JS can be entered using the protocl type 'Other' in links plugin and executed via Preview plugin

[Rajasimhan]

Links plugin has a protocol type called 'other' using which one can enter javascript. When the user previews the content the javascript gets executed. This capability allows malicious JS to be executed from the peoplesoft product that houses the ckeditor. Links pluign must somehow filter the javascript entered via the url.

Replication steps.

1. Enter some text, select it and click the links plugin.
2. Select protocol type 'Other' and provide the following value in the url field 'javascript:alert(1)'. Click ok.
3. Click the preview plguin. JS will be executed

[Frederico Caldeira Knabben]

We'll introduce a check to avoid accepting javascript: links in the dialog.

[Jakub Ś]

We'll introduce a check to avoid accepting JavaScript: links in the dialog.

Perhaps this should be made optional with usage of some configuration option? Just in case if there are users that insert such links (users with good intentions :))

Oracle is probably using CKE 3.6.3 so they want this fix to be compatible with this version.

[Rajasimhan]

Hi, We are currently on ckeditor 3.6.2 and not on 3.6.3. Please provide a fix in 3.6.2. We would also have to backport the fix to 3.5.3 and 3.3.0. Can we apply the same/similar code change to 3.5.3 and 3.3.0 also?

If the fix for 3.5.3 and 3.3.0 is provided by ckeditor then it would be very much appreciated. Otherwise we will have to manually apply the change into the older versions.

Thanks Raj

[Frederico Caldeira Knabben]

Fixed with [7603].

[TomNM]

First, I don't understand how this is a general problem. I disagree with removing the ability to add javascript: links. If the preview merely displayed the link with the correctly href value, why would it fire automatically? Why wouldn't someone just enter their javascript in source mode to fire their malicious script.

Why can't there simply be a protocol option called "javascript"?