Scripts getting executed in preview mode.

[Rajasimhan]

Enable source mode and enter javscript code. Come out of the source mode and click the preview button. The javascript will be executed. The JS execution will lead to security issues and must be fixed.

Replication: 1) copy the following script in source mode and click the preview button.

&lt;&gt;<iframe frameborder="0" height="200" scrolling="no" src="​http://www.oracle.com" width="250"></iframe><script>alert('Executing script');</script>.

We would like to have the issue fixed in 3.6.2 and 3.5.3.

[Rajasimhan]

I would like to set the priority to urgent as it is a critical security issue.

[Wiktor Walc]

Could you explain why it is a security issue? If user do not have rights to submit <script> tags, all unsafe content should be stripped down on the server side, before saving it in the database.

This way, even if submitted content will be edited later by an administrator with all permissions, the <script> tag will be no longer there.

On the other side, if user without rights to use <script> tags, will place a <script> in CKEditor and then "execute" it in preview mode, he will do only the same thing that he could do using e.g. Firebug, he do not need CKEditor for that.

[Jakub Ś]

@Rajasimhan any updates to the above comment?

[Rajasimhan]

Hi,

I had been on vacation and kindly bear with the delay in reply.

We can control the script tags when it is being saved to the database. What we require is to control the execution of scripts from within ckeditor. As you had mentioned, we can also execute scripts via firebug but the point here is that that we do not want any script execution via the ckeditor as ckeditor is integrated into our product.

Thanks Raj

[Wiktor Walc]

1) I think it's important to really understand one thing. Anyone that is capable to inject

<script>alert('Executing script');</script>

in Source mode of CKEditor is also smart enough to execute the same script in Firebug, Dragonfly etc. JavaScript is executed in the browser, user will not delete files on the server this way etc.

2)

We can control the script tags when it is being saved to the database.

That's the way to go. It means that when the code saved by malicious user is loaded directly from the database, there is no JS to execute.

If malicious user injects the JavaScript code directly in CKEditor, then see point 1).

3) There is one more thing to understand.

In WYSIWYG mode in CKEditor tries to protect the code that could break the data, e.g. by hiding <script> tags or changing <iframe> and <flash> elements into fake elements.

When the Preview button is pressed, user should see exactly what he provided. It means that all the onevent handlers work there, as well as JavaScript code included in <script> tags AND also e.g. JavaScript code included in: flash elements or in iframes. All these tags may contain JS code that will be executed "on your page".

If you really need to strip all the places where the JS code may be executed, then you need to write your own Preview plugin, that would:

• send the HTML code to the server,
• on the server side strip down all the unsafe code, using the same engine that is used by your application when saving the code in the database
• send the "safe" code back to CKEditor to render it in Preview mode.

Of course, in m opinion, it does not make sense at all, due to 1).

[Alfonso Martínez de Lizarrondo]

Everything that Wiktor has said about the "problem" is correct; but with regards to the solution, such plugin already exists: ​http://cksource.com/forums/viewtopic.php?f=18&t=23604

Although I think that a better solution would be to create a plugin that applies a white-list of tags and attributes to the contents so even if the users inserts any undesired tag in source mode, it's stripped out when it goes back to design mode.

Such plugin would be useful for other people that only want to allow a set of tags.

[Rajasimhan]

Hi,

Thanks for the clarifications. Here is one more scenario where I can execute the scripts.

1. Input any text and click add link button.
2. Link page shows up.
3. Input "javascript:alert(1)" in the URL,Protocol select as <other> and click OK.
4. Click preview button and preview page shows up.
5. Click the link, the javascript will get fired.

[Jakub Ś]

Hi,

But this is just another example that has the same answer - there is no security issue and if you really need stripping script tags you should handle it yourself:

1. You can do this on server-side
2. Write your own preview plugin
3. Use plugin suggested by @alfonsoml ​http://cksource.com/forums/viewtopic.php?f=18&t=23604

Closing the ticket.

[Rajasimhan]

Copy Pasting email correspondence over this ticket.

From: Frederico Knabben f.knabben@… Sent: Friday, August 31, 2012 5:06 PM To: Senthil Kumaran Cc: Rajasimhan Baskar; Pramod Agrawal Subject: Re: Oracle - Reg removal of protocol type 'Other' from Links Plug-in

Hi Senthil,

Even the browser URL bar can be used to inject malicious scripts, so no client solution will be ever good. It is just useless code overload. A good system is not the one that guarantees good client side code, but the one that guarantees it on the server side.

In any case, if you just want to have piece of mind, please open a ticket for it. It'll not be a big issue to add this check, but I reiterate that this will be totally useless work.

Let me know the ticket number then.

Thanks, Fred -- Frederico Knabben CEO, CKSource

On Thursday, 30 August 2012 at 08:25, Senthil Kumaran wrote: Hi Fred, I can understand that there are many ways to inject the code at the client side. But when the PeopleSoft session is active/alive, if we allow the hacker to inject any java-scripts using our delivered interface is a serious issue for us. As an example- if the firebug allows to inject the scripts, customer will decide whether to allow it or not based on their security policy. So from our delivered software, we are not supposed to allow the scripts to be injected at the client side. And fixing the Links plug-in is not going to cause any editor performance issue since it is not loaded always. Since the client side XSS is not allowed by our security policy, please consider this use case. Thanks, Senthil Kumaran Oracle India Pvt Ltd Bangalore

[Rajasimhan]

Fred,

Please reopen this ticket and provide a fix for it.

Thanks Rajasimhan Oracle

[Frederico Caldeira Knabben]

We agreed to have it fixed in the linked plugin. This ticket is about something much bigger, where only a server side solution is valid.

We're not reopening this ticket.

[Rajasimhan]

Should I then create a new ticket requesting a fix in links plugin?