Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#9289 closed Bug (fixed)

JS can be entered using the protocl type 'Other' in links plugin and executed via Preview plugin

Reported by: Rajasimhan Owned by: Frederico Caldeira Knabben
Priority: Normal Milestone: CKEditor 3.6.5
Component: General Version: 3.0
Keywords: Oracle Cc: senthil.kumaran@…

Description

Links plugin has a protocol type called 'other' using which one can enter javascript. When the user previews the content the javascript gets executed. This capability allows malicious JS to be executed from the peoplesoft product that houses the ckeditor. Links pluign must somehow filter the javascript entered via the url.

Replication steps.

  1. Enter some text, select it and click the links plugin.
  2. Select protocol type 'Other' and provide the following value in the url field 'javascript:alert(1)'. Click ok.
  3. Click the preview plguin. JS will be executed

Attachments (1)

9289.patch (1.1 KB) - added by Frederico Caldeira Knabben 5 years ago.

Download all attachments as: .zip

Change History (8)

comment:1 Changed 5 years ago by Frederico Caldeira Knabben

We'll introduce a check to avoid accepting javascript: links in the dialog.

comment:2 Changed 5 years ago by Jakub Ś

Status: newconfirmed
Version: 3.6.33.0

We'll introduce a check to avoid accepting JavaScript: links in the dialog.

Perhaps this should be made optional with usage of some configuration option? Just in case if there are users that insert such links (users with good intentions :))

Oracle is probably using CKE 3.6.3 so they want this fix to be compatible with this version.

comment:3 Changed 5 years ago by Rajasimhan

Hi, We are currently on ckeditor 3.6.2 and not on 3.6.3. Please provide a fix in 3.6.2. We would also have to backport the fix to 3.5.3 and 3.3.0. Can we apply the same/similar code change to 3.5.3 and 3.3.0 also?

If the fix for 3.5.3 and 3.3.0 is provided by ckeditor then it would be very much appreciated. Otherwise we will have to manually apply the change into the older versions.

Thanks Raj

Changed 5 years ago by Frederico Caldeira Knabben

Attachment: 9289.patch added

comment:4 Changed 5 years ago by Frederico Caldeira Knabben

Milestone: CKEditor 3.6.5
Owner: set to Frederico Caldeira Knabben
Status: confirmedreview

comment:5 Changed 5 years ago by Garry Yao

Status: reviewreview_passed

comment:6 Changed 5 years ago by Frederico Caldeira Knabben

Resolution: fixed
Status: review_passedclosed

Fixed with [7603].

comment:7 Changed 5 years ago by TomNM

First, I don't understand how this is a general problem. I disagree with removing the ability to add javascript: links. If the preview merely displayed the link with the correctly href value, why would it fire automatically? Why wouldn't someone just enter their javascript in source mode to fire their malicious script.

Why can't there simply be a protocol option called "javascript"?

Note: See TracTickets for help on using tickets.
© 2003 – 2017 CKSource – Frederico Knabben. All rights reserved. | Terms of use | Privacy policy