Opened 6 years ago

Closed 5 years ago

#9930 closed Bug (fixed)

XSS onLoad error in Source Mode

Reported by: David Walsh
Owned by:
Priority: Normal
Milestone:
Component: General
Version: 3.0
Keywords: Webkit
Cc:

Description

There's an XSS flaw in versions 3.6.4 and 4.0.1.

Steps to reproduce:

  1. Enter source mode
  2. Add "<svg><circle onload=confirm(3)>" somewhere in the code
  3. Click "Source" again
  4. View the confirmation popup
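The payload in the steps above is an SVG element carrying an `onload` handler, so a filter that only special-cases `<body onload>` (the case comment 1 below mentions) does not cover it; every inline event handler in HTML and SVG shares the `on` prefix, and that is the property a filter should key on. The following is an added example, not CKEditor's code and not the reporter's: a small JavaScript routine that lists and strips every `on*` attribute from a markup fragment at the boundary the ticket describes, when source-mode text is about to be handed to the live document. The tag and attribute grammar it uses is a deliberate simplification for illustration; a production editor should run a DOM-based allowlist sanitizer at the same point.

```javascript
// Added example, not part of the ticket or of CKEditor: detect and strip
// inline event handler attributes (onload, onerror, onclick, ...) from a
// markup fragment before it leaves "source" text and reaches a live DOM.
// Assumptions: the input is a string of HTML/SVG markup; the regexes below
// are a simplified tag grammar, not a full HTML parser.

// One attribute: a name, optionally followed by =value (quoted or bare).
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?/g;
// A start tag: "<name attrs...>" or "<name attrs.../>". End tags carry no
// attributes, so "</circle>" is deliberately not matched.
const START_TAG_RE = /<([a-zA-Z][\w:-]*)([^>]*?)(\/?)>/g;

// Event handler attributes share the "on" prefix in both HTML and SVG
// (onload on <svg>/<circle> as well as on <body>), so one rule covers them.
function isEventHandler(attrName) {
  return /^on/i.test(attrName);
}

// Detection: list every event handler attribute together with its tag.
// Useful for logging what a sanitizer removed, or for alerting on content
// that should never have contained handlers in the first place.
function findEventHandlers(html) {
  const found = [];
  for (const tag of html.matchAll(START_TAG_RE)) {
    const [, name, attrs] = tag;
    for (const attr of attrs.matchAll(ATTR_RE)) {
      if (isEventHandler(attr[1])) {
        found.push({ tag: name.toLowerCase(), attr: attr[1].toLowerCase() });
      }
    }
  }
  return found;
}

// Mitigation: rebuild each start tag without its event handler attributes,
// leaving other attributes, text content and end tags untouched.
function stripEventHandlers(html) {
  return html.replace(START_TAG_RE, (_match, name, attrs, selfClose) => {
    const kept = [];
    for (const attr of attrs.matchAll(ATTR_RE)) {
      if (!isEventHandler(attr[1])) kept.push(attr[0]);
    }
    const rebuilt = kept.length ? ' ' + kept.join(' ') : '';
    return `<${name}${rebuilt}${selfClose}>`;
  });
}

// Constructed inputs: the payload from the ticket's steps, the fullPage
// case from comment 1, and a benign fragment that must survive unchanged.
const SAMPLES = [
  '<svg><circle onload=confirm(3)></circle></svg>',
  '<body onload="alert(1)"><p>hi</p></body>',
  '<p class="note"><a href="/docs">docs</a></p>',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const sample of SAMPLES) {
    console.log(JSON.stringify(findEventHandlers(sample)), '=>', stripEventHandlers(sample));
  }
}
```

Running the file prints, for each sample, the handlers found and the cleaned markup; the benign third sample comes back byte-for-byte unchanged, which is the check worth keeping in a regression suite alongside the ticket's own payload.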

Change History (4)

comment:1 Changed 6 years ago by Piotrek Koszuliński

Status: new → confirmed
Version: 3.0

Interestingly <body onload="alert(1)"> when fullPage:true doesn't cause any problem.

comment:2 Changed 6 years ago by Jakub Ś

Status: confirmed → pending

I remember this was discussed and fixed in #8630.

@davidwalsh I have tried your TC and was not able to reproduce this in either CKEditor 3.6.4-6 or CKEditor 4.x. What is the exact TC (@davidwalsh or @Reinmar)?

comment:3 Changed 6 years ago by Piotrek Koszuliński

Keywords: Webkit added
Status: pending → confirmed

It is not reproducible on FF and Opera (and perhaps IE). But I reproduced it on Chrome and Safari. TC is simple - paste that HTML into source mode and switch to wysiwyg.

It was indeed discussed and fixed in #8630, but as we can see, with the exception of this case.

comment:4 Changed 5 years ago by Piotrek Koszuliński

Resolution: fixed
Status: confirmed → closed

Fixed with #11635 in 4.3.4.
