Opened 12 years ago
Last modified 10 years ago
#9810 confirmed Bug
Links pasted into CKEditor become active in read-only mode
Reported by: | Johannes Fischer | Owned by: | |
---|---|---|---|
Priority: | Normal | Milestone: | |
Component: | Core : Read-only | Version: | 3.6 |
Keywords: | Cc: |
Description
If a link contains more markup within the <a> tag, the click event will succeed to open the page behind the link in editor's window while the editor is in read-only mode.
This can currently be reproduced using the online example of CKEditor 4 (http://nightly.ckeditor.com/latest/ckeditor/samples/readonly.html).
The following steps describe my test scenario:
- Open the read-only sample page
- Click on the 'CKEditor' link of the sample text within the editor. Nothing happens, as expected.
- Click the 'Make it read-only' button and click once again on the 'CKEditor' link mentioned above. Nothing happens, as expected.
- Click the 'Make it editable again' button below the editor to leave the read-only mode.
- Replace the content of the editor window with the HTML provided in the attached text file (may have to use source mode in order to do that)
- Click on 'world junior hopefuls' link while in editable mode. Nothing happens, as expected.
- Switch to read-only mode and click on 'world junior hopefuls' link again. Now, the news article behind this link will open inside CKEditor's window.
It seems that the <font> tag inside the anchor prevents the click protection from functioning while the editor is in read-only mode.
I am not sure if the nightly samples are off the master branch, but I could reproduce it in my environment using the master, so I chose to select it here. Please correct if necessary.
Please let me know if you need more information.
Thanks, Johannes
Attachments (1)
Change History (7)
Changed 12 years ago by
Attachment: | sample_markup.txt added |
---|
comment:1 Changed 12 years ago by
Downloaded 4.0 release a tested the issue in there with the same result.
comment:2 Changed 12 years ago by
Status: | new → confirmed |
---|---|
Version: | 4.0.1 → 3.6 |
This problem can be reproduced from CKEditor 3.6 (when read-only was introduced) in every browser.
It seems when there is something in a tag like span or font, links will work in read-only mode.
comment:3 Changed 12 years ago by
Any news regarding the resolution of the issue?
If I go to the demo page (http://ckeditor.com/demo#read-only) and input the following code...
<p><a href="http://ckeditor.com"><img src="http://a.cksource.com/e/1/img/logo-ckeditor-h100.png" /></a></p>
...in read-only mode I'm able to click over the image and access the ckeditor site inside the editor!
comment:4 Changed 12 years ago by
This is the workaround support proposed to us:
var editor = CKEDITOR.replace( 'editor1' ); editor.on('pluginsLoaded', function( evt ){ //works on initial code and when switching from source to wysiwyg, evt.editor.dataProcessor.dataFilter.addRules({ elements :{ span : function( element ) { if(element.parent.name === 'a'){ delete element.name; } } }); });
We were able to successfully use this approach in our environment. Hope that helps.
Thanks, Johannes
comment:5 Changed 12 years ago by
@jfischer, please note that this workaround removes "a" tag and leaves its contents (If I remember correctly you wanted to minimize security threats so I have come up with something like this). If anyone wants his "a" tag not being touched then he should not use this.
For those who want to preserve "a" tag the simplest solution would be inserting onclick="return false;"
:
<p><a href="http://ckeditor.com" onclick="return false;"><img src="http://a.cksource.com/e/1/img/logo-ckeditor-h100.png" /></a></p>
but editor protects against inline event handlers and changes them in WYSIWYG into e.g.
data-cke-pa-onclick="return false;
. Of course clicking link with such attribute will not prevent it from working.
Perhaps editor could change inline event handlers data-cke-pa-onclick="return false;
into onclick="return false;
when in read-only mode?
There is another security issue to concern if this gets implemented - what if someone makes editor read-only and then submits form? Well... server-side application should use filters to check (e.g. remove all or leave only those that have only "remove false") such inline event handlers, additional (yes filters still should to be used) option for devs would be hiding save buttons when editor is read-only.
Sample markup that will allow the click on the link to go through when in read-only mode