id: 9637
summary: Scripts can be executed from CKEditor using the preview plugin
reporter: Rajasimhan
type: Bug
status: confirmed
priority: Normal
component: General
version: 3.6.2
keywords: Oracle
cc: senthil.kumaran@…, pramod.agrawal@…

description:

Copy-pasting an HTML snippet containing scripts from a browser window opens a channel for executing the script from CKEditor using the preview plugin.

Replication steps:

1. Create a test HTML page with the following content: test
2. Save the HTML and open it in a browser.
3. Copy the content of the rendered HTML (i.e. the hyperlinked word "test") and paste it into the RTE.
4. Click the preview plugin in the RTE.
5. In the preview window that opens, if the hyperlink "test" is clicked, it will execute the script.

This poses a security threat, as it opens a channel through which malicious scripts can be executed from CKEditor. Writing server code to filter the scripts will not help, as it might corrupt the data. Another problem is that server code will trigger only when data is posted, but in this case scripts can be executed using the preview plugin even before the data is posted.
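The ticket's point is that filtering on the server is too late: the preview window renders whatever is in the editor, so a pasted link whose href is a javascript: URL (or a tag carrying an on* handler) runs the moment it is previewed. The guard therefore has to sit on the client, between the paste and the preview. The following is an added example and is not CKEditor code, nor code from the ticket; the function names (isSafeUrl, sanitizePastedHtml, SAFE_SCHEMES), the allow list of schemes, and the pasted sample markup are this example's own assumptions. It decodes HTML entities and strips the control characters browsers ignore before it looks at the scheme, so the obfuscations a browser would still accept are rejected as well, and it drops script blocks, on* handlers and unsafe URL attributes from the pasted fragment.

```javascript
'use strict';
// Added example (not CKEditor's own code): reject script-carrying URLs and
// event handlers in pasted HTML before the fragment can reach a preview window.
// All names below are this example's own; the allow list is an assumption.

const SAFE_SCHEMES = new Set(['http', 'https', 'mailto', 'ftp']);

// Decode the entity forms a browser resolves before it parses a URL, so that
// "&#106;avascript:" or "java&#x09;script:" are seen the way the preview
// window would see them.  Out-of-range code points are dropped.
function decodeEntities(s) {
  const fromCp = (cp) => (cp <= 0x10ffff ? String.fromCodePoint(cp) : '');
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCp(parseInt(d, 10)))
    .replace(/&(amp|lt|gt|quot|apos);/gi, (_, n) => named[n.toLowerCase()]);
}

// A URL is allowed only if it is relative (no scheme) or its scheme is on the
// allow list.  Browsers strip ASCII control characters and whitespace while
// parsing a URL, so "  java\nscript:" still means "javascript:" to them; the
// same characters are stripped here before the scheme is examined.
function isSafeUrl(rawUrl) {
  const cleaned = decodeEntities(rawUrl).replace(/[\u0000-\u0020\u007f]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!m) return true; // relative URL, nothing to execute
  return SAFE_SCHEMES.has(m[1].toLowerCase());
}

// One attribute: optional leading whitespace, name, optional quoted/unquoted value.
const ATTR_RE = /\s+([a-z_:][-a-z0-9_:.]*)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/gi;
const URL_ATTRS = new Set(['href', 'src', 'action', 'formaction']);

// Rebuild one tag, dropping on* handlers and URL attributes that fail isSafeUrl.
function sanitizeTag(tag) {
  const m = /^<(\/?)([a-z][a-z0-9]*)([\s\S]*?)(\/?)>$/i.exec(tag);
  if (!m) return tag;
  const [, closing, name, attrs, selfClosing] = m;
  if (closing) return `</${name}>`;
  let kept = '';
  attrs.replace(ATTR_RE, (whole, attrName, value) => {
    const n = attrName.toLowerCase();
    if (n.startsWith('on')) return ''; // onclick, onerror, ...
    if (URL_ATTRS.has(n) && value !== undefined) {
      const unquoted = value.replace(/^["']|["']$/g, '');
      if (!isSafeUrl(unquoted)) return ''; // javascript:, data:, vbscript:, ...
    }
    kept += whole;
    return '';
  });
  return `<${name}${kept}${selfClosing ? ' /' : ''}>`;
}

// Remove script blocks and other active content, then filter every remaining tag.
// Regex-based tag scanning is deliberate here so the example runs without a DOM;
// in a browser the same checks can be applied while walking a parsed fragment.
function sanitizePastedHtml(html) {
  return html
    .replace(/<script\b[\s\S]*?<\/script\s*>/gi, '')
    .replace(/<\/?\s*(script|iframe|object|embed)\b[^>]*>/gi, '')
    .replace(/<\/?[a-z][^>]*>/gi, sanitizeTag);
}

// Constructed sample of what a paste from a rendered page might carry: the
// ticket's "test" link with a javascript: href, plus a few neighbours.
const PASTED = '<p>Hello <a href="javascript:alert(document.cookie)">test</a> ' +
  '<a href="https://example.com" onclick="alert(1)">ok</a></p>' +
  '<script>alert(2)</script><img src="x" onerror="alert(3)">';

function demo() {
  return sanitizePastedHtml(PASTED);
}

module.exports = { isSafeUrl, sanitizePastedHtml, decodeEntities, PASTED, demo };
```

Run the sanitizer on the editor's HTML in the paste handler and again immediately before the preview window is opened; the second pass matters because content can also reach the editor through source mode or an earlier save. The scheme allow list is intentionally short: anything not on it, including data: and vbscript:, is dropped rather than pattern-matched, which is what keeps the obfuscated variants out.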