Opened 4 years ago

Last modified 4 years ago

#14533 confirmed Bug

Selectors passed to CKEDITOR.dom.element.prototype.find are not properly escaped

Reported by: Tomasz Jakut
Owned by:
Priority: Normal
Milestone:
Component: General
Version: 4.5.0
Keywords:
Cc:

Description

Steps to reproduce

  1. Open https://jsfiddle.net/5487w3gc/3/
  2. Click the button located under the editor.

Expected result

The alert with Test is shown.

Actual result

The alert with Error is thrown is shown.

Other details (browser, OS, CKEditor version, installed plugins)

The problem is located inside the getContextualizedSelector function inside the core/dom/element.js file. It escapes only the id of the element. The proposed fix could split the selector on all special chars likely to appear in a CSS selector and escape them separately: https://gist.github.com/Comandeer/de6c832993a8b9c21b01

Blocked on #14451 (as it introduces the CKEDITOR.tools.escapeCss method).
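
The idea of escaping each identifier separately before composing a contextualized selector, as an added example that is not CKEditor's code and not the code from the linked gist. `escapeCssIdent` and `buildScopedSelector` are hypothetical names, the escaping follows the CSSOM `CSS.escape()` rules, and the sample ids are constructed.

```javascript
// Added example: hypothetical helper names, not CKEditor API.

// Serialize a raw string as a CSS identifier (CSSOM CSS.escape() rules).
function escapeCssIdent(value) {
  const s = String(value);
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    const isDigit = c >= 0x30 && c <= 0x39;
    if (c === 0) {
      out += '\uFFFD'; // NUL cannot be represented, use the replacement character
    } else if ((c >= 0x01 && c <= 0x1f) || c === 0x7f ||
               (i === 0 && isDigit) ||
               (i === 1 && isDigit && s.charCodeAt(0) === 0x2d)) {
      out += '\\' + c.toString(16) + ' '; // control char or leading digit: hex escape
    } else if (i === 0 && c === 0x2d && s.length === 1) {
      out += '\\-'; // a lone "-" is not a valid identifier
    } else if (c >= 0x80 || c === 0x2d || c === 0x5f || isDigit ||
               (c >= 0x41 && c <= 0x5a) || (c >= 0x61 && c <= 0x7a)) {
      out += s.charAt(i); // identifier-safe character, keep as is
    } else {
      out += '\\' + s.charAt(i); // any other ASCII character: backslash escape
    }
  }
  return out;
}

// Compose "#<container> <inner>" from raw values. `parts` is a list of
// [prefix, rawIdentifier] pairs, e.g. ['#', 'foo:bar'] or ['.', 'a.b'];
// every identifier is escaped on its own before the pieces are joined.
function buildScopedSelector(containerId, parts) {
  const inner = parts
    .map(([prefix, raw]) => prefix + escapeCssIdent(raw))
    .join('');
  return '#' + escapeCssIdent(containerId) + ' ' + inner;
}

// Constructed sample values.
const naive = '#' + 'cke_1' + ' #' + 'foo:bar'; // ":bar" is read as a pseudo-class
const scoped = buildScopedSelector('cke_1', [['#', 'foo:bar'], ['.', 'a.b']]);

console.log(naive);
console.log(scoped);
console.log(buildScopedSelector('1st', [['.', 'x y']]));
```

Escaping has to happen while the parts are still separate values: once a raw id or class name has been concatenated into a selector string, a `.` or `:` inside it can no longer be told apart from selector syntax.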

Change History (1)

comment:1 Changed 4 years ago by Tomasz Jakut

Status: new → confirmed