id,summary,reporter,owner,description,type,status,priority,milestone,component,version,resolution,keywords,cc 11101,Richcombo breaks when given double quotes,Marcus Bointon,Marek Lewandowski,"I'm using the [http://ckeditor.com/addon/strinsert strinsert plugin] to inject HTML snippets into my editor. It works fine for plain-text content, but fails for HTML (and some other markup) content because it doesn't escape it. I traced this to the add function of the richcombo element: {{{ add: function(a, b, c) { this._.items[a] = c || a; this._.list.add(a, b, c) }, }}} The problem here is that ''a'' can contain a string which breaks the HTML. Here's a minimal plugin that demonstrates the problem: {{{ CKEDITOR.plugins.add('mytags', { requires : ['richcombo'], init : function( editor ) { editor.ui.addRichCombo('mytags', { label: 'My tags', title: 'My tags', voiceLabel: 'My tags', className: 'cke_format', multiSelect:false, panel: { css: [ editor.config.contentsCss, CKEDITOR.skin.getPath('editor') ], voiceLabel: editor.lang.panelVoiceLabel }, init: function() { this.add('test', 'Test', 'Test'); this.add('""test2""', 'Test2', 'Test2'); this.add('test3', 'Test3', 'Test3'); }, onClick: function( value ) { editor.focus(); editor.fire( 'saveSnapshot' ); editor.insertText(value); editor.fire( 'saveSnapshot' ); } }); } }); }}} The onClick handler can be ignored as the problem arises before it is used; whether you use insertText or insertHTML makes no difference. The first item in the menu contains {{{ test')"" onclick=""CKEDITOR.tools.callFunction(215,'… }}} instead of the expected `Test`, and selecting the malformed menu item this creates results in a `Syntax error: Unexpected EOF` on the console. The second item appears correctly in the menu, but clicking it results in the same syntax error. It appears to be the double quotes that are causing it problems; Removing the double quotes works fine, as demonstrated by the third item. I can't think of any circumstance where you would want this behaviour; there needs to be some form of escaping in the add function to prevent this from happening. This may also apply to other components which add items in a similar way. Since this breaks out of escaping, it might also represent an opportunity for XSS injection.",Bug,closed,Normal,CKEditor 4.3.1,General,,fixed,,