Opened 7 years ago

Closed 7 years ago

#8806 closed Bug (invalid)

Image url not being escaped

Reported by: Jeff Owned by:
Priority: Normal Milestone:
Component: General Version:
Keywords: Cc:

Description

Version 3.6.1

Open image dialog -> add sample url -> click ok

example URLs:

http://dl.dropbox.com/u/2444329/test-images/{logo}.jpg
http://dl.dropbox.com/u/2444329/test-images/logo image.jpg
http://dl.dropbox.com/u/2444329/test-images/"logo".jpg
http://dl.dropbox.com/u/2444329/test-images/'logo'.jpg

Change History (2)

comment:1 Changed 7 years ago by Matti Järvinen

If you copy URL from browser it is already escaped:

http://dl.dropbox.com/u/2444329/test-images/%7Blogo%7D.jpg
http://dl.dropbox.com/u/2444329/test-images/logo%20image.jpg
http://dl.dropbox.com/u/2444329/test-images/%22logo%22.jpg
http://dl.dropbox.com/u/2444329/test-images/%27logo%27.jpg

which are valid URL:s...

When replacing / escaping should end?

/ = %2F 
: = %3A
# = %23
% = %25
? = %3F

http://www.w3schools.com/tags/ref_urlencode.asp

If the dialog would replace { -> with %7B should it replace %7B with %257B? Okay this can be fixed with unescape on dialog open and escape in dialog close but what about # %23 (anchor on page), / %2F (directory) and ? %3F (query string) which have specific meaning while not escaped and can exist in their escaped form in the URL.

For example basic redirection link used by many

http://www.example.com/login.php?success=http%3A%2F%2Fwww.example.com%2Fmembersonly

would become when unescaped for the dialog

http://www.example.com/login.php?success=http://www.example.com/membersonly

and if you want to escape it back things are not so simple anymore since ? could be a result of unescaping too.

comment:2 Changed 7 years ago by Jakub Ś

Resolution: invalid
Status: newclosed

This is something that server-side script should handle and not CKEditor.

One of and probably the main reason is that CKEditor could start working incorrectly (Also mentioned in http://dev.ckeditor.com/ticket/5527#comment:4) E.g. CKEditor would not know if #comment:4 anchor or encoded URL.

@matti thanks for additional comment.

Note: See TracTickets for help on using tickets.
© 2003 – 2019 CKSource – Frederico Knabben. All rights reserved. | Terms of use | Privacy policy