Opened 7 years ago

Closed 7 years ago

#7285 closed Bug (fixed)

ASP.NET: certain configuration options are not properly escaped

Reported by: Wiktor Walc
Owned by: kaga
Priority: Normal
Milestone:
Component: Server : ASP.Net
Version: 3.5.2
Keywords:
Cc:

Description

  • FontSizeSizes are marked as an object and thus are not surrounded with quotes.
  • StylesSet and ContentsCss may contain a string or an array, so the value must be surrounded with quotes only when "[]" characters are not detected at the beginning and at the end.
  • The Toolbar property must also be prepared for a JavaScript array; if the user enters something like
    [
        [ 'Source', '-', 'Bold', 'Italic' ]
    ]
    
    the ASP.NET control should handle it properly.
  • ProtectedSource must properly handle the situation when the user enters the following:
    /<\?[\s\S]*?\?>/g
    /<%[\s\S]*?%>/g
    /(<asp:[^\>]+>[\s|\S]*?<\/asp:[^\>]+>)|(<asp:[^\>]+\/>)/gi
    

Attachments (4)

7285.patch (17.4 KB) - added by kaga 7 years ago.
7285_2.patch (18.8 KB) - added by Wiktor Walc 7 years ago.
7285_3.patch (19.1 KB) - added by kaga 7 years ago.
7285_4.patch (19.0 KB) - added by kaga 7 years ago.


Change History (16)

comment:1 Changed 7 years ago by Wiktor Walc

Status: new → confirmed

Changed 7 years ago by kaga

Attachment: 7285.patch added

comment:2 Changed 7 years ago by kaga

Owner: set to kaga
Status: confirmed → review

comment:3 Changed 7 years ago by Wiktor Walc

Status: review → review_failed

It looks like values with square brackets (JavaScript arrays) are now working properly. There are still some other issues though.

I am still unable to set StylesSet to a string, e.g. mystyles or mystyles:/editorstyles/styles.js as explained in the documentation.

Both values are displayed in square brackets when viewing the source code of the page, which is not correct:

"stylesSet" : ['mystyles:/editorstyles/styles.js']

Another thing that is not working right now but perhaps could be fixed is the TemplatesFiles option. It is possible to specify more than one file. However I do not see the possibility to do this in the "Properties" window. I have specified two files by simply entering:

/file1.js
/file2.js

Unfortunately, it is transformed into:

['/file1.js/file2.js']

Is it possible to output the following:

['/file1.js', '/file2.js']

?

comment:4 Changed 7 years ago by kaga

Status: review_failed → review

Updated patch with ticket #7283

comment:5 Changed 7 years ago by Wiktor Walc

Another thing to check while reviewing: http://cksource.com/forums/viewtopic.php?f=6&t=21816

CKEditor1.ContentsCss = "style.css"; <---- doesn't work..

comment:6 Changed 7 years ago by Wiktor Walc

Probably related: #7558

Changed 7 years ago by Wiktor Walc

Attachment: 7285_2.patch added

comment:7 Changed 7 years ago by Wiktor Walc

Status: review → review_failed

The 7285_2.patch contains changes that kaga added to the patch in ticket #7283.

7285_2.patch still needs work, the following problems should be solved:

  1. It should be possible to assign a string to the Toolbar property. A single word (that does not contain characters like '|' or '[]') should be recognized as a name of the toolbar and should not be converted into an array (see #7558). Currently the only possible string values are "Basic" and "Full" - it is wrong.
  2. It is impossible to pass a JavaScript array in the stylesSet configuration option.
    protected void Page_Load(object sender, EventArgs e)
    {
        CKEditor1.StylesSet = "[{ name : 'Strong Emphasis', element : 'strong' },{ name : 'Emphasis', element : 'em' } ]";
    }
    
    results in:
    "stylesSet" : "[{ name : 'Strong Emphasis', element : 'strong' },{ name : 'Emphasis', element : 'em' } ]", 
    

Changed 7 years ago by kaga

Attachment: 7285_3.patch added

comment:8 Changed 7 years ago by kaga

Status: review_failed → review

comment:9 Changed 7 years ago by Wiktor Walc

Status: review → review_failed

It is now impossible to set the toolbar to Bold|Italic ("toolbar" : "Bold|Italic" is returned). Note that a single word without "|" should be treated like the name of the toolbar, but a word with "|" should still be treated like before to allow toolbar definitions like:

Bold|Italic|-|NumberedList|BulletedList|-|Link|Unlink|-|About

The rest looks good.

Changed 7 years ago by kaga

Attachment: 7285_4.patch added

comment:10 Changed 7 years ago by kaga

Status: review_failed → review

comment:11 Changed 7 years ago by Wiktor Walc

Status: review → review_passed

comment:12 Changed 7 years ago by Wiktor Walc

Resolution: fixed
Status: review_passed → closed

Fixed with [6709].
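
The serialization rules the reviewers converge on in this ticket (string versus array for StylesSet and ContentsCss, one entry per line for TemplatesFiles, toolbar name versus "|"-separated items, regex literals for ProtectedSource), as an added C# example that is not the code from 7285_4.patch or [6709]. The class and method names are hypothetical, the `[[ ... ]]` shape emitted for a "|"-separated toolbar is an assumption, and strings are escaped with `HttpUtility.JavaScriptStringEncode`, so they come out double-quoted.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;
using System.Web; // HttpUtility.JavaScriptStringEncode, .NET Framework 4.0+

// Hypothetical helper (added example, not the patch attached to this ticket).
// Array and regex literals are emitted raw, which is only acceptable for values the
// page developer sets in markup or code-behind, never for request-derived data.
public static class ConfigLiteral
{
    // /body/flags where every "/" and "\" in the body is part of a backslash escape.
    static readonly Regex RegexLiteral = new Regex(@"^/(?:\\.|[^/\\\r\n])+/[gim]*$");

    static string Quote(string s) => HttpUtility.JavaScriptStringEncode(s, true);

    static bool IsArray(string s) => s.Length >= 2 && s[0] == '[' && s[s.Length - 1] == ']';

    static string[] Lines(string s) =>
        s.Split(new[] { '\r', '\n' }, StringSplitOptions.RemoveEmptyEntries)
         .Select(l => l.Trim()).Where(l => l.Length > 0).ToArray();

    // StylesSet, ContentsCss: an array literal is emitted as is, anything else as one string.
    public static string StringOrArray(string value) =>
        IsArray(value.Trim()) ? value.Trim() : Quote(value.Trim());

    // TemplatesFiles: one path per line becomes an array of escaped strings.
    public static string StringList(string value)
    {
        string v = value.Trim();
        return IsArray(v) ? v : "[" + string.Join(", ", Lines(v).Select(l => Quote(l)).ToArray()) + "]";
    }

    // Toolbar: array literal, or "A|B|-|C" item list, or a single word naming a toolbar.
    public static string Toolbar(string value)
    {
        string v = value.Trim();
        if (IsArray(v)) return v;
        if (v.IndexOf('|') < 0) return Quote(v);
        return "[[" + string.Join(", ", v.Split('|').Select(i => Quote(i.Trim())).ToArray()) + "]]";
    }

    // ProtectedSource: one /pattern/flags literal per line; anything else is rejected.
    public static string RegexList(string value)
    {
        string[] items = Lines(value);
        string bad = items.FirstOrDefault(i => !RegexLiteral.IsMatch(i));
        if (bad != null) throw new FormatException("Not a /pattern/flags literal: " + bad);
        return "[" + string.Join(", ", items) + "]";
    }
}
```

The regex check is deliberately stricter than JavaScript: it rejects an unescaped "/" inside a character class, so a raw "</" sequence cannot reach the page through ProtectedSource.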
