Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#12720 closed Bug (invalid)

Cross Site Scripting via href click

Reported by: Mohamed A. Baset
Owned by:
Priority: Normal
Milestone:
Component: General
Version: 4.4.6
Keywords:
Cc:

Description

  1. Go to Source mode
  2. Paste this source code

<p><a href="javascript:alert(document.domain)">Click here to 50 BTC</a></p>

PoC Video: http://youtu.be/3xxLpYg4j3M

Change History (1)

comment:1 Changed 5 years ago by Wiktor Walc

Resolution: invalid
Status: new → closed

The Advanced Content Filter, which is available in CKEditor and is responsible for removing tags/attributes/styles that are not allowed, is not a security filter.

It is possible to skip any client-side validation while entering content, for example by:

  • detaching CKEditor from a textarea by calling the proper API methods in the developer,
  • disabling JavaScript so that the textarea is not replaced by CKEditor at all.

This is the reason why the data validation has to be done on the server side and why this particular case is invalid.

Last edited 5 years ago by Wiktor Walc
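
The server-side validation the comment above calls for, shown as an added example that is not part of the ticket or of CKEditor's code: a Python standard-library sanitizer that rebuilds submitted HTML from an allowlist and drops any `href` whose scheme is not permitted. The tag, attribute and scheme allowlists are assumptions chosen for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed policy for this example; adjust to what the application really needs.
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}
SCHEME = re.compile(r"([A-Za-z][A-Za-z0-9+.-]*):")
STRIP_ANYWHERE = {9: None, 10: None, 13: None}   # tab, LF, CR
C0_AND_SPACE = "".join(map(chr, range(0x21)))

def safe_url(value):
    """True for relative URLs and for URLs with an allowlisted scheme."""
    # Browsers remove tab/CR/LF anywhere in a URL and leading control
    # characters and spaces before parsing, so normalise the same way first.
    cleaned = value.translate(STRIP_ANYWHERE).lstrip(C0_AND_SPACE)
    match = SCHEME.match(cleaned)
    return match is None or match.group(1).lower() in ALLOWED_SCHEMES

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # tag is dropped; its text content is still emitted, escaped
        kept = []
        for name, value in attrs:  # the parser has already decoded entities
            if value is None or name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # removes on* handlers, style, and anything unlisted
            if name == "href" and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def sanitize(html_text):
    """Return html_text rebuilt from allowlisted tags, attributes and URLs."""
    parser = Sanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)
```

Run `sanitize()` on the server for every submission before storing or rendering it, regardless of what the editor filtered in the browser.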