id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc
9637	Scripts can be executed from ckeditor using preview plugin	Rajasimhan		"Copy-pasting an HTML snippet from a browser window containing scripts opens a channel for the execution of the script from ckeditor using the preview plugin.

Replication steps:
1. Create a test html page with the following content:
    <html>
    <head></head>
    <body>
        <a href=""javascript:alert('Executing Javascript:alert()')"">test</a>
        <script>alert('Script Tag')</script>
    </body>
    </html>
2. Save the html and open it using a browser.
3. Copy the content of the rendered html (i.e. the hyperlinked word “test”) and paste it in RTE.
4. Click the preview plugin in RTE. 
5. In the preview window that opens, if the hyperlink ‘test’ is clicked it will execute the script.


This poses a security threat as it opens a channel through which malicious script can be executed from ckeditor. Writing server code to filter the scripts will not help as it might corrupt the data. Another problem is that server code will trigger only when data is posted, but in this case scripts can be executed using the preview plugin even before posting data."	Bug	confirmed	Normal		General	3.6.2		Oracle	senthil.kumaran@… pramod.agrawal@…
