﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc
11101	Richcombo breaks when given double quotes	Marcus Bointon	Marek Lewandowski	"I'm using the [http://ckeditor.com/addon/strinsert strinsert plugin] to inject HTML snippets into my editor. It works fine for plain-text content, but fails for HTML (and some other markup) content because it doesn't escape it. I traced this to the add function of the richcombo element:

{{{
add: function(a, b, c) {
    // a = item value (placed unescaped into the generated markup), b = label, c = title
    this._.items[a] = c || a;
    this._.list.add(a, b, c);
},
}}}
The problem here is that ''a'' can contain a string which breaks the HTML. Here's a minimal plugin that demonstrates the problem:

{{{
CKEDITOR.plugins.add('mytags',
{
    requires : ['richcombo'],
    init : function( editor )
    {
        editor.ui.addRichCombo('mytags',
        {
            label: 'My tags',
            title: 'My tags',
            voiceLabel: 'My tags',
            className: 'cke_format',
            multiSelect:false,
            panel:
            {
                css: [ editor.config.contentsCss, CKEDITOR.skin.getPath('editor') ],
                voiceLabel: editor.lang.panelVoiceLabel
            },
        
            init: function()
            {
                // value is HTML containing a double-quoted attribute
                this.add('<span class=""test"">test</span>', 'Test', 'Test');
                // value is a plain string wrapped in double quotes
                this.add('""test2""', 'Test2', 'Test2');
                // value without double quotes, works as expected
                this.add('test3', 'Test3', 'Test3');
            },
            onClick: function( value )
            {
                editor.focus();
                editor.fire( 'saveSnapshot' );
                editor.insertText(value);
                editor.fire( 'saveSnapshot' );
            }
        });
    }
});
}}}

The onClick handler can be ignored as the problem arises before it is used; whether you use insertText or insertHTML makes no difference.

The first item in the menu contains
{{{
test')"" onclick=""CKEDITOR.tools.callFunction(215,'…
}}}
instead of the expected `Test`, and selecting the malformed menu item this creates results in a `Syntax error: Unexpected EOF` on the console. The second item appears correctly in the menu, but clicking it results in the same syntax error. It appears to be the double quotes that are causing it problems; removing the double quotes works fine, as demonstrated by the third item.

I can't think of any circumstance where you would want this behaviour; there needs to be some form of escaping in the add function to prevent this from happening. This may also apply to other components which add items in a similar way.

Since this breaks out of escaping, it might also represent an opportunity for XSS injection."	Bug	closed	Normal	CKEditor 4.3.1	General		fixed		
