﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc
9289	JS can be entered using the protocol type 'Other' in links plugin and executed via Preview plugin	Rajasimhan	Frederico Caldeira Knabben	"Links plugin has a protocol type called 'other' using which one can enter JavaScript. When the user previews the content the JavaScript gets executed. This capability allows malicious JS to be executed from the PeopleSoft product that houses the CKEditor. Links plugin must somehow filter the JavaScript entered via the URL.


Replication steps.

1. Enter some text, select it and click the links plugin.
2. Select protocol type 'Other' and provide the following value in 
   the url field 'javascript:alert(1)'. Click ok.
3. Click the preview plugin. JS will be executed"	Bug	closed	Normal	CKEditor 3.6.5	General	3.0	fixed	Oracle	senthil.kumaran@…
