Opened 11 years ago

Last modified 10 years ago

#9810 confirmed Bug

Links pasted into CKEditor become active in read-only mode

Reported by: Johannes Fischer Owned by:
Priority: Normal Milestone:
Component: Core : Read-only Version: 3.6
Keywords: Cc:

Description

If a link contains more markup within the <a> tag, the click event will succeed to open the page behind the link in editor's window while the editor is in read-only mode.

This can currently be reproduced using the online example of CKEditor 4 (http://nightly.ckeditor.com/latest/ckeditor/samples/readonly.html).

The following steps describe my test scenario:

  1. Open the read-only sample page
  2. Click on the 'CKEditor' link of the sample text within the editor. Nothing happens, as expected.
  3. Click the 'Make it read-only' button and click once again on the 'CKEditor' link mentioned above. Nothing happens, as expected.
  4. Click the 'Make it editable again' button below the editor to leave the read-only mode.
  5. Replace the content of the editor window with the HTML provided in the attached text file (may have to use source mode in order to do that)
  6. Click on 'world junior hopefuls' link while in editable mode. Nothing happens, as expected.
  7. Switch to read-only mode and click on 'world junior hopefuls' link again. Now, the news article behind this link will open inside CKEditor's window.

It seems that the <font> tag inside the anchor prevents the click protection from functioning while the editor is in read-only mode.

I am not sure if the nightly samples are off the master branch, but I could reproduce it in my environment using the master, so I chose to select it here. Please correct if necessary.

Please let me know if you need more information.

Thanks, Johannes

Attachments (1)

sample_markup.txt (634 bytes) - added by Johannes Fischer 11 years ago.
Sample markup that will allow the click on the link to go through when in read-only mode

Download all attachments as: .zip

Change History (7)

Changed 11 years ago by Johannes Fischer

Attachment: sample_markup.txt added

Sample markup that will allow the click on the link to go through when in read-only mode

comment:1 Changed 11 years ago by Johannes Fischer

Downloaded 4.0 release a tested the issue in there with the same result.

comment:2 Changed 11 years ago by Jakub Ś

Status: newconfirmed
Version: 4.0.13.6

This problem can be reproduced from CKEditor 3.6 (when read-only was introduced) in every browser.

It seems when there is something in a tag like span or font, links will work in read-only mode.

comment:3 Changed 11 years ago by Carlos Escribano

Any news regarding the resolution of the issue?

If I go to the demo page (http://ckeditor.com/demo#read-only) and input the following code...

<p><a href="http://ckeditor.com"><img src="http://a.cksource.com/e/1/img/logo-ckeditor-h100.png" /></a></p>

...in read-only mode I'm able to click over the image and access the ckeditor site inside the editor!

comment:4 Changed 11 years ago by Johannes Fischer

This is the workaround support proposed to us:

var editor = CKEDITOR.replace( 'editor1' );		

editor.on('pluginsLoaded',  function( evt ){ //works on initial code and when switching from source to wysiwyg,
						evt.editor.dataProcessor.dataFilter.addRules({
	elements :{
		span : function( element )	{
			if(element.parent.name === 'a'){
				delete element.name; 
			}
		}
	});
});		

We were able to successfully use this approach in our environment. Hope that helps.

Thanks, Johannes

Last edited 11 years ago by Jakub Ś (previous) (diff)

comment:5 Changed 11 years ago by Jakub Ś

@jfischer, please note that this workaround removes "a" tag and leaves its contents (If I remember correctly you wanted to minimize security threats so I have come up with something like this). If anyone wants his "a" tag not being touched then he should not use this.


For those who want to preserve "a" tag the simplest solution would be inserting onclick="return false;":

<p><a href="http://ckeditor.com" onclick="return false;"><img src="http://a.cksource.com/e/1/img/logo-ckeditor-h100.png" /></a></p> 

but editor protects against inline event handlers and changes them in WYSIWYG into e.g. data-cke-pa-onclick="return false;. Of course clicking link with such attribute will not prevent it from working.

Perhaps editor could change inline event handlers data-cke-pa-onclick="return false; into onclick="return false; when in read-only mode?
There is another security issue to concern if this gets implemented - what if someone makes editor read-only and then submits form? Well... server-side application should use filters to check (e.g. remove all or leave only those that have only "remove false") such inline event handlers, additional (yes filters still should to be used) option for devs would be hiding save buttons when editor is read-only.

comment:6 Changed 10 years ago by Jakub Ś

#7145 looks related to this one.

Last edited 10 years ago by Jakub Ś (previous) (diff)
Note: See TracTickets for help on using tickets.
© 2003 – 2022, CKSource sp. z o.o. sp.k. All rights reserved. | Terms of use | Privacy policy