Opened 10 years ago

Closed 10 years ago

#4263 closed Bug (wontfix)

XSS Attack

Reported by: jihua
Owned by:
Priority: Normal
Milestone: FCKeditor 2.6.5
Component: General
Version:
Keywords:
Cc:

Description

Hi guys, our site is using FCKeditor. There are some risks with the source code; we added some filters on the server side:
<(/?)(script|i?frame|html|link|meta|head)([>]*?)>");(<[>]*)(on[a-zA-Z]+
s*=([>]*)|href
s*=([
>]*script:[>]*)>)");
But we still can't filter everything, such as embedded video. Can anyone help me out? Just let "YouTube" video pass.

Change History (1)

comment:1 Changed 10 years ago by Garry Yao

Resolution: wontfix
Status: new → closed

Sorry, but we have to say that we don't provide protection against XSS with our editor, since things related to this always involve a lot of choices and decisions. FYI, tools like htmlpurifier (http://htmlpurifier.org/) could be adapted to achieve this.
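
The comment above points toward an allowlist sanitizer rather than more blocking patterns. As an added illustration (not FCKeditor or HTML Purifier code), this Python example parses the markup, re-emits only allowlisted tags, and keeps an `<iframe>` only when its `src` is an https YouTube embed URL. The tag list, host list and all function names are assumptions made for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Assumed policy, not taken from the ticket: a few formatting tags, plus
# <iframe> only when its src is an https YouTube embed URL.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
DROP_CONTENT = {"script", "style"}  # drop the element and the text inside it
YOUTUBE_HOSTS = {"www.youtube.com", "www.youtube-nocookie.com"}

def url_ok(url, schemes, hosts=None, path_prefix=""):
    # Allow a URL only if scheme, host and path all match the allowlist.
    try:
        parts = urlsplit((url or "").strip())
    except ValueError:  # malformed URL: reject
        return False
    return (parts.scheme in schemes
            and (hosts is None or parts.hostname in hosts)
            and parts.path.startswith(path_prefix))

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # every attribute not re-emitted below is dropped
        if tag in DROP_CONTENT:
            self.skip += 1
        elif self.skip:
            return
        elif tag == "iframe" and url_ok(attrs.get("src"), {"https"}, YOUTUBE_HOSTS, "/embed/"):
            self.out.append('<iframe src="%s"></iframe>' % escape(attrs["src"].strip()))
        elif tag == "a" and url_ok(attrs.get("href"), {"http", "https"}):
            self.out.append('<a href="%s">' % escape(attrs["href"].strip()))
        elif tag in ALLOWED_TAGS:
            self.out.append("<%s>" % tag)
    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append("</%s>" % tag)
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # text is always re-escaped

def sanitize(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

Because the output is rebuilt from parsed tokens, event-handler attributes and unknown tags never reach it, whatever spelling or spacing they arrive with.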
