Opened 13 years ago
Closed 13 years ago
#10089 closed Bug (fixed)
<script> tag is not filtered out
| Reported by: | Wiktor Walc | Owned by: | Piotrek Koszuliński |
|---|---|---|---|
| Priority: | Normal | Milestone: | CKEditor 4.1 RC |
| Component: | General | Version: | |
| Keywords: | | Cc: | |
Description
Thanks to #9829 CKEditor now creates HTML content which contains only allowed HTML tags.
The problem is that the <script> tag can still be inserted in source mode and is not properly removed, even though there isn't any rule that would allow it (in editor.filter.allowedContent). So it looks like this tag has been somehow forgotten.
I believe we should:
a) remove the <script> tag completely by default, leaving it to the developer to specify it in config.extraAllowedContent
OR
b) eventually specify it in config.extraAllowedContent by default. However, if config.extraAllowedContent is set to an empty string, the tag should still be removed.
Also, in the case of the <script> tag, we should simply remove the tag if it's forbidden, without leaving the inner content in the editor.
Change History (6)
comment:1 Changed 13 years ago by
| Milestone: | → CKEditor 4.1 |
|---|
comment:2 Changed 13 years ago by
| Status: | new → confirmed |
|---|
comment:3 Changed 13 years ago by
| Owner: | set to Piotrek Koszuliński |
|---|---|
| Status: | confirmed → assigned |
comment:4 Changed 13 years ago by
| Status: | assigned → review |
|---|
comment:5 Changed 13 years ago by
| Status: | review → review_passed |
|---|
comment:6 Changed 13 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | review_passed → closed |
Merged to major with git:f35bd1f on dev and b9e9dd8 on tests.

Pushed t/10089 on dev and tests.
<(no)script> tags are by default removed, but may be passed if added to (extra)AllowedContent.
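
The behaviour requested in the description and confirmed in the last comment, sketched as an added example that is not part of the ticket and is not CKEditor's filter code: disallowed elements are normally unwrapped, while <script> and <noscript> are dropped together with their content unless a rule allows them. The node objects, the space-separated rule format and all function names are assumptions made for this illustration.

```javascript
// Added illustration, not CKEditor's filter code. Nodes are plain objects:
// text { text: '...' } or element { name: 'p', children: [...] }.

// Elements removed together with their content when not allowed; unwrapping
// them would leave their body behind as text in the editor.
const DROP_WITH_CONTENT = new Set(['script', 'noscript']);

// Assumed simplified rule format: space-separated element names.
function buildAllowed(allowedContent, extraAllowedContent) {
  const rules = `${allowedContent} ${extraAllowedContent || ''}`;
  return new Set(rules.toLowerCase().split(/\s+/).filter(Boolean));
}

// Returns the nodes that replace `node` after filtering.
function filterNode(node, allowed, dropWithContent = DROP_WITH_CONTENT) {
  if (typeof node.text === 'string') return [node];
  const name = node.name.toLowerCase();
  if (!allowed.has(name) && dropWithContent.has(name)) return [];
  const children = node.children.flatMap(c => filterNode(c, allowed, dropWithContent));
  // Other disallowed elements are unwrapped: the tag goes, the content stays.
  return allowed.has(name) ? [{ name, children }] : children;
}

const escapeText = s =>
  s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');

// Text inside an allowed <script> is emitted raw; all other text is escaped.
function serialize(nodes, raw = false) {
  return nodes.map(n => typeof n.text === 'string'
    ? (raw ? n.text : escapeText(n.text))
    : `<${n.name}>${serialize(n.children, n.name === 'script')}</${n.name}>`).join('');
}

function filterHtmlTree(nodes, allowedContent, extraAllowedContent, dropWithContent) {
  const allowed = buildAllowed(allowedContent, extraAllowedContent);
  return serialize(nodes.flatMap(n => filterNode(n, allowed, dropWithContent)));
}

// Constructed sample: <p>Hello <font>world</font></p><script>init()</script>
const SAMPLE = [
  { name: 'p', children: [
    { text: 'Hello ' },
    { name: 'font', children: [{ text: 'world' }] }] },
  { name: 'script', children: [{ text: 'init()' }] },
];

console.log(filterHtmlTree(SAMPLE, 'p strong em'));                // script dropped with content
console.log(filterHtmlTree(SAMPLE, 'p strong em', 'script'));      // script explicitly allowed
console.log(filterHtmlTree(SAMPLE, 'p strong em', '', new Set())); // unwrap-only: body leaks as text
```

The last call passes an empty drop set to show why unwrapping alone is not enough for <script>: the tag disappears but its body stays in the output as text.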