Opened 12 years ago
Closed 11 years ago
#9930 closed Bug (fixed)
XSS onLoad error in Source Mode
Reported by: | David Walsh | Owned by: | |
---|---|---|---|
Priority: | Normal | Milestone: | |
Component: | General | Version: | 3.0 |
Keywords: | Webkit | Cc: | |
Description
There's an XSS flaw in versions 3.6.4 and 4.0.1.
Steps to reproduce:
- Enter source mode
- Add "<svg><circle onload=confirm(3)>" somewhere in the code
- Click "Source" again
- View the confirmation popup
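An added example (not CKEditor's filter, nor the fix from #11635) of the kind of check a defender wants for this report: strip inline event-handler attributes from every start tag in a markup string, including elements nested inside `<svg>` and unquoted values such as `onload=confirm(3)`, and report what was removed so the event can be logged. `stripEventHandlers`, its regexes and the sample inputs are all constructed here.

```javascript
// Added example, not CKEditor code: remove on* attributes (onload, onerror, ...)
// from every start tag, whether the element is HTML or an SVG child.
// Closing tags and text are passed through untouched.

// Start tag: name, attribute list (quoted or unquoted values), optional "/".
const TAG_RE =
  /<([a-zA-Z][\w:-]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*(\/?)>/g;
// One attribute inside that list: name and optional value.
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;

function stripEventHandlers(html) {
  const removed = []; // "element.attribute" pairs, useful as a detection signal
  const out = html.replace(TAG_RE, (match, name, attrs, selfClose) => {
    const kept = [];
    for (const m of attrs.matchAll(ATTR_RE)) {
      const attrName = m[1];
      if (/^on/i.test(attrName)) {
        removed.push(`${name.toLowerCase()}.${attrName.toLowerCase()}`);
        continue; // drop the handler, keep everything else as written
      }
      kept.push(m[2] === undefined ? attrName : `${attrName}=${m[2]}`);
    }
    const rebuilt = kept.length ? ` ${kept.join(' ')}` : '';
    return `<${name}${rebuilt}${selfClose ? ' /' : ''}>`;
  });
  return { html: out, removed };
}

// Constructed sample: the payload from this ticket plus a body/img variant.
const sample =
  '<p>hi</p><svg><circle onload=confirm(3)></svg>' +
  '<body onload="alert(1)"><img src="x.png" onerror=\'alert(2)\' alt=a>';
console.log(stripEventHandlers(sample));
```

In a browser the same check is better done on a parsed DOM (walking every element's attributes) than on the raw string, since the browser's tag parser is more forgiving than this tokenizer.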
Change History (4)
comment:1 Changed 12 years ago by
Status: | new → confirmed |
---|---|
Version: | → 3.0 |
comment:2 Changed 12 years ago by
Status: | confirmed → pending |
---|---|
I remember this was discussed and fixed in #8630.
@davidwalsh I have tried your TC and was not able to reproduce this in either CKEditor 3.6.4-6 or CKEditor 4.x. What is the exact TC (@davidwalsh or @Reinmar)?
comment:3 Changed 12 years ago by
Keywords: | Webkit added |
---|---|
Status: | pending → confirmed |
It is not reproducible on FF and Opera (and perhaps IE). But I reproduced it on Chrome and Safari. TC is simple - paste that HTML into source mode and switch to wysiwyg.
It was indeed discussed and fixed in #8630, but as we can see, with the exception of this case.
comment:4 Changed 11 years ago by
Resolution: | → fixed |
---|---|
Status: | confirmed → closed |
Fixed with #11635 in 4.3.4.
Interestingly, <body onload="alert(1)"> when fullPage:true doesn't cause any problem.