We are migrating CKEditor issue tracking to GitHub. Please, use GitHub to report any new issues.

The former tracking system (this website) will still be available in the read-only mode. All issues reported in the past will still be available publicly and can be referenced.

Important: we decided not to transfer all the tickets to GitHub, as many of them are not reproducible anymore or simply no longer requested by the community.
If the issue you are interested in, can be still reproduced in the latest version of CKEditor, feel free to report it again on GitHub.
At the same time please note that issues reported on this website are still taken into consideration when picking up candidates for next milestones.

To report a new issue, go to https://github.com/ckeditor/ckeditor-dev/issues and follow the instructions in the issue template.

Context Navigation

← Previous Ticket
Next Ticket →

Opened 16 years ago

Closed 16 years ago

#4263 closed Bug (wontfix)

XSS Attack

Reported by:	jihua	Owned by:
Priority:	Normal	Milestone:	FCKeditor 2.6.5
Component:	General	Version:
Keywords:		Cc:

Description

Hi guys , Our site is using FCKEditor , there are some risk with the source code, we added some filters in the server site:<(/?)(script|i?frame|html|link|meta|head)([^>]*?)>");(<[>]*)(on[a-zA-Z]+
s*=([^{>]*)|href
s*=([}>]*script:[^{>]*)>)");

but still can't filter all ,such as the embed video , can anyone help me out , just let "Youbtobe" video allowed to pass.}

Change History (1)

comment:1 Changed 16 years ago by Garry Yao

Resolution:	→ wontfix
Status:	new → closed

Sorry but have to say that we don't provide protection to XSS with our editor, since things related to this is always of a lot of choices and decisions, FYI, tools like [htmlpurifier http://htmlpurifier.org/] could be adapted to achieve this.

Note: See TracTickets for help on using tickets.

Download in other formats: