Opened 5 years ago

Closed 5 years ago

Last modified 4 years ago

#9289 closed Bug (fixed)

JS can be entered using the protocl type 'Other' in links plugin and executed via Preview plugin

Reported by: Rajasimhan Owned by: fredck
Priority: Normal Milestone: CKEditor 3.6.5
Component: General Version: 3.0
Keywords: Oracle Cc: senthil.kumaran@…


Links plugin has a protocol type called 'other' using which one can enter javascript. When the user previews the content the javascript gets executed. This capability allows malicious JS to be executed from the peoplesoft product that houses the ckeditor. Links pluign must somehow filter the javascript entered via the url.

Replication steps.

  1. Enter some text, select it and click the links plugin.
  2. Select protocol type 'Other' and provide the following value in the url field 'javascript:alert(1)'. Click ok.
  3. Click the preview plguin. JS will be executed

Attachments (1)

9289.patch (1.1 KB) - added by fredck 5 years ago.

Download all attachments as: .zip

Change History (8)

comment:1 Changed 5 years ago by fredck

We'll introduce a check to avoid accepting javascript: links in the dialog.

comment:2 Changed 5 years ago by j.swiderski

  • Status changed from new to confirmed
  • Version changed from 3.6.3 to 3.0

We'll introduce a check to avoid accepting JavaScript: links in the dialog.

Perhaps this should be made optional with usage of some configuration option? Just in case if there are users that insert such links (users with good intentions :))

Oracle is probably using CKE 3.6.3 so they want this fix to be compatible with this version.

comment:3 Changed 5 years ago by Rajasimhan

Hi, We are currently on ckeditor 3.6.2 and not on 3.6.3. Please provide a fix in 3.6.2. We would also have to backport the fix to 3.5.3 and 3.3.0. Can we apply the same/similar code change to 3.5.3 and 3.3.0 also?

If the fix for 3.5.3 and 3.3.0 is provided by ckeditor then it would be very much appreciated. Otherwise we will have to manually apply the change into the older versions.

Thanks Raj

Changed 5 years ago by fredck

comment:4 Changed 5 years ago by fredck

  • Milestone set to CKEditor 3.6.5
  • Owner set to fredck
  • Status changed from confirmed to review

comment:5 Changed 5 years ago by garry.yao

  • Status changed from review to review_passed

comment:6 Changed 5 years ago by fredck

  • Resolution set to fixed
  • Status changed from review_passed to closed

Fixed with [7603].

comment:7 Changed 4 years ago by TomNM

First, I don't understand how this is a general problem. I disagree with removing the ability to add javascript: links. If the preview merely displayed the link with the correctly href value, why would it fire automatically? Why wouldn't someone just enter their javascript in source mode to fire their malicious script.

Why can't there simply be a protocol option called "javascript"?

Note: See TracTickets for help on using tickets.
© 2003 – 2017 CKSource – Frederico Knabben. All rights reserved. | Terms of use | Privacy policy