Opened 6 years ago

Closed 6 years ago

#10089 closed Bug (fixed)

<script> tag is not filtered out

Reported by: Wiktor Walc
Owned by: Piotrek Koszuliński
Priority: Normal
Milestone: CKEditor 4.1 RC
Component: General
Version:
Keywords:
Cc:

Description

Thanks to #9829 CKEditor now creates HTML content which contains only allowed HTML tags.

The problem is that the <script> tag can still be inserted in source mode and is not properly removed, even though there isn't any rule that would allow it (in editor.filter.allowedContent). So it looks like this tag has been somehow forgotten.

I believe we should:

a) remove the <script> tag completely by default, leaving it to the developer to specify it in config.extraAllowedContent

OR

b) eventually specify it in config.extraAllowedContent by default. However, if config.extraAllowedContent is set to an empty string, the tag should still be removed.

Also, in the case of the <script> tag, we should simply remove the tag if it's forbidden, without leaving the inner content in the editor.

Change History (6)

comment:1 Changed 6 years ago by Wiktor Walc

Milestone: CKEditor 4.1

comment:2 Changed 6 years ago by Jakub Ś

Status: new → confirmed

comment:3 Changed 6 years ago by Piotrek Koszuliński

Owner: set to Piotrek Koszuliński
Status: confirmed → assigned

comment:4 Changed 6 years ago by Piotrek Koszuliński

Status: assigned → review

Pushed t/10089 on dev and tests.

<(no)script> tags are by default removed, but may be passed if added to (extra)AllowedContent.

comment:5 Changed 6 years ago by Frederico Caldeira Knabben

Status: review → review_passed

comment:6 Changed 6 years ago by Piotrek Koszuliński

Resolution: fixed
Status: review_passed → closed

Merged to major with git:f35bd1f on dev and b9e9dd8 on tests.
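
The policy requested in the description and adopted in comment:4, sketched as an added example. It is not CKEditor's implementation and not a production sanitizer. `filterHtml`, `escapeText` and the `allowed` set are hypothetical stand-ins for the editor's allowed-content rules; attributes are discarded for simplicity.

```javascript
// Added illustration, not CKEditor code: a toy tag allowlist modelling the
// policy in this ticket. Forbidden <script>/<noscript> lose tag AND content;
// other forbidden tags are only unwrapped (their text is kept).
const DROP_WITH_CONTENT = new Set(['script', 'noscript']);

// `allowed` is a Set of lowercase tag names (hypothetical stand-in for
// allowedContent / extraAllowedContent rules).
function filterHtml(html, allowed) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g;
  let out = '';
  let pos = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(pos, m.index)); // text before this tag
    pos = tagRe.lastIndex;
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();

    if (DROP_WITH_CONTENT.has(name) && !closing) {
      // Find the element's end tag, case-insensitively.
      const endRe = new RegExp('</' + name + '\\b[^>]*>', 'ig');
      endRe.lastIndex = pos;
      const end = endRe.exec(html);
      const body = html.slice(pos, end ? end.index : html.length);
      if (allowed.has(name)) {
        // Explicitly allowed: script body is raw text, noscript body is
        // markup and goes through the same filter.
        const inner = name === 'script' ? body : filterHtml(body, allowed);
        out += '<' + name + '>' + inner + '</' + name + '>';
      }
      // Forbidden: nothing is emitted. An unterminated element swallows
      // the rest of the input (fail closed).
      pos = end ? endRe.lastIndex : html.length;
      tagRe.lastIndex = pos;
      continue;
    }
    if (allowed.has(name)) {
      out += '<' + (closing ? '/' : '') + name + '>'; // attributes discarded
    }
    // Any other forbidden tag is unwrapped: markup dropped, text kept.
  }
  return out + escapeText(html.slice(pos));
}

// A leftover "<" or ">" in text must not re-form a tag in the output.
function escapeText(s) {
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
```

Unwrapping is harmless for formatting tags, but applying it to a forbidden script element would leave the script source as visible text in the editor, which is why the ticket asks for the content to be dropped too.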
