Opened 12 years ago

Closed 11 years ago

Last modified 11 years ago

#9289 closed Bug (fixed)

JS can be entered using the protocl type 'Other' in links plugin and executed via Preview plugin

Reported by: Rajasimhan Owned by: Frederico Caldeira Knabben
Priority: Normal Milestone: CKEditor 3.6.5
Component: General Version: 3.0
Keywords: Oracle Cc: senthil.kumaran@…


Links plugin has a protocol type called 'other' using which one can enter javascript. When the user previews the content the javascript gets executed. This capability allows malicious JS to be executed from the peoplesoft product that houses the ckeditor. Links pluign must somehow filter the javascript entered via the url.

Replication steps.

  1. Enter some text, select it and click the links plugin.
  2. Select protocol type 'Other' and provide the following value in the url field 'javascript:alert(1)'. Click ok.
  3. Click the preview plguin. JS will be executed

Attachments (1)

9289.patch (1.1 KB) - added by Frederico Caldeira Knabben 12 years ago.

Download all attachments as: .zip

Change History (8)

comment:1 Changed 12 years ago by Frederico Caldeira Knabben

We'll introduce a check to avoid accepting javascript: links in the dialog.

comment:2 Changed 12 years ago by Jakub Ś

Status: newconfirmed

We'll introduce a check to avoid accepting JavaScript: links in the dialog.

Perhaps this should be made optional with usage of some configuration option? Just in case if there are users that insert such links (users with good intentions :))

Oracle is probably using CKE 3.6.3 so they want this fix to be compatible with this version.

comment:3 Changed 12 years ago by Rajasimhan

Hi, We are currently on ckeditor 3.6.2 and not on 3.6.3. Please provide a fix in 3.6.2. We would also have to backport the fix to 3.5.3 and 3.3.0. Can we apply the same/similar code change to 3.5.3 and 3.3.0 also?

If the fix for 3.5.3 and 3.3.0 is provided by ckeditor then it would be very much appreciated. Otherwise we will have to manually apply the change into the older versions.

Thanks Raj

Changed 12 years ago by Frederico Caldeira Knabben

Attachment: 9289.patch added

comment:4 Changed 12 years ago by Frederico Caldeira Knabben

Milestone: CKEditor 3.6.5
Owner: set to Frederico Caldeira Knabben
Status: confirmedreview

comment:5 Changed 12 years ago by Garry Yao

Status: reviewreview_passed

comment:6 Changed 11 years ago by Frederico Caldeira Knabben

Resolution: fixed
Status: review_passedclosed

Fixed with [7603].

comment:7 Changed 11 years ago by TomNM

First, I don't understand how this is a general problem. I disagree with removing the ability to add javascript: links. If the preview merely displayed the link with the correctly href value, why would it fire automatically? Why wouldn't someone just enter their javascript in source mode to fire their malicious script.

Why can't there simply be a protocol option called "javascript"?

Note: See TracTickets for help on using tickets.
© 2003 – 2022, CKSource sp. z o.o. sp.k. All rights reserved. | Terms of use | Privacy policy