I'm using the strinsert plugin to inject HTML snippets into my editor. It works fine for plain-text content, but fails for HTML (and some other markup) content because it doesn't escape it. I traced this to the add function of the richcombo element:
    add: function(a, b, c) {
        this._.items[a] = c || a;
        this._.list.add(a, b, c);
    },
The problem here is that a can contain a string which breaks the HTML. Here's a minimal plugin that demonstrates the problem:
    CKEDITOR.plugins.add('mytags',
    {
        requires : ['richcombo'],
        init : function( editor )
        {
            editor.ui.addRichCombo('mytags',
            {
                label: 'My tags',
                title: 'My tags',
                voiceLabel: 'My tags',
                className: 'cke_format',
                multiSelect: false,
                panel:
                {
                    css: [ editor.config.contentsCss, CKEDITOR.skin.getPath('editor') ],
                    voiceLabel: editor.lang.panelVoiceLabel
                },
                init: function()
                {
                    // The first two values contain markup and double quotes and are
                    // inserted unescaped into the generated menu item; the third works.
                    this.add('<span class="test">test</span>', 'Test', 'Test');
                    this.add('"test2"', 'Test2', 'Test2');
                    this.add('test3', 'Test3', 'Test3');
                },
                onClick: function( value )
                {
                    editor.focus();
                    editor.fire( 'saveSnapshot' );
                    editor.insertText(value);
                    editor.fire( 'saveSnapshot' );
                }
            });
        }
    });
The onClick handler can be ignored as the problem arises before it is used; whether you use insertText or insertHTML makes no difference.
The first item in the menu contains
test')" onclick="CKEDITOR.tools.callFunction(215,'…
instead of the expected Test, and selecting the malformed menu item this creates results in a Syntax error: Unexpected EOF on the console. The second item appears correctly in the menu, but clicking it results in the same syntax error. It appears to be the double quotes that are causing it problems; removing the double quotes works fine, as demonstrated by the third item.
I can't think of any circumstance where you would want this behaviour; there needs to be some form of escaping in the add function to prevent this from happening. This may also apply to other components which add items in a similar way.
Since this breaks out of escaping, it might also represent an opportunity for XSS injection.

Easiest workaround is to use only /[\w\d]+/ values which are keys in an object storing final HTML strings:
But we're now discussing which characters the add() method should accept.
Ticket: http://dev.ckeditor.com/ticket/11101.
Piotrek (Reinmar) Koszuliński
CKEditor JavaScript Developer
--
CKSource - http://cksource.com
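Added example, not code from CKEditor or from either post: the key-based workaround described in the reply, where the combo only ever sees identifier-like keys (/[\w\d]+/) and the HTML snippets live in a separate registry, plus attribute escaping for the visible label. The richcombo wiring and the callFunction index are assumed; the menu markup is a simplified stand-in for what the panel generates.

```javascript
// Keys must be identifier-like, so they can never break out of the
// onclick="...callFunction(n,'key')" attribute the panel generates.
const SAFE_KEY = /^[\w\d]+$/;

// Registry holding the real HTML snippets; only the key reaches the menu.
function createSnippetRegistry() {
  const snippets = Object.create(null);
  return {
    register(key, html) {
      if (!SAFE_KEY.test(key)) {
        throw new Error('snippet key must match /^[\\w\\d]+$/: ' + JSON.stringify(key));
      }
      snippets[key] = html;
      return key;
    },
    lookup(key) {
      return Object.prototype.hasOwnProperty.call(snippets, key) ? snippets[key] : undefined;
    },
  };
}

// Escaper for text placed into HTML text nodes or double-quoted attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Simplified stand-in for the menu item markup; the callFunction index (0)
// is a placeholder for whatever CKEditor would allocate.
function renderMenuItem(key, label) {
  if (!SAFE_KEY.test(key)) throw new Error('refusing to render unsafe key');
  return '<a onclick="CKEDITOR.tools.callFunction(0,\'' + key + '\')">' +
    escapeHtml(label) + '</a>';
}

// How a plugin's init/onClick would use the registry (wiring assumed):
// add() validates the key and renders the item; onClick() resolves the key
// to the HTML that would be passed to editor.insertHtml.
function buildCombo(registry) {
  const items = [];
  return {
    add(key, label, html) {
      registry.register(key, html);
      items.push(renderMenuItem(key, label));
    },
    onClick(key) { return registry.lookup(key); },
    items,
  };
}
```

With this shape the values from the bug report ('"test2"' or a <span> element) are rejected at add() time instead of being written unescaped into the menu markup.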