Opened 6 years ago

Last modified 5 years ago

#9810 confirmed Bug

Links pasted into CKEditor become active in read-only mode

Reported by: Johannes Fischer
Owned by:
Priority: Normal
Milestone:
Component: Core : Read-only
Version: 3.6
Keywords:
Cc:

Description

If a link contains more markup within the <a> tag, the click event will succeed in opening the page behind the link in the editor's window while the editor is in read-only mode.

This can currently be reproduced using the online example of CKEditor 4 (http://nightly.ckeditor.com/latest/ckeditor/samples/readonly.html).

The following steps describe my test scenario:

  1. Open the read-only sample page
  2. Click on the 'CKEditor' link of the sample text within the editor. Nothing happens, as expected.
  3. Click the 'Make it read-only' button and click once again on the 'CKEditor' link mentioned above. Nothing happens, as expected.
  4. Click the 'Make it editable again' button below the editor to leave the read-only mode.
  5. Replace the content of the editor window with the HTML provided in the attached text file (may have to use source mode in order to do that)
  6. Click on 'world junior hopefuls' link while in editable mode. Nothing happens, as expected.
  7. Switch to read-only mode and click on 'world junior hopefuls' link again. Now, the news article behind this link will open inside CKEditor's window.

It seems that the <font> tag inside the anchor prevents the click protection from functioning while the editor is in read-only mode.

I am not sure if the nightly samples are off the master branch, but I could reproduce it in my environment using the master, so I chose to select it here. Please correct if necessary.

Please let me know if you need more information.

Thanks, Johannes

Attachments (1)

sample_markup.txt (634 bytes) - added by Johannes Fischer 6 years ago.
Sample markup that will allow the click on the link to go through when in read-only mode


Change History (7)

Changed 6 years ago by Johannes Fischer

Attachment: sample_markup.txt added

Sample markup that will allow the click on the link to go through when in read-only mode

comment:1 Changed 6 years ago by Johannes Fischer

Downloaded the 4.0 release and tested the issue there with the same result.

comment:2 Changed 6 years ago by Jakub Ś

Status: new → confirmed
Version: 4.0.1 → 3.6

This problem can be reproduced from CKEditor 3.6 (when read-only was introduced) in every browser.

It seems when there is something in a tag like span or font, links will work in read-only mode.

comment:3 Changed 6 years ago by Carlos Escribano

Any news regarding the resolution of the issue?

If I go to the demo page (http://ckeditor.com/demo#read-only) and input the following code...

<p><a href="http://ckeditor.com"><img src="http://a.cksource.com/e/1/img/logo-ckeditor-h100.png" /></a></p>

...in read-only mode I'm able to click over the image and access the ckeditor site inside the editor!

comment:4 Changed 6 years ago by Johannes Fischer

This is the workaround support proposed to us:

var editor = CKEDITOR.replace( 'editor1' );

// Works on initial content and when switching from source to WYSIWYG.
editor.on( 'pluginsLoaded', function( evt ) {
    evt.editor.dataProcessor.dataFilter.addRules( {
        elements: {
            span: function( element ) {
                // Only touch spans nested directly inside a link.
                if ( element.parent.name === 'a' ) {
                    // Removing the name drops the element while keeping its children.
                    delete element.name;
                }
            }
        }
    } );
} );

We were able to successfully use this approach in our environment. Hope that helps.

Thanks, Johannes


comment:5 Changed 6 years ago by Jakub Ś

@jfischer, please note that this workaround removes the "a" tag and leaves its contents (if I remember correctly, you wanted to minimize security threats, so I came up with something like this). If anyone wants their "a" tag left untouched, they should not use this.


For those who want to preserve "a" tag the simplest solution would be inserting onclick="return false;":

<p><a href="http://ckeditor.com" onclick="return false;"><img src="http://a.cksource.com/e/1/img/logo-ckeditor-h100.png" /></a></p> 

but the editor protects against inline event handlers and changes them in WYSIWYG into e.g. data-cke-pa-onclick="return false;". Of course, clicking a link with such an attribute will not prevent it from working.

Perhaps the editor could change inline event handlers like data-cke-pa-onclick="return false;" into onclick="return false;" when in read-only mode?
There is another security issue to consider if this gets implemented: what if someone makes the editor read-only and then submits the form? Well... the server-side application should use filters to check such inline event handlers (e.g. remove all of them, or leave only those whose value is just "return false"); an additional option for devs (yes, filters should still be used) would be hiding the save buttons when the editor is read-only.

comment:6 Changed 5 years ago by Jakub Ś

#7145 looks related to this one.
