We are migrating CKEditor issue tracking to GitHub. Please, use GitHub to report any new issues.
The former tracking system (this website) will still be available in the read-only mode. All issues reported in the past will still be available publicly and can be referenced.
Important: we decided not to transfer all the tickets to GitHub, as many of them are not reproducible anymore or simply no longer requested by the community.
If the issue you are interested in, can be still reproduced in the latest version of CKEditor, feel free to report it again on GitHub.
At the same time please note that issues reported on this website are still taken into consideration when picking up candidates for next milestones.
To report a new issue, go to https://github.com/ckeditor/ckeditor-dev/issues and follow the instructions in the issue template.
| Reported by: | Mohamed A. Baset | Owned by: | |
|---|---|---|---|
| Priority: | Normal | Milestone: | |
| Component: | General | Version: | 4.4.6 |
| Keywords: | Cc: |
<p><a href="javascript:alert(document.domain)">Click here to 50 BTC</a></p>
PoC Video: http://youtu.be/3xxLpYg4j3M
Advanced Content Filter, that is available in CKEditor and that is responsible for removing tags/attributes/styles that are not allowed, is not a security filter.
It is possible to skip any client side validation while entering content for example by:
This is the reason why the data validation has to be done on the server side and why this particular case is invalid.