Opened 14 years ago
Closed 13 years ago
#7366 closed Bug (fixed)
Pasting from browser toolbar menu bypasses paste filters
| Reported by: | Arne | Owned by: | Garry Yao |
|---|---|---|---|
| Priority: | Normal | Milestone: | CKEditor 3.6.3 |
| Component: | Core : Pasting | Version: | 3.0 |
| Keywords: | Cc: | satya_minnekanti@… |
Description (last modified by )
- Go to demo page
- Paste some content (i.e. from MS Word) by choosing 'Edit' -> 'Paste' from the browser toolbar.
- Switch to source mode and observe the garbage HTML.
Tested in WinXP (FF 3.6.15, IE8)
Seems nothing is listening to the document paste event.
Attachments (6)
Change History (34)
comment:1 Changed 14 years ago by
| Component: | General → Core : Pasting |
|---|---|
| Description: | modified (diff) |
| Status: | new → confirmed |
comment:2 Changed 14 years ago by
| Cc: | satya_minnekanti@… added |
|---|
comment:3 Changed 14 years ago by
comment:4 Changed 14 years ago by
| Status: | confirmed → pending |
|---|
Can you verify the bug is fixed on trunk?
comment:5 Changed 14 years ago by
Just pointing out that this relates to using the browser toolbar, not the editor toolbar, so in that it differs from #7304 it seems.
comment:6 Changed 14 years ago by
| Status: | pending → confirmed |
|---|---|
| Version: | → 3.0 |
Indeed, using "Edit -> Paste" from the browser toolbar makes the difference here. Confirmed in IE8 / Win 7.
comment:8 Changed 13 years ago by
Looks to me like quite a critical issue.
There are 3 ways to bypass filters.
- Using "Edit -> Paste"
- Using Native browser Menu - just use CRTL + Right-click.
- Using Drag and Drop from word directly to CKEditor.
All of those cases produce garbage HTML.
Issue has been reproducible in all browsers from CKEditor 3.0.
comment:9 Changed 13 years ago by
| Owner: | set to Piotrek Koszuliński |
|---|---|
| Status: | confirmed → review |
Changed 13 years ago by
| Attachment: | 7366_2.patch added |
|---|
comment:10 Changed 13 years ago by
| Owner: | changed from Piotrek Koszuliński to Garry Yao |
|---|
7366.patch fails the following case:
- Click "Paste" from browser toolbar menu;
- On clipboard security popup choose "Allow";
- Actual: Paste dialog opened;
- Expected: Pasted succeed without dialog;
Besides, the patch is over-complicated, considering all we need is to invoke the editor paste command, providing a simplified one.
comment:11 Changed 13 years ago by
Patch 7366_2.patch doesn't work for me (tested on IE8 & Fx):
- For quickly repeated ctrl+v IE throws security alert.
- For native context menu and native menu bar it doesn't filter MSWord stuff.
- Additionally - line endings differ from these in original plugin.js, so I had a problem with applying patch on Linux.
The way I'm testing (for v4 we've got playground and there it's easily visible if pasted content was handled by us, but for v3 we don't have it):
- Set editor data to: <p>This is more <strong class="MsoNormal">sample text</strong>.</p>
- Copy this in wysiwyg mode.
- Paste into the editor.
- Check in source mode if MsoNormal class was removed by filter.
Changed 13 years ago by
| Attachment: | 7366_3.patch added |
|---|
comment:12 Changed 13 years ago by
7366.patch works for me, but it was missing one thing. For declined security alert opened by pasting from native context menu or menu bar it wasn't opening paste dialog. This is fixed by 7366_3.patch.
However I've checked now that this patch doesn't work with latest trunk version for pasting from menu bar. It throws some error related probably to dialog.
But with revision 7364 it works perfectly fine - all features are ok.
comment:13 Changed 13 years ago by
| Status: | review → assigned |
|---|
comment:14 Changed 13 years ago by
But anyway 7366_3 is still too drastic a change for v3, since it changes the paste event used for other browsers as well, my intention is to provide a dedicated patch only for the toolbar menu paste issue, so a simplified patch must be considered.
comment:15 Changed 13 years ago by
I believe there's another solution for all clipboard's problem. But I'm not sure it will be any simpler. The problem is caused by the fact that all browsers behave differently when they fire (before)paste events.
Anyway, I'm keeping finger crossed for you :)
comment:16 Changed 13 years ago by
| Status: | assigned → review |
|---|
Changed 13 years ago by
| Attachment: | 7366_4.patch added |
|---|
comment:17 Changed 13 years ago by
comment:18 Changed 13 years ago by
| Milestone: | → CKEditor 3.6.3 |
|---|
Since it's almost reviewed, let's consider it for the release.
comment:19 Changed 13 years ago by
7366_4 is working like a charm (ubuntu ff11, winxp ff11, winxp ie8, win7 ie9, win7 ff10)
comment:20 Changed 13 years ago by
| Status: | review → review_failed |
|---|
The patch forces the paste dialog on Fx and Webkit which can be avoided.
Changed 13 years ago by
| Attachment: | 7366_5.patch added |
|---|
comment:21 Changed 13 years ago by
| Status: | review_failed → review |
|---|
New patch should have exactly the same code path for IE (so it doesn't have to be retested on IE ) while fix the above mentioned issue.
comment:22 Changed 13 years ago by
I've found an issue on IE8.
- click edit->paste (in native menu bar)
- IE throws security alert
- accept it
- paste dialog will open
- click edit->paste again
- content will be pasted correctly
The same happens for ckeditor's context menu.
Maybe this is caused by ckeditor's commands which still fires the same native events than before, when now IE listens for different one. Note that in my patch I moved event name to the mainPasteEvent variable.
comment:24 Changed 13 years ago by
Other than the above, I've noticed that CTRL+RIGHT-CLICK is not opening the security alert on IE9, which seems to be wrong (considering that we're not able to grab the "paste" event in time with IE).
comment:26 Changed 13 years ago by
| Status: | review → review_failed |
|---|
Changed 13 years ago by
| Attachment: | 7366_6.patch added |
|---|
comment:27 Changed 13 years ago by
| Status: | review_failed → review |
|---|
I'm unable to reproduce the tc in comment 22 with a default IE security configuration.
comment:28 Changed 13 years ago by
| Status: | review → review_passed |
|---|
comment:29 Changed 13 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | review_passed → closed |
Fixed with [7453].
Looks similar to #7304