Opened 3 years ago

Closed 2 years ago

Last modified 2 years ago

#16679 closed Bug (invalid)

Form saving problem on SSL

Reported by: bunny.hu Owned by:
Priority: Normal Milestone:
Component: General Version:
Keywords: Cc:

Description

Steps to reproduce

  1. Create several (not only one) CKEditor areas on an https:// website. Insert a photo inside every area. Try to save the form.

Actual result

403 Forbidden - You do not have permission to access this document.

I tried with or without CKEDITOR.basePath and CKEDITOR.config.baseHref, and also with CKEDITOR.config.removePlugins = 'scayt';

When it is working

  1. It worked very well before we changed from http to https. Same code.
  2. If I write only text inside the CKEditor area, it saves well!
  3. If I turn off all CKEditor area bindings except one, and try to save the very same HTML code but from a pure HTML area without the CKEditor overwrite, it saves perfectly.

So I THINK there is some postprocessing inside CKEditor when I push the submit button, and that is not working with https://. Perhaps a hardcoded http or whatever.

Other details (browser, OS, CKEditor version, installed plugins)

Latest Chrome; tested on CKEditor 4.5.3, 4.5.11 and 4.6.

Change History (8)

comment:1 Changed 3 years ago by bunny.hu

There is also a problem with links, both relative and absolute.

comment:2 Changed 3 years ago by bunny.hu

At last I found the source of the problem in the server log:

"Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Potentially Untrusted Web Content Detected"

This one is the problem: http://wiki.atomicorp.com/wiki/index.php/WAF_350147

So, if you have modsecurity enabled on the web server, there is no possibility to use CKEditor with a URI inside the text (link, img etc.)? Any solution, developers?

comment:3 Changed 3 years ago by bunny.hu

Component: General → Core : Output Data
Keywords: modsecurity WAF 350147 added

comment:4 Changed 2 years ago by Jakub Ś

Component: Core : Output Data → General
Keywords: SSL https modsecurity WAF 350147 removed
Resolution: → invalid
Status: new → closed
Version: → 4.6.0

> Any solution, developers?

Us? CKEditor is a JavaScript application and it has nothing to do with saving data. I was going to suggest that you should look for the error on your server side, but it seems you have figured it out.

How is CKEditor to know you have mod security enabled on your server, and what should it do exactly? You could write a simple few lines of code (fired on the getData event) which remove http links. Another solution would be disabling the mod or, if possible, changing its rules a bit.

NOTE: I don't recommend adding s to http because you don't know if a link working under http will also work under https.

comment:5 in reply to:  4 Changed 2 years ago by bunny.hu

Replying to j.swiderski:

>> Any solution, developers?

> Us? CKEditor is a JavaScript application and it has nothing to do with saving data. I was going to suggest that you should look for the error on your server side, but it seems you have figured it out.

Actually I believe CKEditor takes control over the submit before sending it to the server, and that will be the problem. When I turned off CKEditor and sent the very same HTML code to my server, there was NO PROBLEM at all.

Please try it, if you can. In my own situation, I can solve it by asking my server guy to turn off (give an exclude for) the mod.

comment:6 Changed 2 years ago by Jakub Ś

When you press the submit button, CKEditor gets the data with the getData() method (http://docs.ckeditor.com/#!/api/CKEDITOR.editor-method-getData), updates the textarea, and the traditional submit takes it from there.

If I understand correctly, the problem was an HTTP link rejected by the mod expecting HTTPS. CKEditor doesn't do any such conversions - https to http.

comment:7 in reply to:  6 Changed 2 years ago by bunny.hu

Replying to j.swiderski:

> When you press the submit button, CKEditor gets the data with the getData() method (http://docs.ckeditor.com/#!/api/CKEDITOR.editor-method-getData), updates the textarea, and the traditional submit takes it from there.

> If I understand correctly, the problem was an HTTP link rejected by the mod expecting HTTPS. CKEditor doesn't do any such conversions - https to http.

I am not sure what happened, but again, if I turn off CKEditor and use only a pure HTML textarea with the very same HTML content inside (loaded from SQL), I can save it with the HTML submit button on the same link (https of course). When I change nothing except adding CKEditor to the textarea, I cannot save the same content. I do not know why or what the difference is; I just wrote what I see :)

comment:8 Changed 2 years ago by Jakub Ś

> I can save it with the HTML submit button on the same link (https of course).

I'm not sure I understand. You send an https link but the mod complains about http? If that is the case then I would suggest looking for some plugin or custom code which changes https to http. You could first do a simple CKEDITOR.instances.yourEditorName.getData() in the browser console. If the https link is changed to http, you have to look for something in CKEditor; if there is no change, you have to look for something on the server side.
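
The check suggested in comment:8, generalized to compare every href/src value between the stored HTML and the getData() output. This is an added example, not part of the ticket and not CKEditor code; the sample HTML and the `content` element id are assumptions.

```javascript
// Added example, not CKEditor code. Sample HTML below is constructed.

// Collect href/src attribute values in document order. A tolerant regex is
// enough for a diagnostic; this is not an HTML parser or sanitizer.
function extractUrls(html) {
  const re = /\s(href|src)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    found.push({ attr: m[1].toLowerCase(), url: (m[2] ?? m[3] ?? m[4]).trim() });
  }
  return found;
}

// Classify a URL by scheme; scheme-less URLs are relative or protocol-relative.
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (m) return m[1].toLowerCase();
  return url.startsWith('//') ? 'protocol-relative' : 'relative';
}

// Pair URLs by position and report every value that differs between the
// stored HTML and the editor output, flagging scheme changes (https -> http).
function compareUrls(storedHtml, editorHtml) {
  const before = extractUrls(storedHtml);
  const after = extractUrls(editorHtml);
  const changes = [];
  for (let i = 0; i < Math.max(before.length, after.length); i++) {
    const b = before[i] ? before[i].url : null;
    const a = after[i] ? after[i].url : null;
    if (b === a) continue;
    const schemeChanged = b !== null && a !== null && schemeOf(b) !== schemeOf(a);
    changes.push({ index: i, before: b, after: a, schemeChanged });
  }
  return changes;
}

// Constructed samples: HTML as loaded from the database vs. two possible outputs.
const stored = '<p><a href="https://example.com/a">x</a> <img src="/img/p.png" /></p>';
const unchanged = '<p><a href="https://example.com/a">x</a> <img src="/img/p.png" /></p>';
const downgraded = '<p><a href="http://example.com/a">x</a> <img src="/img/p.png" /></p>';

console.log(compareUrls(stored, unchanged));   // no differences
console.log(compareUrls(stored, downgraded));  // one difference, schemeChanged

// In the browser console (element id 'content' is an assumption):
// compareUrls(document.getElementById('content').value,
//             CKEDITOR.instances.yourEditorName.getData());
```

An empty result means the editor left the URLs alone and the difference the WAF reacts to has to be looked for elsewhere in the submitted body or on the server side.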
