Opened 13 years ago

Closed 12 years ago

#1658 closed Bug (invalid)

XSS Injection with img tag

Reported by: fanfarian
Owned by:
Priority: Normal
Milestone:
Component: General
Version: FCKeditor 2.5
Keywords: Pending
Cc:


Hi there,

If you use:

<img src="image.jpg" onload="alert('valid cross-site scripting');" />

there is an XSS Injection possible.
Enter this into the source code of an FCK window, just preview the Site and the JS executes.

Browser: Firefox (latest)
FCKG: Version 2.5 Build 17352
Using FCK with PHP5


Change History (3)

comment:1 Changed 13 years ago by Alfonso Martínez de Lizarrondo

Keywords: Pending added; XSS Injection removed

Yes, FCKeditor doesn't filter any of the HTML or people would complain about that. If you are saving the content sent by any user then you must perform a validation on the server because it would be trivial for an evil user that tries to inject some attack to bypass a simple JavaScript protection.

comment:2 Changed 13 years ago by Alfonso Martínez de Lizarrondo

I forgot: you don't need any image, you can directly use a script:

<script type="text/javascript">
alert("hello world")
</script>

comment:3 Changed 12 years ago by Alfonso Martínez de Lizarrondo

Resolution: invalid
Status: new → closed

