ( !this._.started )
	{
		pendingHtml.push( '<ul class=cke_panel_list>' );
		this._.started = 1;
	}

	this._.items[ value ] = id;

value = value.replace(/'/g, '\\\'');

pendingHtml.push(

'<li id=', id, ' class=cke_panel_listItem>' +

'<a _cke_focus=1 hidefocus=true' +

' title="', title
value, '"' +

' href="javascript:void(\, value, '\')"' + ' onclick="CKEDITOR.tools.callFunction(', this._.getClick(), ',\, value, '\'); return false;">',

html
value,

'</a>' +

'</li>' );

}, }}}

As you can see, 'value' is passed verbatim into the pendingHtml array, which doesn't do anything to escape single quotes.

Note: See TracTickets for help on using tickets.
© 2003 – 2012 CKSource – Frederico Knabben. All rights reserved. | Terms of use | Privacy policy